If you use an existing security group when you create a Container Service for Kubernetes (ACK) cluster or node pool, the system does not add additional rules to the security group. You must manually add rules to the security group. This topic describes how to enforce access control on ACK clusters by adding rules to basic security groups and advanced security groups.

You can use security group rules to allow or deny communication between the Elastic Compute Service (ECS) instances in a security group and the Internet or the internal network. For more information, see Add security group rules.

Basic security groups

Inbound

Recommended settings
  • ICMP, -1/-1 (all ports), authorization object: 0.0.0.0/0
  • All protocols, -1/-1 (all ports), authorization objects:
      • The ID of the default security group of the cluster.
      • The pod CIDR block. This rule is required only in Flannel network mode. Do not add this rule if the Terway network mode is used.

Least privilege settings
  • All protocols, port 53/53 (DNS)
  • ICMP, -1/-1 (all ports)
  • TCP, ports 10250 (kubelet), 10255 (kubelet), and 443 (webhook)
    Authorization objects for these three rules:
      • The ID of the default security group of the cluster.
      • The pod CIDR block. This rule is required only in Flannel network mode. Do not add this rule if the Terway network mode is used.
  • All protocols, the ports of the applications and components that you want to expose, authorization objects: the IP addresses or security groups to which you want to expose those applications or components.

Outbound

Recommended settings
  • All protocols, -1/-1 (all ports), authorization object: 0.0.0.0/0

Least privilege settings
  • All protocols, -1/-1 (all ports), authorization object: 100.96.0.0/10 (the CIDR block of Alibaba Cloud resources)
  • All protocols, port 53/53 (DNS)
  • TCP, ports 10250 (kubelet), 10255 (kubelet), 443 (API server), and 6443 (API server)
    Authorization objects for these two rules:
      • The IP address of the Server Load Balancer (SLB) instance that is used to expose the Kubernetes API server of the cluster.
      • The ID of the default security group of the cluster.
      • The pod CIDR block. This rule is required only in Flannel network mode. Do not add this rule if the Terway network mode is used.
  • All protocols, the ports of the applications and components that you want to expose, authorization objects: the IP addresses or security groups to which you want to expose those applications or components.

Advanced security groups

Inbound

Recommended settings
  • ICMP, -1/-1 (all ports), authorization object: 0.0.0.0/0
  • All protocols, -1/-1 (all ports), authorization objects:
      • The CIDR block of the virtual private cloud (VPC) where the cluster resides.
      • The secondary CIDR block of the VPC where the cluster resides.
      • The pod CIDR block. This rule is required only in Flannel network mode. Do not add this rule if the Terway network mode is used.

Least privilege settings
  • All protocols, port 53/53 (DNS)
  • ICMP, -1/-1 (all ports)
  • TCP, ports 10250 (kubelet), 10255 (kubelet), and 443 (webhook)
    Authorization objects for these three rules:
      • The CIDR blocks of all vSwitches that are used by the cluster, including node vSwitches and pod vSwitches.
      • The pod CIDR block. This rule is required only in Flannel network mode. Do not add this rule if the Terway network mode is used.
  • All protocols, the ports of the applications and components that you want to expose, authorization objects: the IP addresses or security groups to which you want to expose those applications or components.

Outbound

Recommended settings
  • All protocols, -1/-1 (all ports), authorization object: 0.0.0.0/0

Least privilege settings
  • All protocols, -1/-1 (all ports), authorization object: 100.96.0.0/10 (the CIDR block of Alibaba Cloud resources)
  • All protocols, port 53/53 (DNS)
  • TCP, ports 10250 (kubelet), 10255 (kubelet), 443 (API server), and 6443 (API server)
    Authorization objects for these two rules:
      • The IP address of the SLB instance that is used to expose the Kubernetes API server of the cluster.
      • The CIDR blocks of all vSwitches that are used by the cluster, including node vSwitches and pod vSwitches.
      • The pod CIDR block. This rule is required only in Flannel network mode. Do not add this rule if the Terway network mode is used.
  • All protocols, the ports of the applications and components that you want to expose, authorization objects: the IP addresses or security groups to which you want to expose those applications or components.
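The least-privilege tables for basic and advanced security groups above differ only in the internal authorization objects (the default security group ID versus the vSwitch CIDR blocks) and in whether the pod CIDR rule applies (Flannel only). The following added example, which is not Alibaba Cloud's code, expands both tables into an explicit rule list for one cluster, maps each rule to the request parameters of the ECS API actions AuthorizeSecurityGroup and AuthorizeSecurityGroupEgress without sending any request, and audits an existing rule list for rules the baseline does not allow (for instance an inbound all-protocols rule from 0.0.0.0/0 left over from the recommended settings). The cluster values (SAMPLE_CLUSTER, the sg-EXAMPLE... ID, the CIDR blocks and the SLB address) are constructed placeholders, and the exposed application port is an assumed choice.

```python
"""Expand the ACK least-privilege security group tables into concrete rules and
audit an existing rule list against them. Added example, not Alibaba Cloud's code."""
from dataclasses import dataclass
from itertools import product

# Port ranges in the "start/end" notation used by the tables.
ALL_PORTS = "-1/-1"
DNS = "53/53"
INBOUND_TCP = ("10250/10250", "10255/10255", "443/443")                # kubelet, kubelet, webhook
OUTBOUND_TCP = ("10250/10250", "10255/10255", "443/443", "6443/6443")  # kubelet, API server
ALIBABA_CLOUD_CIDR = "100.96.0.0/10"  # CIDR block of Alibaba Cloud resources (from the table)


@dataclass(frozen=True)
class Rule:
    direction: str    # "ingress" or "egress"
    ip_protocol: str  # "tcp", "udp", "icmp" or "all"
    port_range: str   # "-1/-1" means all ports
    target: str       # CIDR block, or a security group ID (sg-...) for basic security groups


def internal_targets(sg_type, cluster, network_mode):
    """Authorization objects shared by the internal rules of the least-privilege tables."""
    if sg_type == "basic":
        targets = [cluster["default_sg_id"]]
    elif sg_type == "advanced":
        targets = list(cluster["vswitch_cidrs"])  # node vSwitches and pod vSwitches
    else:
        raise ValueError(f"unknown security group type: {sg_type}")
    if network_mode == "flannel":  # the pod CIDR rule exists only in Flannel mode
        targets.append(cluster["pod_cidr"])
    elif network_mode != "terway":
        raise ValueError(f"unknown network mode: {network_mode}")
    return targets


def least_privilege_rules(sg_type, cluster, network_mode):
    """Return the complete inbound + outbound least-privilege rule set for one cluster."""
    internal = internal_targets(sg_type, cluster, network_mode)
    rules = []
    # Inbound: DNS, ICMP and the kubelet/webhook TCP ports from internal sources only.
    for t in internal:
        rules.append(Rule("ingress", "all", DNS, t))
        rules.append(Rule("ingress", "icmp", ALL_PORTS, t))
        rules.extend(Rule("ingress", "tcp", p, t) for p in INBOUND_TCP)
    # Outbound: all ports to the Alibaba Cloud CIDR; DNS and control-plane ports to the
    # API server SLB address plus the internal targets.
    rules.append(Rule("egress", "all", ALL_PORTS, ALIBABA_CLOUD_CIDR))
    for t in [cluster["apiserver_slb_ip"]] + internal:
        rules.append(Rule("egress", "all", DNS, t))
        rules.extend(Rule("egress", "tcp", p, t) for p in OUTBOUND_TCP)
    # Application and component ports you choose to expose, in both directions.
    for direction, (proto, port, t) in product(("ingress", "egress"), cluster["exposed"]):
        rules.append(Rule(direction, proto, port, t))
    return rules


def to_api_params(rule, sg_id):
    """Map one Rule to the request parameters of the ECS API actions
    AuthorizeSecurityGroup (ingress) / AuthorizeSecurityGroupEgress (egress).
    No request is sent here; the caller decides how to issue it."""
    ingress = rule.direction == "ingress"
    action = "AuthorizeSecurityGroup" if ingress else "AuthorizeSecurityGroupEgress"
    params = {"SecurityGroupId": sg_id, "IpProtocol": rule.ip_protocol,
              "PortRange": rule.port_range, "Policy": "accept"}
    side = "Source" if ingress else "Dest"
    # A security group ID is authorized by group; anything else is a CIDR block.
    params[side + ("GroupId" if rule.target.startswith("sg-") else "CidrIp")] = rule.target
    return action, params


def rules_outside_baseline(current, baseline):
    """Audit check: rules present on the security group that the baseline does not allow."""
    extra = set(current) - set(baseline)
    return sorted(extra, key=lambda r: (r.direction, r.ip_protocol, r.port_range, r.target))


# Constructed sample cluster: every value is a placeholder, not a real resource.
SAMPLE_CLUSTER = {
    "default_sg_id": "sg-EXAMPLE0000000001",
    "vswitch_cidrs": ["192.168.0.0/24", "192.168.1.0/24"],
    "pod_cidr": "172.20.0.0/16",
    "apiserver_slb_ip": "192.168.0.250",
    "exposed": [("tcp", "80/80", "10.0.0.0/8")],  # assumed application port to expose
}

if __name__ == "__main__":
    baseline = least_privilege_rules("basic", SAMPLE_CLUSTER, "flannel")
    for rule in baseline:
        print(*to_api_params(rule, SAMPLE_CLUSTER["default_sg_id"]))
    # Constructed "current" rule list with one rule wider than the baseline.
    current = baseline + [Rule("ingress", "all", ALL_PORTS, "0.0.0.0/0")]
    print("outside baseline:", rules_outside_baseline(current, baseline))
```

Switching the first two arguments of least_privilege_rules to "advanced" and "terway" produces the advanced-security-group variant with no pod CIDR rules and CIDR-based targets throughout, which is why the audit check is useful after a cluster is migrated between network modes: a pod CIDR rule left in place is reported as outside the new baseline.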