
Container Service for Kubernetes:Configure security group rules to enforce access control on ACK clusters

Last Updated:Jun 08, 2023

If you use an existing security group when you create a Container Service for Kubernetes (ACK) cluster or node pool, the system does not add any rules to that security group; you must add them yourself. This topic describes how to enforce access control on an ACK cluster by adding rules to a basic security group or an advanced security group.

Security group rules allow or deny traffic between the Elastic Compute Service (ECS) instances in a security group and the Internet or the internal network. Each table below lists two rule sets: Recommended settings, which are broad and simple to operate, and Least privilege settings, which restrict traffic to the cluster's own components and to the ports that you explicitly expose. For more information, see Add a security group rule.

Basic security groups

Inbound

| Access control scope | Protocol | Port | Authorization object |
| --- | --- | --- | --- |
| Recommended settings | ICMP | -1/-1 (all ports) | 0.0.0.0/0 |
| Recommended settings | All protocols | -1/-1 (all ports) | The ID of the default security group of the cluster; the pod CIDR block (required only in Flannel network mode; do not add it if Terway is used) |
| Least privilege settings | All protocols | 53/53 (DNS) | The ID of the default security group of the cluster; the pod CIDR block (Flannel only; do not add it if Terway is used) |
| Least privilege settings | ICMP | -1/-1 (all ports) | The ID of the default security group of the cluster; the pod CIDR block (Flannel only; do not add it if Terway is used) |
| Least privilege settings | TCP | 10250 (kubelet), 10255 (kubelet read-only port), 443 (webhook), 6443 (API server), 8082 (heapster) | The ID of the default security group of the cluster; the pod CIDR block (Flannel only; do not add it if Terway is used) |
| Least privilege settings | All protocols | The ports of the applications and components that you want to expose | The IP addresses or security groups to which you want to expose those applications or components |

Outbound

| Access control scope | Protocol | Port | Authorization object |
| --- | --- | --- | --- |
| Recommended settings | All protocols | -1/-1 (all ports) | 0.0.0.0/0 |
| Least privilege settings | All protocols | -1/-1 (all ports) | 100.64.0.0/10 (the CIDR block of Alibaba Cloud resources) |
| Least privilege settings | All protocols | 53/53 (DNS) | The IP address of the Server Load Balancer (SLB) instance that exposes the Kubernetes API server of the cluster; the ID of the default security group of the cluster; the pod CIDR block (Flannel only; do not add it if Terway is used) |
| Least privilege settings | TCP | 10250 (kubelet), 10255 (kubelet read-only port), 443 (API server), 6443 (API server) | The IP address of the SLB instance that exposes the Kubernetes API server of the cluster; the ID of the default security group of the cluster; the pod CIDR block (Flannel only; do not add it if Terway is used) |
| Least privilege settings | All protocols | The ports of the applications and components that you want to expose | The IP addresses or security groups to which you want to expose those applications or components |

Advanced security groups

Inbound

| Access control scope | Protocol | Port | Authorization object |
| --- | --- | --- | --- |
| Recommended settings | ICMP | -1/-1 (all ports) | 0.0.0.0/0 |
| Recommended settings | All protocols | -1/-1 (all ports) | The CIDR block of the virtual private cloud (VPC) where the cluster resides; the secondary CIDR block of that VPC; the pod CIDR block (required only in Flannel network mode; do not add it if Terway is used) |
| Least privilege settings | All protocols | 53/53 (DNS) | The CIDR blocks of all vSwitches used by the cluster, including node vSwitches and pod vSwitches; the pod CIDR block (Flannel only; do not add it if Terway is used) |
| Least privilege settings | ICMP | -1/-1 (all ports) | The CIDR blocks of all vSwitches used by the cluster, including node vSwitches and pod vSwitches; the pod CIDR block (Flannel only; do not add it if Terway is used) |
| Least privilege settings | TCP | 10250 (kubelet), 10255 (kubelet read-only port), 443 (webhook), 6443 (API server), 8082 (heapster) | The CIDR blocks of all vSwitches used by the cluster, including node vSwitches and pod vSwitches; the pod CIDR block (Flannel only; do not add it if Terway is used) |
| Least privilege settings | All protocols | The ports of the applications and components that you want to expose | The IP addresses or security groups to which you want to expose those applications or components |

Outbound

| Access control scope | Protocol | Port | Authorization object |
| --- | --- | --- | --- |
| Recommended settings | All protocols | -1/-1 (all ports) | 0.0.0.0/0 |
| Least privilege settings | All protocols | -1/-1 (all ports) | 100.64.0.0/10 (the CIDR block of Alibaba Cloud resources) |
| Least privilege settings | All protocols | 53/53 (DNS) | The IP address of the SLB instance that exposes the Kubernetes API server of the cluster; the CIDR blocks of all vSwitches used by the cluster, including node vSwitches and pod vSwitches; the pod CIDR block (Flannel only; do not add it if Terway is used) |
| Least privilege settings | TCP | 10250 (kubelet), 10255 (kubelet read-only port), 443 (API server), 6443 (API server) | The IP address of the SLB instance that exposes the Kubernetes API server of the cluster; the CIDR blocks of all vSwitches used by the cluster, including node vSwitches and pod vSwitches; the pod CIDR block (Flannel only; do not add it if Terway is used) |
| Least privilege settings | All protocols | The ports of the applications and components that you want to expose | The IP addresses or security groups to which you want to expose those applications or components |
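The following is an added example, not code from the ACK documentation or from Alibaba Cloud. It turns the Least privilege settings rows of the basic and advanced tables above into a rule set for one cluster, then audits an existing rule list against that set: it flags inbound non-ICMP rules open to 0.0.0.0/0, pod CIDR rules left in place on a Terway cluster, and least-privilege rules that no existing rule already covers. Assumptions that are mine rather than the page's: a rule is a simplified 4-tuple (direction, protocol, port_range, authorization_object) instead of the exact ECS API schema, the SLB address is written as a /32 CIDR, the "ports of applications you want to expose" rows are omitted because they depend on your workloads, and every sample value (security group ID, CIDR blocks, SLB address, existing rules) is a constructed placeholder.

```python
"""Added example, not from the ACK documentation: build the least-privilege
rule set for a cluster and audit an existing rule list against it.
Rules are simplified 4-tuples (direction, protocol, port_range, object);
this is an assumed shape, not the ECS API schema."""
import ipaddress
from dataclasses import dataclass

ALIBABA_CLOUD_CIDR = "100.64.0.0/10"   # outbound destination for Alibaba Cloud resources
# kubelet, kubelet read-only port, webhook, API server, heapster
INBOUND_TCP_PORTS = ("10250", "10255", "443", "6443", "8082")
OUTBOUND_TCP_PORTS = ("10250", "10255", "443", "6443")


@dataclass(frozen=True)
class Cluster:
    sg_type: str            # "basic" or "advanced"
    network: str            # "flannel" or "terway"
    default_sg_id: str      # authorization object for basic security groups
    vswitch_cidrs: tuple    # node and pod vSwitch CIDRs, for advanced security groups
    pod_cidr: str           # used only in Flannel mode
    apiserver_slb_ip: str   # SLB address that exposes the API server


def intra_cluster_objects(c: Cluster) -> list:
    """Authorization objects for traffic between cluster nodes, per the tables."""
    objs = [c.default_sg_id] if c.sg_type == "basic" else list(c.vswitch_cidrs)
    if c.network == "flannel":      # the pod CIDR rule exists only in Flannel mode
        objs.append(c.pod_cidr)
    return objs


def least_privilege_rules(c: Cluster) -> set:
    """Inbound and outbound rules from the 'Least privilege settings' rows."""
    rules = set()
    for obj in intra_cluster_objects(c):
        rules.add(("in", "all", "53/53", obj))
        rules.add(("in", "icmp", "-1/-1", obj))
        rules.update(("in", "tcp", f"{p}/{p}", obj) for p in INBOUND_TCP_PORTS)
    rules.add(("out", "all", "-1/-1", ALIBABA_CLOUD_CIDR))
    # Assumption: the SLB address is expressed as a /32 CIDR.
    for obj in [f"{c.apiserver_slb_ip}/32"] + intra_cluster_objects(c):
        rules.add(("out", "all", "53/53", obj))
        rules.update(("out", "tcp", f"{p}/{p}", obj) for p in OUTBOUND_TCP_PORTS)
    return rules


def _object_covers(a: str, b: str) -> bool:
    """True if authorization object a includes b: equal IDs, the any-address
    CIDR, or CIDR containment. A CIDR never 'contains' a security group ID."""
    if a == b or a == "0.0.0.0/0":
        return True
    try:
        return ipaddress.ip_network(b).subnet_of(ipaddress.ip_network(a))
    except (ValueError, TypeError):     # security group IDs are not networks
        return False


def covers(existing: tuple, wanted: tuple) -> bool:
    """True if an existing rule already permits everything the wanted rule would."""
    d1, p1, r1, o1 = existing
    d2, p2, r2, o2 = wanted
    return (d1 == d2 and p1 in ("all", p2) and r1 in ("-1/-1", r2)
            and _object_covers(o1, o2))


def audit(c: Cluster, existing: list) -> dict:
    """Flag inbound non-ICMP rules open to 0.0.0.0/0, pod CIDR rules left on a
    Terway cluster, and least-privilege rules that nothing covers yet."""
    return {
        "open_to_internet": [r for r in existing
                             if r[0] == "in" and r[1] != "icmp" and r[3] == "0.0.0.0/0"],
        "pod_cidr_in_terway": [r for r in existing
                               if c.network == "terway" and r[3] == c.pod_cidr],
        "missing": sorted(w for w in least_privilege_rules(c)
                          if not any(covers(e, w) for e in existing)),
    }


if __name__ == "__main__":
    # Constructed sample cluster and a constructed rule list: the 'Recommended
    # settings' defaults plus an SSH rule someone added for convenience.
    demo = Cluster("basic", "flannel", "sg-demo0001", ("192.168.0.0/24",),
                   "172.20.0.0/16", "192.168.0.10")
    current = [("in", "icmp", "-1/-1", "0.0.0.0/0"),
               ("in", "all", "-1/-1", "sg-demo0001"),
               ("in", "tcp", "22/22", "0.0.0.0/0"),
               ("out", "all", "-1/-1", "0.0.0.0/0")]
    for name, hits in audit(demo, current).items():
        print(f"{name}: {len(hits)}")
        for rule in hits:
            print("   ", rule)
```

On the constructed sample the audit reports the SSH rule as open to the Internet and lists the inbound DNS and TCP rules for the pod CIDR as missing, because the permissive default only covers the default security group, not the Flannel pod network. The coverage check treats a 0.0.0.0/0 object as covering everything, so the wide-open egress rule hides every missing outbound rule; tightening egress to the least-privilege rows is what makes the outbound findings meaningful. To run this against a real group, translate the rules returned by an ECS API such as DescribeSecurityGroupAttribute into the same 4-tuple shape.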