You can connect a self-managed Kubernetes cluster to Security Center and manage the cluster on the Assets page in a centralized manner. This topic describes how to connect a self-managed Kubernetes cluster to Security Center.

Limits

Only the Ultimate edition of Security Center supports this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.

  • You can connect a maximum of 10 self-managed Kubernetes clusters.
  • If a self-managed Kubernetes cluster that you want to connect is deployed in a virtual private cloud (VPC), the cluster must reside in the China (Hangzhou), China (Beijing), China (Shanghai), China (Shenzhen), or China (Hong Kong) region.
    Note If a self-managed Kubernetes cluster that you want to connect is deployed on the Internet, no limits are imposed on the region of the cluster.

Prerequisites

  • A Kubernetes cluster is created on your server.
  • Docker is installed.
  • If your self-managed Kubernetes cluster is deployed in a hybrid cloud and is not accessible over the Internet, make sure that traffic forwarding rules are configured and the network connection is normal.

    Specify an Elastic Compute Service (ECS) instance and configure traffic forwarding rules to forward the traffic destined for the ECS instance to an on-premises server on which the API server for the self-managed Kubernetes cluster is installed.

    In the following command examples, the traffic on Port A of the ECS instance that uses the IP address 10.0.XX.XX is forwarded to Port B of the on-premises server that uses the IP address 192.168.XX.XX.

    • Command examples for CentOS 7
      • Use firewall-cmd

        firewall-cmd --permanent --add-masquerade
        firewall-cmd --permanent --add-forward-port=port=<Port A>:proto=tcp:toaddr=<192.168.XX.XX>:toport=<Port B>
        firewall-cmd --reload

      • Use iptables
        1. Enable IP forwarding. The value written to /proc is not persistent across reboots; add net.ipv4.ip_forward = 1 to /etc/sysctl.conf to keep it.

          # echo "1" > /proc/sys/net/ipv4/ip_forward

        2. Configure port forwarding. The DNAT rule rewrites the destination of incoming traffic. If the on-premises server does not route its replies to 10.0.XX.XX back through the ECS instance, the replies bypass the translation and the connection fails; in that case, also add the POSTROUTING rule so that replies return through the ECS instance.

          # iptables -t nat -A PREROUTING -p tcp --dport <Port A> -j DNAT --to-destination <192.168.XX.XX>:<Port B>
          # iptables -t nat -A POSTROUTING -p tcp -d <192.168.XX.XX> --dport <Port B> -j MASQUERADE

    • Command example for Windows

      netsh interface portproxy add v4tov4 listenport=<Port A> listenaddress=* connectaddress=<192.168.XX.XX> connectport=<Port B> protocol=tcp

  • If you create an access control policy for your cluster, make sure that the policy allows access from the Security Center addresses of the region in which the container resides. The following table lists the addresses by region.
    Region | Public IP address | Private IP address
    China (Hangzhou) | 121.41.35.192, 121.41.39.7, 121.41.39.39, 121.41.39.153, 121.41.38.32 | 100.104.177.0/26
    China (Shanghai) | 47.103.62.83, 47.103.60.134, 47.103.58.177, 47.103.54.252, 47.103.49.93 | 100.104.7.192/26
    China (Qingdao) | 47.104.111.68 | 100.104.87.192/26
    China (Beijing) | 123.57.55.56, 123.57.55.21, 123.57.55.18, 123.57.55.7, 123.57.55.6 | 100.104.20.128/26
    China (Zhangjiakou) | 39.99.229.195 | 100.104.187.64/26
    China (Hohhot) | 39.104.147.68 | 100.104.36.0/26
    China (Shenzhen) | 47.106.245.198, 47.107.237.185, 47.107.237.182, 47.107.237.170, 47.107.237.152 | 100.104.9.192/26
    China (Hong Kong) | 47.106.245.198, 47.107.237.185, 47.107.237.182, 47.107.237.170, 47.107.237.152 | 100.104.111.128/26
    Japan (Tokyo) | 47.74.24.20 | 100.104.69.0/26
    Singapore (Singapore) | 47.74.238.176, 47.74.238.61, 47.74.237.201, 47.74.237.166, 47.74.237.91 | 100.104.41.128/26
    US (Silicon Valley) | 47.254.39.224 | 100.104.145.64/26
    US (Virginia) | 47.252.4.238 | 100.104.36.0/26
    Germany (Frankfurt) | 47.254.158.71 | 172.16.0.0/20
    UK (London) | 8.208.14.12 | 172.16.0.0/20
    Indonesia (Jakarta) | 149.129.238.99 | 100.104.193.128/26
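As an added example (not part of the Security Center documentation), the following Python script checks an API-server allowlist against the Security Center source addresses of a region, reporting required sources the allowlist does not cover and entries that are far wider than needed. The two region rows are copied from the table above; the sample allowlist and the 256-address width threshold are constructed for illustration.

```python
"""Check an API-server access control allowlist against Security Center
source addresses. Added example; the region subset, the sample allowlist
and the width threshold are constructed, not from the documentation."""
import ipaddress

# Two rows copied from the region table above (public IPs, private CIDR).
SECURITY_CENTER_SOURCES = {
    "China (Hangzhou)": {
        "public": ["121.41.35.192", "121.41.39.7", "121.41.39.39",
                   "121.41.39.153", "121.41.38.32"],
        "private": ["100.104.177.0/26"],
    },
    "China (Shenzhen)": {
        "public": ["47.106.245.198", "47.107.237.185", "47.107.237.182",
                   "47.107.237.170", "47.107.237.152"],
        "private": ["100.104.9.192/26"],
    },
}

# Constructed policy: an allowlist entry admitting more than this many
# addresses is reported as over-broad (a /24 is the widest accepted).
MAX_ENTRY_ADDRESSES = 256

# Constructed sample allowlist: one exact IP, one /24, one far too wide /8.
SAMPLE_ALLOWLIST = ["121.41.35.192/32", "121.41.39.0/24", "10.0.0.0/8"]


def check_allowlist(region, allowlist, via_private=False):
    """Return (missing, over_broad): required Security Center sources that no
    allowlist entry covers, and allowlist entries wider than the threshold.
    via_private selects the private CIDR column instead of the public IPs."""
    sources = SECURITY_CENTER_SOURCES[region]
    required = sources["private"] if via_private else sources["public"]
    nets = [ipaddress.ip_network(entry, strict=False) for entry in allowlist]
    missing = []
    for src in required:
        src_net = ipaddress.ip_network(src, strict=False)  # bare IP -> /32
        covered = any(n.version == src_net.version and src_net.subnet_of(n)
                      for n in nets)
        if not covered:
            missing.append(src)
    over_broad = [str(n) for n in nets if n.num_addresses > MAX_ENTRY_ADDRESSES]
    return missing, over_broad


if __name__ == "__main__":
    missing, over_broad = check_allowlist("China (Hangzhou)", SAMPLE_ALLOWLIST)
    print("not allowed:", missing)        # ['121.41.38.32']
    print("over-broad entries:", over_broad)  # ['10.0.0.0/8']
```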

Connect a self-managed Kubernetes cluster to Security Center

  1. Log on to the Security Center console. In the left-side navigation pane, choose Assets > Container.
  2. On the Container page, click the Cluster tab and click Self-built cluster access.
  3. In the Self-built cluster management panel, click Self-built cluster access. In the panel that appears, configure the following parameters and click Generate Command.
    Parameter | Description
    Cluster name | Enter the name of the self-managed Kubernetes cluster. Example: text-001.
    Expiration Time | Select the expiration time of the command that is used to connect the self-managed Kubernetes cluster.
    Group | Select the group to which you want to add the cluster. Set this parameter to the group of the server on which the cluster is created.
    Service Provider | Select the provider of the server on which the cluster is created.
  4. Log on to the server on which the cluster is created, create a file named text-001.yaml on the server, copy the generated command to the file, and then run the kubectl apply -f text-001.yaml command on the server. Then, the cluster is connected to Security Center.
    Note In the preceding step, text-001 in the file name text-001.yaml and in the command kubectl apply -f text-001.yaml is an example value of the Cluster name parameter. Replace it with the actual value that you specify for the Cluster name parameter.
    After the self-managed Kubernetes cluster is connected to Security Center, you can view the cluster information in the cluster list of the Cluster tab.