doc-exports/docs/cce/umn/cce_faq_00265.html
Dong, Qiu Jian b05d81fd8b CCE UMN for 1.23 reuploaded -20221103
Reviewed-by: gtema <artem.goncharov@gmail.com>
Co-authored-by: Dong, Qiu Jian <qiujiandong1@huawei.com>
Co-committed-by: Dong, Qiu Jian <qiujiandong1@huawei.com>
2022-11-10 19:50:29 +00:00


<a name="cce_faq_00265"></a><a name="cce_faq_00265"></a>
<h1 class="topictitle1">How Do I Harden the VPC Security Group Rules for CCE Cluster Nodes?</h1>
<div id="body0000001197314929"><p id="cce_faq_00265__en-us_topic_0241651987_p3796101412309">CCE is a universal container platform. Its default security group rules apply to common scenarios. Based on security requirements, you can harden the security group rules set for CCE clusters on the <strong id="cce_faq_00265__en-us_topic_0241651987_b191111018205820">Security Groups</strong> page of <strong id="cce_faq_00265__en-us_topic_0241651987_b081632115815">Network Console</strong>.</p>
<div class="note" id="cce_faq_00265__en-us_topic_0241651987_note9176182532413"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><p id="cce_faq_00265__en-us_topic_0241651987_p117718256249">To view security groups, log in to the CCE console, choose <span class="uicontrol" id="cce_faq_00265__en-us_topic_0241651987_uicontrol9231030607"><b>Service List</b></span> &gt; <span class="uicontrol" id="cce_faq_00265__en-us_topic_0241651987_uicontrol324814381902"><b>Network</b></span> &gt; <span class="uicontrol" id="cce_faq_00265__en-us_topic_0241651987_uicontrol4979242708"><b>Virtual Private Cloud</b></span>, and choose <span class="uicontrol" id="cce_faq_00265__en-us_topic_0241651987_uicontrol17956184525310"><b>Access Control</b></span> &gt; <span class="uicontrol" id="cce_faq_00265__en-us_topic_0241651987_uicontrol1892015216537"><b>Security Groups</b></span> in the navigation pane.</p>
</div></div>
<p id="cce_faq_00265__en-us_topic_0241651987_p479619141307">The security group name of a master node is {Cluster name}-cce-control-{Random ID}. The security group name of a worker node is {Cluster name}-cce-node-{Random ID}.</p>
<p id="cce_faq_00265__en-us_topic_0241651987_p6796914183018">Enable the following ports in security groups:</p>
<p id="cce_faq_00265__en-us_topic_0241651987_p97961414203014"><strong id="cce_faq_00265__en-us_topic_0241651987_b12796171418300">For {Cluster name}-cce-control-{Random ID}:</strong></p>
<ul id="cce_faq_00265__en-us_topic_0241651987_ul12796114193010"><li id="cce_faq_00265__en-us_topic_0241651987_li1679619141308">The source IP addresses defined in the security group rules must be permitted.</li><li class="msonormal" id="cce_faq_00265__en-us_topic_0241651987_li10590171192310"><strong id="cce_faq_00265__en-us_topic_0241651987_b242718391022">4789</strong>: used for network access between containers.</li><li class="msonormal" id="cce_faq_00265__en-us_topic_0241651987_li059011112231"><strong id="cce_faq_00265__en-us_topic_0241651987_b12936114643810">5443</strong> and <strong id="cce_faq_00265__en-us_topic_0241651987_b881145003810">5444</strong>: ports on which kube-apiserver of the master node listens. Both ports must permit requests from the VPC CIDR block, the container CIDR block, and the control plane CIDR blocks of the hosting mesh.</li><li class="msonormal" id="cce_faq_00265__en-us_topic_0241651987_li195901111192314"><strong id="cce_faq_00265__en-us_topic_0241651987_b52521829174715">9443</strong>: used by canal on the node to reach canal-api on the master node.</li><li class="msonormal" id="cce_faq_00265__en-us_topic_0241651987_li11590211172315"><strong id="cce_faq_00265__en-us_topic_0241651987_b3483151116483">8445</strong>: used by storage_driver on the node to access csms-storagemgr on the master node.</li></ul>
<p id="cce_faq_00265__en-us_topic_0241651987_p6796181423015"><strong id="cce_faq_00265__en-us_topic_0241651987_b479613144303">For {Cluster name}-cce-node-{Random ID}:</strong></p>
<ul id="cce_faq_00265__en-us_topic_0241651987_ul19796191423018"><li id="cce_faq_00265__en-us_topic_0241651987_li137961114153019">The source IP addresses defined in the security group rules must be permitted.</li><li id="cce_faq_00265__en-us_topic_0241651987_li87965145302"><strong id="cce_faq_00265__en-us_topic_0241651987_b1529374111485">4789</strong>: used for network access between containers.</li><li id="cce_faq_00265__en-us_topic_0241651987_li4547576419"><strong id="cce_faq_00265__en-us_topic_0241651987_b8661758114817">10250</strong>: used by the master node to initiate connections to kubelet on the node (for example, when running <strong id="cce_faq_00265__en-us_topic_0241651987_b1319655264911">kubectl exec {<em id="cce_faq_00265__en-us_topic_0241651987_i19586205744915">pod</em>}</strong>).</li><li id="cce_faq_00265__en-us_topic_0241651987_li27961314163012"><strong id="cce_faq_00265__en-us_topic_0241651987_b1059316402117">30000</strong> to <strong id="cce_faq_00265__en-us_topic_0241651987_b32807435118">32767</strong>: must permit requests from the VPC, container, and ELB CIDR blocks.</li></ul>
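<p>The port lists above can be turned into a quick audit of an exported rule set: the added example below (not part of this FAQ or of CCE itself) checks that every required port range of a control or node security group is covered and flags any rule whose source is wider than the trusted VPC, container or ELB CIDR blocks. The rule tuples, the CIDR blocks and the <code>role_of</code>/<code>audit</code> helper names are constructed for illustration.</p>

```python
import ipaddress

# Inbound port ranges each CCE security group must allow, as listed in this FAQ.
REQUIRED_PORTS = {
    "cce-control": [(4789, 4789), (5443, 5444), (9443, 9443), (8445, 8445)],
    "cce-node": [(4789, 4789), (10250, 10250), (30000, 32767)],
}


def role_of(sg_name):
    """Map a name such as mycluster-cce-node-a1b2c3 to its CCE role."""
    for role in REQUIRED_PORTS:
        if f"-{role}-" in sg_name:
            return role
    raise ValueError(f"not a CCE security group: {sg_name}")


def audit(sg_name, rules, trusted_cidrs):
    """Return findings for one security group.

    rules: iterable of (port_min, port_max, source_cidr) inbound rules.
    trusted_cidrs: VPC, container and (for nodes) ELB CIDR blocks that
    legitimately need to reach these ports.
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    # 1. every required range must be fully covered by at least one rule
    for lo, hi in REQUIRED_PORTS[role_of(sg_name)]:
        if not any(rlo <= lo and hi <= rhi for rlo, rhi, _ in rules):
            findings.append(f"missing: {lo}-{hi} not allowed")
    # 2. no rule may admit sources outside the trusted CIDR blocks
    for rlo, rhi, src in rules:
        net = ipaddress.ip_network(src)
        if not any(net.version == t.version and net.subnet_of(t) for t in trusted):
            findings.append(f"overly broad: {rlo}-{rhi} open to {src}")
    return findings


# Constructed sample: a node security group with kubelet left open to the world.
SAMPLE_RULES = [
    (4789, 4789, "10.0.0.0/16"),    # VXLAN from the (constructed) VPC CIDR
    (10250, 10250, "0.0.0.0/0"),    # kubelet reachable from anywhere: too broad
    (30000, 32767, "10.0.0.0/16"),  # NodePort range from the VPC CIDR
]
SAMPLE_TRUSTED = ["10.0.0.0/16", "172.16.0.0/16", "192.168.0.0/24"]

if __name__ == "__main__":
    for finding in audit("mycluster-cce-node-a1b2c3", SAMPLE_RULES, SAMPLE_TRUSTED):
        print(finding)
```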
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="cce_faq_0083.html">Reference</a></div>
</div>
</div>