yexinru/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
Files
0b3a43371a4bcc99577594de0a685249d676a567
doc-exports/docs/cce/umn/cce_10_1078.html
qiujiandong1 6d480dcc20 CCE UMN update 20250912 version 
Reviewed-by: Eotvos, Oliver <oliver.eotvos@t-systems.com>
Co-authored-by: qiujiandong1 <qiujiandong1@huawei.com>
Co-committed-by: qiujiandong1 <qiujiandong1@huawei.com>
2025-10-29 10:20:57 +00:00

7.4 KiB
Raw Blame History

Comparison of Workload Security Group Configuration Methods

In CCE Turbo clusters, pods can be directly bound to security groups using VPC network interfaces or supplementary network interfaces. CCE Turbo provides multi-dimensional security group binding methods to meet your service needs.

If multiple security group configuration methods are used, the method with the highest priority will be applied. In the table below, smaller values indicate higher priorities.

Table 1 Comparison between methods for configuring workload security groups

Priority

How to Configure

Application and Advantage

Constraint

1

Binding a Security Group to a Pod Using an Annotation
  • This method is suitable for debugging services.
  • Security groups added using this method can be used by other configuration methods.
  • Newly added security groups apply only to new pods. To apply the configuration to existing pods, they must be rebuilt.
  • Pre-bound container network interfaces cannot be associated with a target security group.

2

Binding a Security Group to a Workload Using a Security Group Policy
  • This method applies to the entire namespace and requires workloads within the namespace.
  • Security group settings can be updated for pods in real time. This eliminates the need to rebuild existing pods.

Pre-bound container network interfaces cannot be associated with a target security group.

3

Using Node Pool Settings to Bind the Default Security Group to Pods in the Node Pool
  • Services are classified by node pool. You may need to configure associated scheduling policies based on your services.
  • Pre-bound container network interfaces can be associated with a target security group.
  • Newly added security groups apply only to new pods. To apply the configuration to existing pods, they must be rebuilt.
  • Only newly bound container network interfaces on the node can be associated with a target security group.

4

Binding a Subnet and Security Group to a Namespace or Workload Using a Container Network Configuration
  • This method applies to the entire cluster and supports multiple namespaces.
  • Security groups can be configured with subnets.
  • Newly added security groups apply only to new pods. To apply the configuration to existing pods, they must be rebuilt.
  • Pre-bound container network interfaces cannot be associated with a target security group.

5

Default network interface security group of a Turbo cluster

  • This method is the default configuration. If your cluster requires general security hardening, you can directly modify the rules in the default security group.
  • Pre-bound container network interfaces can be associated with a target security group.

None