tencent cloud

Feedback

Security Group Open Description

Last updated: 2024-08-15 16:32:27

    Overview

    This document describes the port that needs to be opened for security groups of managed clusters and user clusters during the process of integrating TKE for TMP. It also describes solutions for security group related issues that arise when managed clusters and user clusters are bound.

    Managed Cluster

    Managed cluster Security Groups are created by TMP and generally do not need modifications.

    Security Group

    Rule
    Protocol Port
    Policy
    Inbound rule
    TCP:9093, 9090, 10901, 10902, 9990, 3000, 8080, and 8008
    Allow
    Inbound rule
    TCP:8100-8200
    Allow
    Outbound rule
    ALL
    Allow

    Port Description

    Port
    Function
    Remarks
    TCP:8008
    proxy-server listens for the proxy-agent connection port
    -
    TCP:8080
    Cluster internal API calls port
    -
    TCP:3000
    grafana proxy port
    -
    TCP:9990
    cm-notify synchronization port
    About to be decommissioned
    TCP:10901,10902
    thanos sidecar listening address
    -
    TCP:9090
    Configure reload port, and collect data query API
    -
    TCP:9093
    Alarm port
    -
    TCP:8100-8200
    proxy-server listening collection port
    Since the collection port range is 100, the maximum number of associated clusters cannot exceed 100.

    Viewing Method

    log in to Prometheus Monitoring, select the instance's ID/Name > instance diagnostics, choose Integration Center for diagnostics, in the data collection architecture diagram you can see the Managed Cluster Security Group, click it to jump to the security group interface via hyperlink to view the Managed Cluster Security Group.
    
    
    

    User Cluster

    The user cluster security group is specified when the user creates a node. If not specified, the default security group will be used.

    Security Group

    Rule
    Cluster Type
    Protocol Port
    Policy
    Description
    Outbound rule
    -
    TCP:8008
    Allow
    Ensure that the proxy-agent and proxy-server can establish a connection
    Inbound rule
    Standard cluster
    -
    
    The standard cluster does not need opening ports.
    Inbound rule
    Independent cluster
    TCP: 9092, 8180, 443, 10249, 9100, 60002, 10252, 10257, 10259, and 10251
    Allow
    The independent cluster needs to open additional master node-related ports to ensure proxy-agent can pull master node-related monitoring data

    Viewing Method

    log in to Prometheus Monitoring, select the instance ID/Name > Data Collection, and click the cluster ID/Name to jump to the cluster's TKE interface.

    Native Nodes

    Click Node Management > Worker Node > Node pool, and click Node Pool ID. In the Details page, you can see the security group. In the Security group, search by security group ID to view specific rules.
    
    
    

    Common Nodes

    Click Node Management > Worker Node > Node Pool, and click Node Pool ID. In the Details page, hover over the Node ID and click Details:
    
    
    
    After navigating to the Instance Details page, click Security groups to view specific security group information:
    
    
    

    Super Nodes

    Click Node Management > Worker Node > Node Pool, and click Node Pool ID. In Node pool information, you can view the security group:
    
    
    

    Related Issues

    Issue Description

    Abnormal binding status, "Install tmp-agent CR" step shows "context deadline exceeded":
    
    
    

    Troubleshooting

    Is the VPC the Same or Interconnected?

    1. Click the user cluster link, open the associated cluster, and view the cluster node network (i.e., vpcid):
    
    
    
    2. On the Prometheus Instance's Basic Info page, click Network to view the cluster network:
    
    
    
    3. Compare the vpcid. If they are different, check if the VPCs are interconnected via CCN. If not, you need to associate the CCN to interconnect both VPCs or select Create Public Network CLB Instance when associating clusters. If CCN is interconnected but still unsuccessful, check if the CCN bandwidth limit is reached. If so, increase the CCN bandwidth limit.
    Associate with CCN:
    
    
    
    Select Create Public Network CLB Instance:
    
    
    

    Does the Security Group Allow Access?

    1. View the user cluster security group. For viewing methods, see User Cluster Security Group Viewing Method. Check if the rules meet the requirements.
    2. If the user cluster is an independent cluster, view the Master&Etcd security group information. Click Node Management > Master&Etcd > Node Pool, click the Node Pool ID, hover over the Node ID, and then click Jump to CVM Instance Details Page. On the CVM Security groups page, you can view specific security group information:
    
    
    
    Check if the security group rules meet the requirements.
    
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support