tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
Tencent Cloud Observability Platform
    Documentation
    Download PDF

    Security Group Open Description

    Last updated: 2024-08-15 16:32:27
    Download PDF

      Overview

      This document describes the port that needs to be opened for security groups of managed clusters and user clusters during the process of integrating TKE for TMP. It also describes solutions for security group related issues that arise when managed clusters and user clusters are bound.

      Managed Cluster

      Managed cluster Security Groups are created by TMP and generally do not need modifications.

      Security Group

      Rule
      Protocol Port
      Policy
      Inbound rule
      TCP:9093, 9090, 10901, 10902, 9990, 3000, 8080, and 8008
      Allow
      Inbound rule
      TCP:8100-8200
      Allow
      Outbound rule
      ALL
      Allow

      Port Description

      Port
      Function
      Remarks
      TCP:8008
      proxy-server listens for the proxy-agent connection port
      -
      TCP:8080
      Cluster internal API calls port
      -
      TCP:3000
      grafana proxy port
      -
      TCP:9990
      cm-notify synchronization port
      About to be decommissioned
      TCP:10901,10902
      thanos sidecar listening address
      -
      TCP:9090
      Configure reload port, and collect data query API
      -
      TCP:9093
      Alarm port
      -
      TCP:8100-8200
      proxy-server listening collection port
      Since the collection port range is 100, the maximum number of associated clusters cannot exceed 100.

      Viewing Method

      log in to Prometheus Monitoring, select the instance's ID/Name > instance diagnostics, choose Integration Center for diagnostics, in the data collection architecture diagram you can see the Managed Cluster Security Group, click it to jump to the security group interface via hyperlink to view the Managed Cluster Security Group.
      
      
      

      User Cluster

      The user cluster security group is specified when the user creates a node. If not specified, the default security group will be used.

      Security Group

      Rule
      Cluster Type
      Protocol Port
      Policy
      Description
      Outbound rule
      -
      TCP:8008
      Allow
      Ensure that the proxy-agent and proxy-server can establish a connection
      Inbound rule
      Standard cluster
      -
      
      The standard cluster does not need opening ports.
      Inbound rule
      Independent cluster
      TCP: 9092, 8180, 443, 10249, 9100, 60002, 10252, 10257, 10259, and 10251
      Allow
      The independent cluster needs to open additional master node-related ports to ensure proxy-agent can pull master node-related monitoring data

      Viewing Method

      log in to Prometheus Monitoring, select the instance ID/Name > Data Collection, and click the cluster ID/Name to jump to the cluster's TKE interface.

      Native Nodes

      Click Node Management > Worker Node > Node pool, and click Node Pool ID. In the Details page, you can see the security group. In the Security group, search by security group ID to view specific rules.
      
      
      

      Common Nodes

      Click Node Management > Worker Node > Node Pool, and click Node Pool ID. In the Details page, hover over the Node ID and click Details:
      
      
      
      After navigating to the Instance Details page, click Security groups to view specific security group information:
      
      
      

      Super Nodes

      Click Node Management > Worker Node > Node Pool, and click Node Pool ID. In Node pool information, you can view the security group:
      
      
      

      Related Issues

      Issue Description

      Abnormal binding status, "Install tmp-agent CR" step shows "context deadline exceeded":
      
      
      

      Troubleshooting

      Is the VPC the Same or Interconnected?

      1. Click the user cluster link, open the associated cluster, and view the cluster node network (i.e., vpcid):
      
      
      
      2. On the Prometheus Instance's Basic Info page, click Network to view the cluster network:
      
      
      
      3. Compare the vpcid. If they are different, check if the VPCs are interconnected via CCN. If not, you need to associate the CCN to interconnect both VPCs or select Create Public Network CLB Instance when associating clusters. If CCN is interconnected but still unsuccessful, check if the CCN bandwidth limit is reached. If so, increase the CCN bandwidth limit.
      Associate with CCN:
      
      
      
      Select Create Public Network CLB Instance:
      
      
      

      Does the Security Group Allow Access?

      1. View the user cluster security group. For viewing methods, see User Cluster Security Group Viewing Method. Check if the rules meet the requirements.
      2. If the user cluster is an independent cluster, view the Master&Etcd security group information. Click Node Management > Master&Etcd > Node Pool, click the Node Pool ID, hover over the Node ID, and then click Jump to CVM Instance Details Page. On the CVM Security groups page, you can view specific security group information:
      
      
      
      Check if the security group rules meet the requirements.
      
      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy