Overview
This document describes the ports that must be opened in the security groups of managed clusters and user clusters when integrating TKE with TMP. It also describes how to resolve security group related issues that arise when a managed cluster and a user cluster are bound.
Managed Cluster
The managed cluster security group is created by TMP and generally does not need to be modified.
Security Group
| Type | Port | Policy |
|---|---|---|
| Inbound rule | TCP:9093, 9090, 10901, 10902, 9990, 3000, 8080, and 8008 | Allow |
| Inbound rule | TCP:8100-8200 | Allow |
| Outbound rule | ALL | Allow |
Port Description
| Port | Description | Notes |
|---|---|---|
| TCP:8008 | Port on which proxy-server listens for proxy-agent connections | - |
| TCP:8080 | Port for API calls inside the cluster | - |
| TCP:3000 | grafana proxy port | - |
| TCP:9990 | cm-notify synchronization port | About to be decommissioned |
| TCP:10901, 10902 | thanos sidecar listening addresses | - |
| TCP:9090 | Configuration reload port and query API for collected data | - |
| TCP:9093 | Alarm port | - |
| TCP:8100-8200 | proxy-server collection listening ports | Because the collection port range contains 100 ports, at most 100 clusters can be associated with one instance. |
Viewing Method
Log in to Prometheus Monitoring, select the instance ID/Name > Instance Diagnostics, and choose Integration Center for diagnostics. The data collection architecture diagram shows the Managed Cluster Security Group; click it to follow the hyperlink to the security group console and view its rules.
User Cluster
The user cluster security group is specified when the user creates a node. If not specified, the default security group will be used.
Security Group
| Type | Cluster Type | Port | Policy | Description |
|---|---|---|---|---|
| Outbound rule | - | TCP:8008 | Allow | Ensures that the proxy-agent can establish a connection to the proxy-server |
| Inbound rule | Standard cluster | - | - | A standard cluster does not need to open any ports. |
| Inbound rule | Independent cluster | TCP:9092, 8180, 443, 10249, 9100, 60002, 10252, 10257, 10259, and 10251 | Allow | An independent cluster must additionally open the master node-related ports so that the proxy-agent can pull master node monitoring data. |
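The two port lists above (managed cluster inbound ports and the extra master-node ports of an independent user cluster) are easy to get subtly wrong, for example when a Reject rule sits above the Allow rule. The following added example, which is not part of this document or of any TMP tooling, checks a security group rule list against the ports this page requires. It assumes rules are evaluated top to bottom with the first match deciding and no match meaning deny; the rule tuples are constructed for illustration.

```python
# Inbound TCP ports this page lists for the TMP managed cluster security group.
MANAGED_CLUSTER_INBOUND = [9093, 9090, 10901, 10902, 9990, 3000, 8080, 8008] + list(range(8100, 8201))
# Extra master-node ports this page lists for an independent user cluster.
INDEPENDENT_MASTER_INBOUND = [9092, 8180, 443, 10249, 9100, 60002, 10252, 10257, 10259, 10251]

def parse_ports(spec):
    """Expand 'TCP:9093, 9090, 8100-8200' into a set; 'ALL' -> None (any port)."""
    spec = spec.strip()
    if spec.upper() == "ALL":
        return None
    proto, _, body = spec.partition(":")
    if proto.strip().upper() != "TCP":
        return set()  # only TCP rules matter for the ports on this page
    ports = set()
    for part in (p.strip() for p in body.split(",") if p.strip()):
        if "-" in part:  # inclusive range such as 8100-8200
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return ports

def blocked_ports(rules, direction, required):
    """Required ports the rules do not allow (assumed model: first match wins, no match = deny)."""
    blocked = []
    for port in required:
        verdict = None
        for rule_dir, spec, action in rules:  # constructed (direction, port_spec, action) tuples
            if rule_dir != direction:
                continue
            ports = parse_ports(spec)
            if ports is None or port in ports:
                verdict = action
                break
        if verdict != "Allow":
            blocked.append(port)
    return blocked

# Rules copied from the managed cluster table on this page.
MANAGED_SG = [
    ("Inbound", "TCP:9093, 9090, 10901, 10902, 9990, 3000, 8080, 8008", "Allow"),
    ("Inbound", "TCP:8100-8200", "Allow"),
    ("Outbound", "ALL", "Allow"),
]
# Constructed misconfiguration: a Reject rule above the Allow rule shadows two master ports,
# so the proxy-agent could not pull data from them.
MASTER_SG = [
    ("Inbound", "TCP:10257, 10259", "Reject"),
    ("Inbound", "TCP:9092, 8180, 443, 10249, 9100, 60002, 10252, 10257, 10259, 10251", "Allow"),
]
```

Running `blocked_ports(MASTER_SG, "Inbound", INDEPENDENT_MASTER_INBOUND)` reports the two shadowed ports, which is the kind of gap to look for in the security group check under Related Issues.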
Viewing Method
Log in to Prometheus Monitoring, select the instance ID/Name > Data Collection, and click the cluster ID/Name to jump to the cluster's TKE console. The location of the security group then depends on the node type.
Native Nodes
Click Node Management > Worker Node > Node Pool, and click the Node Pool ID. The Details page shows the security group. In the security group console, search by security group ID to view its rules.
Common Nodes
Click Node Management > Worker Node > Node Pool, and click the Node Pool ID. In the Details page, hover over the Node ID and click Details:
On the Instance Details page, click Security Groups to view the security group information:
Super Nodes
Click Node Management > Worker Node > Node Pool, and click the Node Pool ID. The security group is shown in the Node pool information section:
Related Issues
Issue Description
The binding status is abnormal, and the "Install tmp-agent CR" step shows "context deadline exceeded":
Troubleshooting
Is the VPC the Same or Interconnected?
1. Click the user cluster link to open the associated cluster, and view the cluster node network (that is, the vpcid):
2. On the Basic Info page of the Prometheus instance, click Network to view the instance's cluster network:
3. Compare the two vpcids. If they differ, check whether the VPCs are interconnected via CCN. If they are not, either associate both VPCs with a CCN to interconnect them or select Create Public Network CLB Instance when associating the cluster. If the VPCs are interconnected via CCN but binding still fails, check whether the CCN bandwidth limit has been reached and, if so, increase it.
Associate with CCN:
Select Create Public Network CLB Instance:
Does the Security Group Allow Access?
2. If the user cluster is an independent cluster, view the Master&Etcd security group: click Node Management > Master&Etcd > Node Pool, click the Node Pool ID, hover over the Node ID, and then click Jump to CVM Instance Details Page. The CVM Security Groups page shows the security group information:
Check that the security group rules meet the requirements listed above.