Security is a matter of utmost importance. Tencent Cloud treats security as a top priority in product design: all of its products must be fully isolated, and its basic network provides multiple layers of security protection. TKE is a typical example: it uses VPC as the underlying network for container services. This document describes best practices for using security groups in TKE to help you select the most appropriate security group policy.
A security group is a virtual firewall that performs stateful packet filtering. As an important network security isolation means provided by Tencent Cloud, it can be used to configure network access control for one or more CVM instances. For more information, see Security Group.
Some ports must be opened to the Internet to ensure normal communication between cluster nodes. To avoid cluster creation failures caused by binding an invalid security group, TKE provides default security group rules, as described in the following tables (inbound rules first, then outbound rules).
Note: If the current default security group cannot meet your service requirements and you have created a cluster bound to this security group, you can view and modify the security group rules for the cluster. For more information, please see Managing Security Group Rules.

Protocol | Port Number | Source IP Address | Rule | Description |
---|---|---|---|---|
All | All | CIDR of the container network | Allow | Enable the communication between pods in the container network. |
All | All | CIDR of the cluster network | Allow | Enable the communication between nodes in the cluster network. |
tcp | 30000 - 32768 | 0.0.0.0/0 | Allow | Open NodePort to the Internet (Services in LoadBalancer type need to be forwarded through NodePort). |
udp | 30000 - 32768 | 0.0.0.0/0 | Allow | Open NodePort to the Internet (Services in LoadBalancer type need to be forwarded through NodePort). |
ICMP | - | 0.0.0.0/0 | Allow | Enable the support for Internet Control Message Protocol (ICMP) and ping operations. |

Protocol | Port Number | Source IP Address | Rule |
---|---|---|---|
All | All | 0.0.0.0/0 | Allow |
Note:
- To customize outbound rules, you need to open the node IP range and the container IP range.
- If you configure this rule on container nodes, the services in the cluster can be reached through the different access methods.
- For more information on how to access a service in a cluster, please see "Service Access" in Overview.
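As an added illustration (not part of the original page and not TKE's own code), the following Python audits an inbound rule set against the default inbound rules in the table above: it reports required default rules that no rule covers and flags any rule open to 0.0.0.0/0 beyond the NodePort range and ICMP. The CIDRs and the rule set are constructed sample values.

```python
import ipaddress
from typing import NamedTuple
# Constructed sample CIDRs (placeholders); substitute your own VPC ranges.
CLUSTER_CIDR = "10.0.0.0/16"      # cluster (node) network
CONTAINER_CIDR = "172.16.0.0/16"  # container (pod) network
NODEPORT_RANGE = (30000, 32768)   # NodePort range used by the default rules

class Rule(NamedTuple):
    proto: str   # "ALL", "TCP", "UDP" or "ICMP"
    ports: str   # "ALL", "22", "30000-32768", or "-" for ICMP
    source: str  # source CIDR
    action: str  # "ACCEPT" or "DROP"

def port_span(ports):
    """Expand a port field into an inclusive (low, high) tuple."""
    if ports in ("ALL", "-"):
        return (0, 65535)
    lo, _, hi = ports.partition("-")
    return (int(lo), int(hi or lo))

def covers(rule, proto, lo, hi, source):
    """True if `rule` accepts proto on ports lo-hi from every address in `source`."""
    if rule.action != "ACCEPT" or rule.proto not in ("ALL", proto):
        return False
    rlo, rhi = port_span(rule.ports)
    if not (rlo <= lo and hi <= rhi):
        return False
    return ipaddress.ip_network(source).subnet_of(ipaddress.ip_network(rule.source))

def audit(rules):
    """Return (missing, too_broad): default rules that nothing in `rules` covers,
    and Internet-wide (0.0.0.0/0) accept rules beyond NodePort and ICMP."""
    lo, hi = NODEPORT_RANGE
    required = [("ALL", 0, 65535, CONTAINER_CIDR, "pod-to-pod"),
                ("ALL", 0, 65535, CLUSTER_CIDR, "node-to-node"),
                ("TCP", lo, hi, "0.0.0.0/0", "NodePort TCP"),
                ("UDP", lo, hi, "0.0.0.0/0", "NodePort UDP")]
    missing = [name for proto, a, b, src, name in required
               if not any(covers(r, proto, a, b, src) for r in rules)]
    public_ok = {("TCP", NODEPORT_RANGE), ("UDP", NODEPORT_RANGE), ("ICMP", (0, 65535))}
    too_broad = [r for r in rules if r.action == "ACCEPT" and r.source == "0.0.0.0/0"
                 and (r.proto, port_span(r.ports)) not in public_ok]
    return missing, too_broad

# Constructed rule set mirroring the default inbound table on this page.
DEFAULT_INBOUND = [Rule("ALL", "ALL", CONTAINER_CIDR, "ACCEPT"),
                   Rule("ALL", "ALL", CLUSTER_CIDR, "ACCEPT"),
                   Rule("TCP", "30000-32768", "0.0.0.0/0", "ACCEPT"),
                   Rule("UDP", "30000-32768", "0.0.0.0/0", "ACCEPT"),
                   Rule("ICMP", "-", "0.0.0.0/0", "ACCEPT")]
```

Copying the outbound "All/All/0.0.0.0/0" rule into the inbound direction is reported by `audit` as too broad, while a missing NodePort rule shows up in `missing`.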
When you create a self-deployed cluster, the default TKE security group is bound to the master node by default to reduce the risk that the master node cannot communicate normally with other nodes or that Services cannot be accessed normally. The rules of the default security group are detailed below:
Note: The security group creation permission is inherited from the TKE service role. For more information, see Description of Role Permissions Related to Service Authorization.

Protocol | Port | IP Range | Policy | Remarks |
---|---|---|---|---|
ICMP | All | 0.0.0.0/0 | Supported | Ping operations are supported. |
TCP | 30000–32768 | Cluster network CIDR | Supported | It is used to open NodePort to the Internet (Services in LoadBalancer type need to be forwarded through NodePort). |
UDP | 30000–32768 | Cluster network CIDR | Supported | It is used to open NodePort to the Internet (Services in LoadBalancer type need to be forwarded through NodePort). |
TCP | 60001, 60002, 10250, 2380, 2379, 53, 17443, 50055, 443, 61678 | Cluster network CIDR | Supported | It is used to open API Server communication to the Internet. |
TCP | 60001, 60002, 10250, 2380, 2379, 53, 17443 | Container network CIDR | Supported | It is used to open API Server communication to the Internet. |
TCP | 30000–32768 | Container network CIDR | Supported | It is used to open NodePort to the Internet (Services in LoadBalancer type need to be forwarded through NodePort). |
UDP | 30000–32768 | Container network CIDR | Supported | It is used to open NodePort to the Internet (Services in LoadBalancer type need to be forwarded through NodePort). |
UDP | 53 | Container network CIDR | Supported | It is used to open CoreDNS communication to the Internet. |
UDP | 53 | Cluster network CIDR | Supported | It is used to open CoreDNS communication to the Internet. |

Protocol | Port Number | Source IP Address | Rule |
---|---|---|---|
All | All | 0.0.0.0/0 | Allow |