tencent cloud

Tencent Kubernetes Engine

Release Notes and Announcements
Release Notes
Announcements
Release Notes
Product Introduction
Overview
Strengths
Architecture
Scenarios
Features
Concepts
Native Kubernetes Terms
Common High-Risk Operations
Regions and Availability Zones
Service Regions and Service Providers
Open Source Components
Purchase Guide
Purchase Instructions
Purchase a TKE General Cluster
Purchasing Native Nodes
Purchasing a Super Node
Getting Started
Beginner’s Guide
Quickly Creating a Standard Cluster
Examples
Container Application Deployment Check List
Cluster Configuration
General Cluster Overview
Cluster Management
Network Management
Storage Management
Node Management
GPU Resource Management
Remote Terminals
Application Configuration
Workload Management
Service and Configuration Management
Component and Application Management
Auto Scaling
Container Login Methods
Observability Configuration
Ops Observability
Cost Insights and Optimization
Scheduler Configuration
Scheduling Component Overview
Resource Utilization Optimization Scheduling
Business Priority Assurance Scheduling
QoS Awareness Scheduling
Security and Stability
TKE Security Group Settings
Identity Authentication and Authorization
Application Security
Multi-cluster Management
Planned Upgrade
Backup Center
Cloud Native Service Guide
Cloud Service for etcd
TMP
TKE Serverless Cluster Guide
TKE Registered Cluster Guide
Use Cases
Cluster
Serverless Cluster
Scheduling
Security
Service Deployment
Network
Release
Logs
Monitoring
OPS
Terraform
DevOps
Auto Scaling
Containerization
Microservice
Cost Management
Hybrid Cloud
AI
Troubleshooting
Disk Full
High Workload
Memory Fragmentation
Cluster DNS Troubleshooting
Cluster kube-proxy Troubleshooting
Cluster API Server Inaccessibility Troubleshooting
Service and Ingress Inaccessibility Troubleshooting
Common Service & Ingress Errors and Solutions
Engel Ingres appears in Connechtin Reverside
CLB Ingress Creation Error
Troubleshooting for Pod Network Inaccessibility
Pod Status Exception and Handling
Authorizing Tencent Cloud OPS Team for Troubleshooting
CLB Loopback
API Documentation
History
Introduction
API Category
Making API Requests
Elastic Cluster APIs
Resource Reserved Coupon APIs
Cluster APIs
Third-party Node APIs
Relevant APIs for Addon
Network APIs
Node APIs
Node Pool APIs
TKE Edge Cluster APIs
Cloud Native Monitoring APIs
Scaling group APIs
Super Node APIs
Other APIs
Data Types
Error Codes
TKE API 2022-05-01
FAQs
TKE General Cluster
TKE Serverless Cluster
About OPS
Hidden Danger Handling
About Services
Image Repositories
About Remote Terminals
Event FAQs
Resource Management
Service Agreement
TKE Service Level Agreement
TKE Serverless Service Level Agreement
Contact Us
Glossary
DocumentationTencent Kubernetes EngineCluster Configuration Network Management VPC-CNI ModeSecurity Group of VPC-CNI Mode

Security Group of VPC-CNI Mode

PDF
Focus Mode
Font Size
Last updated: 2023-05-06 19:15:14
You can bind specified security group to the ENI created in VPC-CNI mode through the following methods:

Prerequisites

The version of IPAMD component is v3.2.0 or later version. You can check the version through image tag.
The IPAMD component has enabled the capability of security group (not enabled by default). The launch parameter is --enable-security-groups.
Currently, only multiple Pods with shared ENI mode is supported.

Enabling Security Group Feature for the IPAMD Component

tke-eni-ipamd v3.5.0 or later

1. Log in to the TKE console and select Cluster in the left sidebar.
2. On the Cluster Management page, click the ID of the target cluster to go to the cluster details page.
3. On the cluster details page, select Add-On Management on the left of the page, click Update configuration in the Operation column of the eniipamd add-on.


4. On the Update configuration page, select Security group. If you want to use the security group of the primary ENI, do not specify a security group. Otherwise, specify one.


5. Click Done.

tke-eni-ipamd earlier than v3.5.0 or no eniipamd to manage

Modify the existing tke-eni-ipamd deployment:
kubectl edit deploy tke-eni-ipamd -n kube-system
Run the following command to add the launch parameter to spec.template.spec.containers[0].args. After the modification, ipamd will restart and take effect automatically. For a secondary ENI that is not associated with a security group on an existing node, a security group will be bound to it based on the following policy. If a security group has been bound, strong synchronization will be performed for the set security group unless the feature has been enabled before and a security group has been set on the node. The following security group will be bound to all ENIs on a new node.
- --enable-security-groups
# If you want to use the security groups of the primary ENI/instance by default, do not add the security-groups parameter.
- --security-groups=sg-xxxxxxxx,sg-xxxxxxxx

Method of synchronizing ENI security group settings of existing nodes

If you want the security group policy to take effect on the existing nodes that have been set the security groups, you need to manually disable the security group, and then enable the security group again to achieve synchronization. You can operate as follows:
1. Add an annotation to clear and disable the security groups bound to the ENIs of the node. After the annotation is added, the existing ENIs of the node will unbind all security groups:
kubectl annotate node <nodeName> --overwrite tke.cloud.tencent.com/disable-node-eni-security-groups="yes"
2. (Wait 2-5s after the first step.) After the value is reset to "no", the security groups configured based on the above policy can be rebound.
kubectl annotate node <nodeName> --overwrite tke.cloud.tencent.com/disable-node-eni-security-groups="no"

Feature Logic

If the launch parameter --security-groups is not set, or its value is empty, the security group of each node will use the security group bound to the node instance (security group bound to the primary ENI). If the feature is enabled, when the security group of a node instance (security group of the primary ENI) changes, the security group of the secondary ENI will not be synchronized automatically. Instead, you need to disable the security group on the node and enable it again for synchronization. For operation details, see Method of synchronizing ENI security group settings of existing nodes.
After the feature is enabled, if --security-groups is set, the security group of each node is set to this security group set.
After the feature is enabled, if --security-groups is modified, the settings of security groups on new nodes will be synchronized with global parameters, and the settings of security groups on existing nodes will remain unchanged. If you want to synchronize the settings of security groups on existing nodes, you need to disable the security group on the node and enable it again. For operation details, see Method of synchronizing ENI security group settings of existing nodes.
The priority for setting a security group is consistent with the sequence of setting a security group on a node. If the security group of the primary ENI is used, the priority is consistent with that of the primary ENI.
Run the following command to view the security group of the node. The spec.securityGroups contains the information of the security group of the node.
kubectl get nec <nodeName> -oyaml
Run the following command to modify the security group of the node. The modification will take effect immediately.
kubectl edit nec <nodeName>
After the feature is enabled, if an existing ENI is not bound with a security group, the security group of the node will be bound to it. Security group of an existing ENI will be strong synced with the security group of the node to ensure consistency with the security group of the node. A new ENI will be bound with security group of the node.
Previous Topic: Interconnection Between VPC-CNI and Other Cloud Resources/IDC ResourcesNext Topic: Instructions on Binding an EIP to a Pod

Help and Support

Was this page helpful?

Help us improve! Rate your documentation experience in 5 mins.

Feedback