Release Notes and Announcements

Release Notes

Announcements

Release Notes

Product Introduction

Overview

Strengths

Architecture

Scenarios

Features

Concepts

Native Kubernetes Terms

Common High-Risk Operations

Regions and Availability Zones

Service Regions and Service Providers

Open Source Components

Purchase Guide

Purchase Instructions

Purchase a TKE General Cluster

Purchasing Native Nodes

Purchasing a Super Node

Getting Started

Beginner’s Guide

Quickly Creating a Standard Cluster

Examples

Container Application Deployment Check List

Cluster Configuration

General Cluster Overview

Cluster Management

Network Management

Storage Management

Node Management

GPU Resource Management

Remote Terminals

Application Configuration

Workload Management

Service and Configuration Management

Component and Application Management

Auto Scaling

Container Login Methods

Observability Configuration

Ops Observability

Cost Insights and Optimization

Scheduler Configuration

Scheduling Component Overview

Resource Utilization Optimization Scheduling

Business Priority Assurance Scheduling

QoS Awareness Scheduling

Security and Stability

TKE Security Group Settings

Identity Authentication and Authorization

Application Security

Multi-cluster Management

Planned Upgrade

Backup Center

Cloud Native Service Guide

Cloud Service for etcd

TMP

TKE Serverless Cluster Guide

TKE Registered Cluster Guide

Use Cases

Cluster

Serverless Cluster

Scheduling

Security

Service Deployment

Network

Release

Logs

Monitoring

OPS

Terraform

DevOps

Auto Scaling

Containerization

Microservice

Cost Management

Hybrid Cloud

Troubleshooting

Disk Full

High Workload

Memory Fragmentation

Cluster DNS Troubleshooting

Cluster kube-proxy Troubleshooting

Cluster API Server Inaccessibility Troubleshooting

Service and Ingress Inaccessibility Troubleshooting

Common Service & Ingress Errors and Solutions

Engel Ingres appears in Connechtin Reverside

CLB Ingress Creation Error

Troubleshooting for Pod Network Inaccessibility

Pod Status Exception and Handling

Authorizing Tencent Cloud OPS Team for Troubleshooting

CLB Loopback

API Documentation

History

Introduction

API Category

Making API Requests

Elastic Cluster APIs

Resource Reserved Coupon APIs

Cluster APIs

Third-party Node APIs

Relevant APIs for Addon

Network APIs

Node APIs

Node Pool APIs

TKE Edge Cluster APIs

Cloud Native Monitoring APIs

Scaling group APIs

Super Node APIs

Other APIs

Data Types

Error Codes

TKE API 2022-05-01

FAQs

TKE General Cluster

TKE Serverless Cluster

About OPS

Hidden Danger Handling

About Services

Image Repositories

About Remote Terminals

Event FAQs

Resource Management

Service Agreement

TKE Service Level Agreement

TKE Serverless Service Level Agreement

Glossary

TKE Security Group Settings

PDF

Mode fokus

Ukuran font

Terakhir diperbarui: 2024-12-11 18:11:19

Security is a matter of utmost importance. Tencent Cloud considers security as a top priority in product design and requires all its products to be fully isolated and provides multiple layers of security protection with its basic network. TKE is a typical example. It adopts VPC as the underlying network of container services. This document describes the best practice of security group usage in TKE to help you select the most appropriate security group policy.
Security Groups
A security group is a virtual firewall capable of filtering stateful packets. As an important network security isolation means provided by Tencent Cloud, it can be used to configure network access control for one or more CVM instances. For more information, see Security Group.
How to Select a Security Group for TKE
In a container cluster, service pods are distributed on different nodes. We recommend that you bind all CVM instances in one cluster to the same security group and do not add non-clustered CVMs to a security group for a cluster.
A security group only grants the minimum permission externally.
You must enable the following rules for using TKE:
Open the container pod network and the cluster node network to the Internet.
 When a node receives a service access request, the node forwards the request to a service pod according to the iptables rule configured by the kube-proxy module. If the service pod is on another node, cross-node access occurs. For example, the destination IP addresses of the access request include the IP address of the service pod, IP addresses of other nodes in the cluster, and the IP address of the cluster’s cbr0 bridge on the node. In this case, the container pod network and the cluster node network on the peer node must be open to the Internet.
If clusters in the same VPC need to communicate with each other, you must open the container networks and node networks of the corresponding clusters to the Internet.
Open port 22 to the Internet if SSH login is required.
Open ports 30000 to 32768 on nodes to the Internet.
 In the access path, you must use a load balancer to forward data packets to NodeIP:NodePort of the container cluster. NodeIP is the CVM instance IP of any node in the cluster. NodePort is assigned by the container cluster by default when the service is created. NodePort ranges from 30000 to 32768.
 The following figure uses service access from the public network as an example.
  
﻿
﻿
Default Security Group Rules for TKE
Default security group rules for node
Some ports must be opened to the Internet to ensure normal communication between cluster nodes. To avoid cluster creation failures due to binding to invalid security groups, TKE provides default security group rules, as described in the following table.
Note: 
 If the current default security group cannot meet your service requirements and you have created a cluster bound to this security group, you can view and modify the security group rules for the cluster. For more information, please see Managing Security Group Rules.
Inbound rules
Protocol
Port Number
Source IP Address
Rule
Description
All
All
CIDR of the container network
Allow
Enable the communication between pods in the container network.
All
All
CIDR of the cluster network
Allow
Enable the communication between nodes in the cluster network.
tcp
30000 - 32768
0.0.0.0/0
Allow
Open NodePort to the Internet (Services in LoadBalancer type need to be forwarded through NodePort).
udp
30000 - 32768
0.0.0.0/0
Allow
Open NodePort to the Internet (Services in LoadBalancer type need to be forwarded through NodePort).
ICMP
-
0.0.0.0/0
Allow
Enable the support for Internet Control Message Protocol (ICMP) and ping operations.
Outbound rules
Protocol
Port Number
Source IP Address
Rule
All
All
0.0.0.0/0
Allow
Note: 
To customize outbound rules, you need to open the node IP range and container IP range.
If you configure this rule for container nodes, the services in the cluster can be accessed using different access methods.
For more information on how to access a service in a cluster, please see "Service Access" in Overview.
Default security group rules for master node in self-deployed cluster
When you create a self-deployed cluster, the default TKE security group will be bound to the master node by default to reduce the risks where the master node cannot communicate with other nodes normally or Services cannot be accessed normally. The configuration rules of default security group are as detailed below:
Note: 
The security group creation permission is inherited from the TKE service role. For more information, see Description of Role Permissions Related to Service Authorization.
Inbound rules
Protocol
Port
IP Range
Policy
Remarks
ICMP
All
0.0.0.0/0
Supported
Ping operations are supported.
TCP
30000–32768
Cluster network CIDR
Supported
It is used to open NodePort to the Internet (Services in LoadBalancer type need to be forwarded through NodePort).
UDP
30000–32768
Cluster network CIDR
Supported
It is used to open NodePort to the Internet (Services in LoadBalancer type need to be forwarded through NodePort).
TCP
60001, 60002, 10250, 2380, 2379, 53, 17443,50055, 443, 61678
Cluster network CIDR
Supported
It is used to open API Server communication to the Internet.
TCP
60001, 60002, 10250, 2380, 2379, 53, 17443
Container network CIDR
Supported
It is used to open API Server communication to the internet.
TCP
30000–32768
Container network CIDR
Supported
It is used to open NodePort to the Internet (Services in LoadBalancer type need to be forwarded through NodePort).
UDP
30000–32768
Container network CIDR
Supported
It is used to open NodePort to the Internet (Services in LoadBalancer type need to be forwarded through NodePort).
UDP
53
Container network CIDR
Supported
It is used to open CoreDNS communication to the internet.
UDP
53
Cluster network CIDR
Supported
It is used to open CoreDNS communication to the internet.
﻿
Outbound rules
Protocol
Port Number
Source IP Address
Rule
All
All
0.0.0.0/0
Allow

Bantuan dan Dukungan

Apakah halaman ini membantu?

Anda juga dapat Menghubungi Penjualan atau Mengirimkan Tiket untuk meminta bantuan.

masukan

tencent cloud

Tencent Kubernetes Engine

TKE Security Group Settings

Security Groups

How to Select a Security Group for TKE

Default Security Group Rules for TKE

Default security group rules for node

Inbound rules

Outbound rules

Default security group rules for master node in self-deployed cluster

Inbound rules

Outbound rules

Bantuan dan Dukungan

Protocol	Port Number	Source IP Address	Rule	Description
All	All	CIDR of the container network	Allow	Enable the communication between pods in the container network.
All	All	CIDR of the cluster network	Allow	Enable the communication between nodes in the cluster network.
tcp	30000 - 32768	0.0.0.0/0	Allow	Open NodePort to the Internet (Services in LoadBalancer type need to be forwarded through NodePort).
udp	30000 - 32768	0.0.0.0/0	Allow	Open NodePort to the Internet (Services in LoadBalancer type need to be forwarded through NodePort).
ICMP	-	0.0.0.0/0	Allow	Enable the support for Internet Control Message Protocol (ICMP) and ping operations.

Protocol	Port	IP Range	Policy	Remarks
ICMP	All	0.0.0.0/0	Supported	Ping operations are supported.
TCP	30000–32768	Cluster network CIDR	Supported	It is used to open NodePort to the Internet (Services in LoadBalancer type need to be forwarded through NodePort).
UDP	30000–32768	Cluster network CIDR	Supported	It is used to open NodePort to the Internet (Services in LoadBalancer type need to be forwarded through NodePort).
TCP	60001, 60002, 10250, 2380, 2379, 53, 17443,50055, 443, 61678	Cluster network CIDR	Supported	It is used to open API Server communication to the Internet.
TCP	60001, 60002, 10250, 2380, 2379, 53, 17443	Container network CIDR	Supported	It is used to open API Server communication to the internet.
TCP	30000–32768	Container network CIDR	Supported	It is used to open NodePort to the Internet (Services in LoadBalancer type need to be forwarded through NodePort).
UDP	30000–32768	Container network CIDR	Supported	It is used to open NodePort to the Internet (Services in LoadBalancer type need to be forwarded through NodePort).
UDP	53	Container network CIDR	Supported	It is used to open CoreDNS communication to the internet.
UDP	53	Cluster network CIDR	Supported	It is used to open CoreDNS communication to the internet.