Security is always of utmost importance. Tencent Cloud prioritizes security in product design and strictly requires that all products are fully isolated. The Tencent Cloud classic network provides multiple layers of security protection, and Tencent Kubernetes Engine (TKE) also pays special attention to security: TKE uses VPC, which offers richer network features, as its underlying network. This document describes best practices for using security groups in TKE, helping you select the most appropriate security group policy.
A security group is a virtual firewall that performs stateful packet filtering. As an important network isolation mechanism provided by Tencent Cloud, a security group sets the network access control for one or more Cloud Virtual Machine (CVM) instances. For more information on security groups, please see Security Groups.
Some ports must be opened to the Internet to ensure normal communication between cluster nodes. To avoid cluster creation failures caused by binding an invalid security group, TKE provides default security group rules, as described in the following table.
If the default security group does not meet your service requirements and you have already created a cluster bound to it, you can view and modify the security group rules for the cluster. For more information, please see Managing Security Group Rules.
| Protocol | Port Number | Source IP Address | Rule | Description |
|---|---|---|---|---|
| All | All | CIDR of the container network | Allow | Enables communication between pods in the container network. |
| All | All | CIDR of the cluster network | Allow | Enables communication between nodes in the cluster network. |
| TCP | 22 | 0.0.0.0/0 | Allow | Opens the SSH login port to the Internet. |
| TCP | 30000 to 32768 | 0.0.0.0/0 | Allow | Enables communication between master and worker nodes. |
| UDP | 30000 to 32768 | 0.0.0.0/0 | Allow | Enables communication between master and worker nodes. |
| ICMP | - | 0.0.0.0/0 | Allow | Enables support for Internet Control Message Protocol (ICMP) and ping operations. |
| Protocol | Port Number | Source IP Address | Rule |
|---|---|---|---|
- To customize outbound rules, you must open the node IP range and the container IP range.
- If you configure this rule on container nodes, services in the cluster can be reached through the different access methods.
- For more information on how to access a service in a cluster, please see "Service Access" in Overview.
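The following is an added example (not Tencent Cloud's own tooling or code) that models the default inbound rule set above as data, evaluates sample traffic against it, and audits which rules are open to the whole Internet. It assumes rules are matched top to bottom with the first match deciding, that the container CIDR is 172.16.0.0/16 and the cluster CIDR is 10.0.0.0/16 (constructed sample values), and that 203.0.113.0/24 is a constructed administrator range used to show the SSH rule tightened from 0.0.0.0/0:

```python
"""Model, evaluate and audit a security-group rule set shaped like the TKE defaults.

Added example, not Tencent Cloud code. Assumptions: first matching rule wins
(evaluation order is an assumption); CIDRs and sample IPs are constructed.
"""
from dataclasses import dataclass, replace
import ipaddress

@dataclass(frozen=True)
class Rule:
    protocol: str      # "TCP", "UDP", "ICMP" or "ALL"
    ports: tuple       # (low, high) inclusive, or None when the rule has no port
    source: str        # source CIDR
    action: str        # "Allow" or "Deny"
    description: str = ""

    def matches(self, protocol, port, src_ip):
        """True if a packet (protocol, destination port, source IP) hits this rule."""
        if self.protocol != "ALL" and self.protocol != protocol:
            return False
        if self.ports is not None:
            if port is None or not (self.ports[0] <= port <= self.ports[1]):
                return False
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source, strict=False)

# Constructed sample values standing in for the cluster's real CIDRs.
CONTAINER_CIDR = "172.16.0.0/16"
CLUSTER_CIDR = "10.0.0.0/16"

# The default inbound rules from the table above, expressed as data.
DEFAULT_INBOUND = [
    Rule("ALL", None, CONTAINER_CIDR, "Allow", "pod-to-pod"),
    Rule("ALL", None, CLUSTER_CIDR, "Allow", "node-to-node"),
    Rule("TCP", (22, 22), "0.0.0.0/0", "Allow", "SSH from Internet"),
    Rule("TCP", (30000, 32768), "0.0.0.0/0", "Allow", "NodePort TCP"),
    Rule("UDP", (30000, 32768), "0.0.0.0/0", "Allow", "NodePort UDP"),
    Rule("ICMP", None, "0.0.0.0/0", "Allow", "ping"),
]

def evaluate(rules, protocol, port, src_ip, default="Deny"):
    """Return (action, description) of the first matching rule, else the default."""
    for rule in rules:
        if rule.matches(protocol, port, src_ip):
            return rule.action, rule.description
    return default, "implicit default"

def internet_exposed(rules):
    """Allow rules whose source is the whole address space (prefix length 0)."""
    return [r for r in rules
            if r.action == "Allow"
            and ipaddress.ip_network(r.source, strict=False).prefixlen == 0]

def restrict_ssh(rules, admin_cidr):
    """Rewrite the Internet-wide SSH rule so only admin_cidr may reach port 22."""
    out = []
    for r in rules:
        if r.protocol == "TCP" and r.ports == (22, 22) and r.source == "0.0.0.0/0":
            r = replace(r, source=admin_cidr, description="SSH from admin range")
        out.append(r)
    return out

if __name__ == "__main__":
    # 198.51.100.7 is a constructed external address; 10.0.1.5 is inside the cluster CIDR.
    print(evaluate(DEFAULT_INBOUND, "TCP", 22, "198.51.100.7"))
    print(evaluate(DEFAULT_INBOUND, "TCP", 443, "198.51.100.7"))
    print(evaluate(DEFAULT_INBOUND, "TCP", 443, "10.0.1.5"))
    print([r.description for r in internet_exposed(DEFAULT_INBOUND)])
    hardened = restrict_ssh(DEFAULT_INBOUND, "203.0.113.0/24")
    print(evaluate(hardened, "TCP", 22, "198.51.100.7"))
    print(evaluate(hardened, "TCP", 22, "203.0.113.9"))
```

Because security groups are stateful, responses to connections the node itself initiates do not need an inbound rule, so tightening the SSH source does not affect outbound traffic. `internet_exposed` is the check to rerun after any rule change: the NodePort and ICMP rules are expected to remain open if services are published that way, but an SSH rule with source 0.0.0.0/0 is normally narrowed to an administrator range or a bastion host.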