Security is a matter of utmost importance. Tencent Cloud treats security as a top priority in product design, requires all of its products to be fully isolated, and provides multiple layers of security protection in its underlying network. TKE is a typical example: it uses VPC as the underlying network for container services. This document describes the best practice for using security groups in TKE to help you select the most appropriate security group policy.
A security group is a virtual firewall that performs stateful packet filtering. As an important network security isolation mechanism provided by Tencent Cloud, it can be used to configure network access control for one or more CVM instances. For more information, see Security Groups.
Some ports need to be opened to ensure normal communication between cluster nodes. To avoid cluster creation failures resulting from binding invalid security groups, TKE provides default security group rules, as described in the following table.
If the current default security group cannot meet the service requirements, and you have created a cluster that is bound to this security group, you can view and modify the security group rules of the cluster by referring to Managing Security Group Rules.
| Protocol | Port | Source | Policy | Description |
|---|---|---|---|---|
| ALL | ALL | Container network CIDR | Allow | Allow communication between pods within the container network |
| ALL | ALL | Cluster network CIDR | Allow | Allow communication between nodes within the cluster network |
| TCP | 22 | 0.0.0.0/0 | Allow | Open port 22 for login attempts over SSH |
| TCP | 30000-32768 | 0.0.0.0/0 | Allow | Allow communication between the master and worker nodes |
| UDP | 30000-32768 | 0.0.0.0/0 | Allow | Allow communication between the master and worker nodes |
| ICMP | - | 0.0.0.0/0 | Allow | Enable ICMP to support pings |
- Configuring this policy on container nodes makes services in the cluster accessible through the different access methods.
- For more information on how to access services in a cluster, see the Service Management Introduction.
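The default rules above are a starting point, and several of them accept traffic from 0.0.0.0/0. The following Python script is an added example (not Tencent Cloud's or TKE's own code) that loads the rules in the same Protocol / Port / Source / Policy / Description shape as the table, flags the world-open Allow rules, and shows how the SSH rule can be narrowed to an operator-chosen CIDR before the security group is bound to a cluster. The `admin_cidr` value and the `Rule` / `audit` / `narrow_ssh` names are assumptions made for this example; the sample rule list is constructed from the table.

```python
"""Audit a TKE-style node security group rule set for overly permissive entries.

Added example, not Tencent Cloud's code. Rules are modelled after the default
rule table (Protocol / Port / Source / Policy / Description); the symbolic
sources "Container network CIDR" and "Cluster network CIDR" are kept as-is.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    protocol: str      # "TCP", "UDP", "ICMP" or "ALL"
    port: str          # "22", "30000-32768", "ALL" or "-" (no port, e.g. ICMP)
    source: str        # CIDR, or a symbolic placeholder such as "Cluster network CIDR"
    policy: str        # "Allow" or "Deny"
    description: str


# Constructed sample: the default security group rules from the table above.
DEFAULT_RULES = [
    Rule("ALL", "ALL", "Container network CIDR", "Allow",
         "Allow communication between pods within the container network"),
    Rule("ALL", "ALL", "Cluster network CIDR", "Allow",
         "Allow communication between nodes within the cluster network"),
    Rule("TCP", "22", "0.0.0.0/0", "Allow", "Open port 22 for login attempts over SSH"),
    Rule("TCP", "30000-32768", "0.0.0.0/0", "Allow",
         "Allow communication between the master and worker nodes"),
    Rule("UDP", "30000-32768", "0.0.0.0/0", "Allow",
         "Allow communication between the master and worker nodes"),
    Rule("ICMP", "-", "0.0.0.0/0", "Allow", "Enable ICMP to support pings"),
]


def is_world_open(source: str) -> bool:
    """True when the source admits every address (prefix length 0, v4 or v6)."""
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:
        return False  # symbolic sources (e.g. "Cluster network CIDR") are not CIDRs
    return net.prefixlen == 0


def port_matches(rule_port: str, port: int) -> bool:
    """True when `port` falls inside the rule's port specification."""
    if rule_port in ("ALL", "-"):
        return True
    if "-" in rule_port:
        lo, hi = (int(x) for x in rule_port.split("-"))
        return lo <= port <= hi
    return int(rule_port) == port


def audit(rules, admin_cidr: str):
    """Return (rule, recommendation) pairs for Allow rules open to the world.

    admin_cidr is an assumed operator-supplied management range used in the
    SSH recommendation; NodePort and ICMP exposure are reported for review.
    """
    findings = []
    for r in rules:
        if r.policy != "Allow" or not is_world_open(r.source):
            continue
        if r.protocol == "TCP" and port_matches(r.port, 22):
            findings.append((r, f"restrict SSH source to {admin_cidr}"))
        elif r.protocol in ("TCP", "UDP") and port_matches(r.port, 30000):
            findings.append((r, "NodePort range is world-reachable; confirm only intended Services use NodePort"))
        else:
            findings.append((r, "world-open rule; confirm it is required"))
    return findings


def narrow_ssh(rules, admin_cidr: str):
    """Return a copy of the rules with any world-open SSH rule narrowed to admin_cidr."""
    ipaddress.ip_network(admin_cidr)  # raises ValueError on a malformed CIDR
    out = []
    for r in rules:
        if (r.policy == "Allow" and r.protocol == "TCP"
                and port_matches(r.port, 22) and is_world_open(r.source)):
            r = Rule(r.protocol, r.port, admin_cidr, r.policy, r.description)
        out.append(r)
    return out


if __name__ == "__main__":
    for rule, advice in audit(DEFAULT_RULES, "10.0.0.0/8"):
        print(f"{rule.protocol:5} {rule.port:12} {rule.source:10} -> {advice}")
```

Run the script as-is to list the four world-open default rules; feed the output of `narrow_ssh` back into `audit` to confirm that only the NodePort and ICMP entries remain for review.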