CCE Security Group
Description of CCE Security Group
The CCE security group system has been upgraded, and the new version contains the following 4 CCE security groups (see Section 2 in this document for the detailed rules):
- CCE Master default security group
- Additional security group “CCE Master”
- CCE Node (Worker) Default security group
- CCE Node (Worker) Additional security group
The rules for the use of the CCE security group are as follows:
(1) The default security group contains all security group rules necessary for CCE Master/Worker to operate soundly. We highly recommend you to check the default security group “CCE Master/Worker”, or make sure that the security group you specify contains these rules.
(2) If the CCE cluster supports access by a public network, check the CCE Master additional security group, or ensure that the security group you specify contains rules on access by an apiserver public network.
(3) If Worker supports access by a public network, check the additional security group CCE Worker, or ensure that the security group you specify contains rules on access by a public network.
(4) If Worker supports IPv6, check the additional security group “CCE Worker”, or ensure that the security group you specify contains the rules on IPv6.
## CCE security Group Rules
Default Security Groups Rules for CCE Master
| Direction | Protocol | IP address range | Port | IP type | Policy | Remarks |
|---|---|---|---|---|---|---|
| Inbound | ALL | 10.0.0.0/8 | 1*65535 | IPv4 | Allowed | CCE default rules: Private network communication between nodes |
| Inbound | ALL | 172.16.0.0/12 | 1*65535 | IPv4 | Allowed | CCE default rules: Private network communication between nodes |
| Inbound | ALL | 192.168.0.0/16 | 1*65535 | IPv4 | Allowed | CCE default rules: Private network communication between nodes |
| Outbound | ALL | ALL | 1*65535 | IPv4 | Allowed | CCE default rules: Outbound all-pass |
Additional Security Group Rules for CCE Master
| Direction | Protocol | IP address range | Port | IP type | Policy | Remarks |
|---|---|---|---|---|---|---|
| Inbound | tcp | ALL | 6443 | IPv4 | Allowed | CCE optional rules: Open access by an apiserver public network |
Default Security Group Rules for CCE Worker
| Direction | Protocol | IP address range | Port | IP type | Policy | Remarks |
|---|---|---|---|---|---|---|
| Inbound | ALL | 10.0.0.0/8 | 1*65535 | IPv4 | Allowed | CCE default rules: Private network communication between nodes |
| Inbound | ALL | 172.16.0.0/12 | 1*65535 | IPv4 | Allowed | CCE default rules: Private network communication between nodes |
| Inbound | ALL | 192.168.0.0/16 | 1*65535 | IPv4 | Allowed | CCE default rules: Private network communication between nodes |
| Inbound | ALL | 100.64.230.0/24 | 1*65535 | IPv4 | Allowed | CCE default rules: Intranet communication with hidden subnet nodes |
| Inbound | ALL | ALL | 30000*32768 | IPv4 | Allowed | CCE default rules: External users K8s NodePort default range |
| Inbound | ALL | ALL | 8000*9000 | IPv4 | Allowed | CCE default rules: Internal users K8s NodePort default range |
| Outbound | ALL | ALL | 1*65535 | IPv4 | Allowed | CCE default rules: Outbound all-pass |
Default Security Group Rules for CCE Worker
| Direction | Protocol | IP address range | Port | IP type | Policy | Remarks |
|---|---|---|---|---|---|---|
| Inbound | tcp | ALL | 22 | IPv4 | Allowed | CCE optional rules: Log in to SSH via the public network |
| Inbound | icmp | ALL | Not involved | IPv4 | Allowed | CCE optional rules: Public network ping command |
| Inbound | ALL | VPC IPv6 CIDR | 1*65535 | IPv6 | Allowed | CCE optional rules: Node intranet IPv6 intercommunication |
| Inbound | ALL | fc00::/7 | 1*65535 | IPv6 | Allowed | CCE optional rules: Container IP range intercommunication, container IPv6 address range |
| Inbound | ALL | ALL | 30000*32768 | IPv6 | Allowed | CCE optional rules: External users K8s NodePort default range |
| Inbound | ALL | ALL | 8000*9000 | IPv6 | Allowed | CCE optional rules: Internal users K8s NodePort default range |
| Outbound | ALL | ALL | 1*65535 | IPv6 | Allowed | CCE optional rules: IPv6 outbound all-pass |