
Container Service for Kubernetes: Configure multiple security groups for an ENI

Last Updated: Dec 05, 2023

In a cluster that uses the Terway network plug-in, Terway uses elastic network interfaces (ENIs) to assign IP addresses to containers. You can associate at most five security groups with an ENI that is created by Terway. This helps you regulate access control on pods in a flexible manner. This topic describes how to associate multiple security groups with an ENI in Terway mode.

Prerequisites

You can associate multiple security groups with an ENI only if the version of Terway is 1.1.1 or later. For more information about how to update Terway, see Manage components.

Background information

By default, Terway associates only one security group with an ENI when it creates the ENI. You can configure Terway to associate multiple security groups with an ENI.

Note

After you modify the security group configuration, the new configuration applies only to ENIs that are created afterwards. Existing ENIs keep the previous configuration. To apply the new configuration to an existing node, you can restart the node. For more information, see Remove a node and Add existing ECS instances to an ACK cluster.

Associate multiple security groups with an ENI

  1. Run the following command to edit the eni-config ConfigMap in the kube-system namespace. The Terway configuration is stored as a JSON document in the eni_conf key of this ConfigMap:

    kubectl edit cm eni-config -n kube-system
  2. Add the following field to the JSON document in eni_conf:

    "security_groups": ["sg-foo","sg-bar"]

    Example:

    "security_group": "sg-bp19k3sj8dk3dcd7****",
    "security_groups": ["sg-bp1b39sjf3v49c33****","sg-bp1bpdfg35tg****"],
    Note

    Terway uses all security groups specified in security_group and security_groups. Make sure that all security groups are in the same VPC and of the same type. You can specify at most five security groups.

  3. Run the following command to recreate the Terway pod for the security group configurations to take effect:

    kubectl delete pod -n kube-system -l app=terway-eniip

Verify the configuration

  1. Log on to the ECS console. In the left-side navigation pane, choose Instances & Images > Instances.

  2. On the Instances page, find and click the ECS instance that you want to manage.

  3. On the details page of the ECS instance, click the ENIs tab.

     On the ENIs tab, confirm that the security groups specified in the ConfigMap are associated with the secondary ENI that Terway created.

Associate multiple security groups with an ENI when you create a cluster

You can associate multiple security groups with an ENI when you call the API to create a cluster. The SecurityGroupIDs parameter specifies the security groups that you want to associate with the ENI. The following code block shows an example:

{
  "name": "your_cluster_name",
  "cluster_type": "ManagedKubernetes",
  "addons": [
    {
      "name": "terway-eniip",
      "config": "{\"IPVlan\":\"true\",\"NetworkPolicy\":\"false\",\"ENITrunking\":\"true\",\"SecurityGroupIDs\": \"[\\\"sg-foo\\\"]\" }"
    }
  ],
  ....
}
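The following script is an added example, not code from the ACK documentation or from the Terway project. It serves both procedures on this page: it builds the merge-patch body that sets security_groups inside the eni_conf key of the eni-config ConfigMap (the existing-cluster path), and it builds the terway-eniip addon entry whose config string carries SecurityGroupIDs as a JSON array serialized inside a JSON string (the create-cluster path). Before either is produced it applies the page's constraints: security_group and security_groups are counted together and may not exceed five. The sample ConfigMap and the security group IDs are constructed for the example; the eni_conf key name and the five-group limit are taken from the page, and the ID prefix check is an assumption about the sg- naming of security group IDs.

```python
# Added example (not part of the ACK documentation or the Terway project).
# Assumptions: eni-config stores its settings as a JSON document in the data
# key "eni_conf" (as the page's kubectl edit step shows), and the five-group
# limit applies to "security_group" and "security_groups" combined.
import json
import shlex
from typing import Optional

MAX_SECURITY_GROUPS = 5  # limit stated on the page


def collect_security_groups(eni_conf: dict) -> list:
    """Return the groups Terway would use: security_group first, then
    security_groups, with duplicates dropped while keeping order."""
    groups = []
    single = eni_conf.get("security_group")
    if single:
        groups.append(single)
    for sg in eni_conf.get("security_groups", []):
        if sg not in groups:
            groups.append(sg)
    return groups


def security_group_error(groups: list) -> Optional[str]:
    """Describe the first problem found, or return None when the list is
    acceptable. Only the count and the ID shape can be checked offline; that
    all groups sit in one VPC and share a type must be confirmed against the
    ECS API before the change is applied."""
    if not groups:
        return "at least one security group is required"
    bad = [g for g in groups if not g.startswith("sg-")]  # assumed ID prefix
    if bad:
        return f"not security group IDs: {bad}"
    if len(groups) > MAX_SECURITY_GROUPS:
        return f"{len(groups)} groups exceeds the limit of {MAX_SECURITY_GROUPS}"
    return None


def build_eni_config_patch(configmap: dict, security_groups: list) -> str:
    """Take the output of `kubectl get cm eni-config -n kube-system -o json`
    and return the merge-patch body that sets "security_groups" inside
    eni_conf, for `kubectl patch cm eni-config -n kube-system --type merge -p`.
    Raises ValueError instead of producing a patch that breaks the limit."""
    eni_conf = json.loads(configmap["data"]["eni_conf"])
    eni_conf["security_groups"] = list(security_groups)
    problem = security_group_error(collect_security_groups(eni_conf))
    if problem:
        raise ValueError(problem)
    # ConfigMap data values are strings, so the inner document is re-encoded.
    return json.dumps({"data": {"eni_conf": json.dumps(eni_conf)}})


def eni_conf_from_patch(patch: str) -> dict:
    """Decode a patch body back into the eni_conf document (round-trip check)."""
    return json.loads(json.loads(patch)["data"]["eni_conf"])


def build_terway_addon(security_groups: list, ipvlan: bool = True,
                       network_policy: bool = False,
                       eni_trunking: bool = True) -> dict:
    """Return the terway-eniip addon entry for the create-cluster request.
    "config" is a JSON string, and inside it SecurityGroupIDs is itself a JSON
    array serialized as a string, hence two json.dumps calls; hand-written
    escaping of this nesting is the usual source of malformed requests."""
    problem = security_group_error(list(security_groups))
    if problem:
        raise ValueError(problem)
    config = {
        "IPVlan": "true" if ipvlan else "false",
        "NetworkPolicy": "true" if network_policy else "false",
        "ENITrunking": "true" if eni_trunking else "false",
        "SecurityGroupIDs": json.dumps(list(security_groups), separators=(",", ":")),
    }
    return {"name": "terway-eniip",
            "config": json.dumps(config, separators=(",", ":"))}


def decode_addon_security_groups(addon: dict) -> list:
    """Unwrap both encoding layers of an addon entry to recover the ID list."""
    return json.loads(json.loads(addon["config"])["SecurityGroupIDs"])


# Constructed sample: a trimmed eni-config ConfigMap as kubectl -o json returns it.
SAMPLE_CONFIGMAP = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "eni-config", "namespace": "kube-system"},
    "data": {"eni_conf": json.dumps({
        "version": "1",
        "security_group": "sg-foo",
        "vswitches": {"cn-hangzhou-h": ["vsw-placeholder"]},  # placeholder value
    })},
}

if __name__ == "__main__":
    patch = build_eni_config_patch(SAMPLE_CONFIGMAP, ["sg-bar", "sg-baz"])
    print("kubectl patch cm eni-config -n kube-system --type merge -p",
          shlex.quote(patch))
    print(json.dumps(build_terway_addon(["sg-foo"]), indent=2))
```

The printed kubectl patch command is an alternative to editing the ConfigMap interactively; the Terway pods still have to be recreated afterwards, as step 3 above describes, and the VPC and type of every group should be checked in the ECS console or API, since the script cannot see them.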