In a cluster that uses the Terway network plug-in, Terway uses elastic network interfaces (ENIs) to assign IP addresses to containers. You can associate at most five security groups with an ENI that is created by Terway. This helps you regulate access control on pods in a flexible manner. This topic describes how to associate multiple security groups with an ENI in Terway mode.
Prerequisites
You can associate multiple security groups with an ENI only if the version of Terway is 1.1.1 or later. For more information about how to update Terway, see Manage components.
Background information
By default, Terway associates only one security group with an ENI when it creates the ENI. You can configure Terway to associate multiple security groups with an ENI.
After you modify the security group configuration, the new configuration applies only to ENIs that Terway creates afterwards. Existing ENIs, and the pods that use them, keep the previously associated security groups, so the access rules on running pods do not change until their ENIs are recreated. To apply the new configuration to a node that already has ENIs, remove the node from the cluster and add it back. For more information, see Remove a node and Add existing ECS instances to an ACK cluster.
Associate multiple security groups with an ENI
Run the following command to edit the eni-config ConfigMap, which stores the Terway configuration as JSON under the eni_conf key:
kubectl edit cm eni-config -n kube-system
Add the following key to the JSON under eni_conf:
"security_groups": ["sg-foo","sg-bar"]
Example:
"security_group": "sg-bp19k3sj8dk3dcd7****", "security_groups": ["sg-bp1b39sjf3v49c33****","sg-bp1bpdfg35tg****"],
Note: Terway uses all security groups specified in security_group and security_groups, so the effective set for a new ENI is the union of both keys. Make sure that all security groups are in the same VPC and of the same type. You can specify at most five security groups in total.
Run the following command to recreate the Terway pods so that the security group configuration takes effect:
kubectl delete pod -n kube-system -l app=terway-eniip
Verify the configuration
Log on to the ECS console. In the left-side navigation pane, choose .
On the Instances page, find and click the ECS instance that you want to manage.
On the details page of the ECS instance, click the ENIs tab.
On the ENIs tab, you can find that the security groups specified in the ConfigMap are associated with the secondary ENI.
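The procedure above relies on two rules that are easy to get wrong by hand: the effective set is security_group plus security_groups, and the total must not exceed five. The following script is an added example, not Terway or ACK code, that applies exactly those rules to the JSON stored under the eni_conf key before you write it back with kubectl edit. The security group ID pattern and the sample IDs are assumptions (the IDs in this topic are masked); the script does not check that the groups share a VPC and type, because that information lives in ECS, not in the ConfigMap.

```python
"""Validate and extend the security groups in a Terway eni_conf.

Added example, not code from Terway or ACK. It operates on the JSON text
stored under the eni_conf key of the eni-config ConfigMap, applying the
rules stated in this topic: the effective set is security_group plus
security_groups, and at most five groups are allowed. The ID pattern and
the sample IDs are assumptions. Same-VPC and same-type checks need the
ECS API and are out of scope here.

Usage against a live cluster (kubectl access assumed):
  kubectl get cm eni-config -n kube-system -o jsonpath='{.data.eni_conf}' \
      | python3 check_eni_conf.py sg-bp1example02 sg-bp1example03
"""
import json
import re
import sys

MAX_SECURITY_GROUPS = 5                   # limit stated in this topic
SG_ID = re.compile(r"^sg-[0-9a-z]+$")     # assumed shape of a security group ID


def effective_security_groups(eni_conf_text: str) -> list[str]:
    """Return the security groups Terway would attach to a new ENI, in order
    and without duplicates. Raise ValueError if the configuration is invalid."""
    conf = json.loads(eni_conf_text)
    candidates = []
    single = conf.get("security_group")
    if single:
        candidates.append(single)
    extra = conf.get("security_groups", [])
    if not isinstance(extra, list):
        raise ValueError(f"security_groups must be a JSON array, not {type(extra).__name__}")
    candidates.extend(extra)

    effective: list[str] = []
    for sg in candidates:
        if not isinstance(sg, str) or not SG_ID.match(sg):
            raise ValueError(f"malformed security group ID: {sg!r}")
        if sg not in effective:          # the same ID in both keys counts once
            effective.append(sg)
    if not effective:
        raise ValueError("no security group configured")
    if len(effective) > MAX_SECURITY_GROUPS:
        raise ValueError(
            f"{len(effective)} security groups configured, "
            f"Terway allows at most {MAX_SECURITY_GROUPS}"
        )
    return effective


def is_valid_eni_conf(eni_conf_text: str) -> bool:
    """True if Terway could create an ENI from this eni_conf."""
    try:
        effective_security_groups(eni_conf_text)
        return True
    except ValueError:                   # json.JSONDecodeError is a ValueError
        return False


def add_security_groups(eni_conf_text: str, new_ids: list[str]) -> str:
    """Return eni_conf text with new_ids appended to security_groups.
    Other keys are preserved; the result is validated before it is returned."""
    conf = json.loads(eni_conf_text)
    current = list(conf.get("security_groups", []))
    conf["security_groups"] = current + [sg for sg in new_ids if sg not in current]
    updated = json.dumps(conf, indent=2)
    effective_security_groups(updated)   # raises if the merged set is invalid
    return updated


if __name__ == "__main__":
    text = sys.stdin.read()
    try:
        if len(sys.argv) > 1:
            text = add_security_groups(text, sys.argv[1:])
            print(text)                  # paste this into kubectl edit cm eni-config
        print("effective security groups:", effective_security_groups(text), file=sys.stderr)
    except ValueError as exc:
        sys.exit(f"invalid eni_conf: {exc}")
```

Run it on the current eni_conf before editing the ConfigMap; if it rejects the merged set, Terway would fail to create new ENIs with that configuration, which shows up as pods stuck without IP addresses rather than as an error at edit time.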
Associate multiple security groups with an ENI when you create a cluster
You can associate multiple security groups with an ENI when you call the API to create a cluster. The SecurityGroupIDs parameter specifies the security groups that you want to associate with the ENI. The following code block shows an example:
{
"name": "your_cluster_name",
"cluster_type": "ManagedKubernetes",
"addons": [
{
"name": "terway-eniip",
"config": "{\"IPVlan\":\"true\",\"NetworkPolicy\":\"false\",\"ENITrunking\":\"true\",\"SecurityGroupIDs\": \"[\\\"sg-foo\\\"]\" }"
}
],
....
}
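In the request above, the config field of the terway-eniip add-on is a JSON string, and its SecurityGroupIDs value is itself a JSON-encoded array, so each security group ID ends up three encodings deep and the backslashes are easy to get wrong by hand. The following script is an added example, not ACK SDK code, that builds the request with json.dumps so the escaping is produced mechanically, and decodes a request the other way round so you can review one that was written by hand. The cluster name and sample IDs are assumptions; only the fields shown in this topic are emitted.

```python
"""Build and read back the terway-eniip add-on config for cluster creation.

Added example, not ACK's own SDK code. The config field is a JSON string
whose SecurityGroupIDs value is itself a JSON-encoded array; json.dumps at
each level produces the escaping shown in this topic. Cluster name and
sample security group IDs are assumptions.
"""
import json

MAX_SECURITY_GROUPS = 5  # limit stated in this topic


def terway_addon(security_group_ids, ipvlan=True, network_policy=False, eni_trunking=True):
    """Return one entry for the addons array of the create-cluster request."""
    ids = list(security_group_ids)
    if not ids:
        raise ValueError("at least one security group is required")
    if len(ids) > MAX_SECURITY_GROUPS:
        raise ValueError(f"at most {MAX_SECURITY_GROUPS} security groups can be associated with an ENI")
    # Flag values are the strings "true"/"false", matching the example in this topic.
    config = {
        "IPVlan": str(ipvlan).lower(),
        "NetworkPolicy": str(network_policy).lower(),
        "ENITrunking": str(eni_trunking).lower(),
        "SecurityGroupIDs": json.dumps(ids),   # array encoded as a string (level 1)
    }
    return {"name": "terway-eniip", "config": json.dumps(config)}  # level 2


def build_create_cluster_request(cluster_name, security_group_ids):
    """Return the request body as JSON text (level 3), with the fields this topic shows."""
    body = {
        "name": cluster_name,
        "cluster_type": "ManagedKubernetes",
        "addons": [terway_addon(security_group_ids)],
    }
    return json.dumps(body, indent=2)


def security_groups_from_request(body_text):
    """Decode a request body and return the security group IDs the
    terway-eniip add-on would use. Useful for reviewing a hand-written request."""
    body = json.loads(body_text)
    for addon in body.get("addons", []):
        if addon.get("name") == "terway-eniip":
            config = json.loads(addon["config"])
            return json.loads(config["SecurityGroupIDs"])
    raise ValueError("request has no terway-eniip add-on")


if __name__ == "__main__":
    print(build_create_cluster_request("your_cluster_name", ["sg-bp1example01", "sg-bp1example02"]))
```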