Security groups act as virtual firewalls and provide Stateful Packet Inspection (SPI) and packet filtering capabilities. You can use security groups to define security domains in the cloud. You can add security group rules to control inbound and outbound traffic of elastic container instance-based pods (elastic container instances) within security groups.
Introduction to security groups
A security group is a logically isolated group of instances that reside in the same virtual private cloud (VPC). All instances in a security group are mutually trusted and protected under the same security group rules. Security group rules control access to or from the Internet or internal network for the elastic container instances in the security group. For more information about security groups, see Overview.
Each security group can manage multiple elastic container instances within the same VPC.
Each elastic container instance must belong to a security group.
Security groups are classified into basic security groups and advanced security groups. If your business requires a large number of elastic container instances and high O&M efficiency, we recommend that you use advanced security groups. Compared with basic security groups, advanced security groups can accommodate more elastic container instances and make it easier to configure security group rules. For more information about the differences between the two types of security groups, see Basic security groups and advanced security groups.
Assign a security group
If a self-managed Kubernetes cluster uses elastic container instances by connecting to a VNode, the elastic container instance-based pods in the cluster use the security group that is assigned to the VNode by default. You can also assign a security group for elastic container instance-based pods based on your business requirements.
Assign a security group for the cluster
A VNode needs to be created
When you create the VNode, you can assign a security group to the VNode. For more information, see the Step 2: Create a VNode section in the Connect a self-managed Kubernetes cluster to a VNode topic.
A VNode already exists
If a VNode already exists, you can call the UpdateVirtualNode API operation to update the VNode information. Use the SecurityGroupId parameter to change the security group ID. For more information, see UpdateVirtualNode.
Pod configuration
For Elastic Container Instance-based pods that have special requirements, you can add the k8s.aliyun.com/eci-security-group annotation to assign security groups. The following requirements must be met:
You can assign up to five security groups.
The assigned security groups must belong to the same virtual private cloud (VPC).
The assigned security groups must be of the same type.
Annotations must be added to the metadata in the configuration file of the pod. For example, when you create a Deployment, you must add annotations in the spec.template.metadata section.
Annotations that enable Elastic Container Instance features take effect only when they are added at the time the Elastic Container Instance-based pod is created. Annotations that are added or modified when an existing pod is updated do not take effect.
Example:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: test
  labels:
    app: test
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      name: nginx-test
      labels:
        app: nginx
        alibabacloud.com/eci: "true"
      annotations:
        k8s.aliyun.com/eci-security-group: "sg-bp1dktddjsg5nktv****,sg-2ze0b9o8pjjzts4h****" # Assign security groups.
    spec:
      containers:
      - name: nginx
        image: registry.cn-shanghai.aliyuncs.com/eci_open/nginx:1.14.2
        ports:
        - containerPort: 80
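The requirements above are easy to get wrong in a manifest (an annotation placed on the Deployment instead of its pod template silently falls back to the VNode's security group, and a mixed-VPC list is rejected only at pod creation). The following pre-flight check is an added example, not Alibaba Cloud's or Kubernetes' own code: it validates a Deployment or Pod manifest against the listed constraints before it is applied. The security group inventory is constructed sample data standing in for what the DescribeSecurityGroups API would return, and the type names "normal" and "enterprise" are assumed.

```python
"""Pre-flight check for the k8s.aliyun.com/eci-security-group annotation.

Added example; not Alibaba Cloud's or Kubernetes' own code. It checks, offline,
the constraints the documentation lists for the annotation: at most five IDs,
all in the same VPC, all of the same type, and (for a Deployment) placed under
spec.template.metadata. SG_INVENTORY is constructed sample data; the group
type names "normal"/"enterprise" are assumed.
"""
from typing import Dict, List, Tuple

ANNOTATION = "k8s.aliyun.com/eci-security-group"
MAX_GROUPS = 5

# Constructed sample inventory: security group ID -> (VPC ID, group type).
SG_INVENTORY: Dict[str, Tuple[str, str]] = {
    "sg-example01": ("vpc-exampleA", "normal"),
    "sg-example02": ("vpc-exampleA", "normal"),
    "sg-example03": ("vpc-exampleB", "normal"),      # different VPC
    "sg-example04": ("vpc-exampleA", "enterprise"),  # different type
}


def parse_annotation(value: str) -> List[str]:
    """Split the comma-separated annotation value into security group IDs."""
    return [part.strip() for part in value.split(",") if part.strip()]


def pod_template_metadata(manifest: dict) -> dict:
    """Return the metadata block the annotation must live in: the pod's own
    metadata for a Pod, spec.template.metadata for a workload controller."""
    if manifest.get("kind") == "Pod":
        return manifest.get("metadata", {})
    return manifest.get("spec", {}).get("template", {}).get("metadata", {})


def validate_manifest(manifest: dict,
                      inventory: Dict[str, Tuple[str, str]] = SG_INVENTORY) -> List[str]:
    """Return a list of problems; an empty list means the manifest passes."""
    problems: List[str] = []
    value = pod_template_metadata(manifest).get("annotations", {}).get(ANNOTATION)
    if value is None:
        # Common mistake on a Deployment: the annotation sits on the top-level
        # object, where the pod template never sees it.
        top_level = manifest.get("metadata", {}).get("annotations", {})
        if manifest.get("kind") != "Pod" and ANNOTATION in top_level:
            problems.append(f"{ANNOTATION} is set on the top-level metadata; "
                            "move it to spec.template.metadata")
        return problems  # no annotation: the VNode's security group applies
    ids = parse_annotation(value)
    if not ids:
        return ["annotation is present but lists no security group ID"]
    if len(ids) > MAX_GROUPS:
        problems.append(f"{len(ids)} security groups listed; at most {MAX_GROUPS} are allowed")
    if len(set(ids)) != len(ids):
        problems.append("duplicate security group IDs in annotation")
    unknown = [sg for sg in ids if sg not in inventory]
    if unknown:
        problems.append("unknown security group IDs: " + ", ".join(unknown))
    known = [inventory[sg] for sg in ids if sg in inventory]
    if len({vpc for vpc, _ in known}) > 1:
        problems.append("security groups span more than one VPC")
    if len({kind for _, kind in known}) > 1:
        problems.append("security groups are of different types (basic vs. advanced)")
    return problems


def deployment_with_groups(ids: List[str]) -> dict:
    """Build a minimal Deployment manifest (constructed) carrying the annotation."""
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": "test"},
        "spec": {
            "replicas": 2,
            "selector": {"matchLabels": {"app": "nginx"}},
            "template": {
                "metadata": {
                    "labels": {"app": "nginx", "alibabacloud.com/eci": "true"},
                    "annotations": {ANNOTATION: ",".join(ids)},
                },
                "spec": {"containers": [{"name": "nginx", "image": "nginx:1.14.2"}]},
            },
        },
    }


if __name__ == "__main__":
    for ids in (["sg-example01", "sg-example02"],
                ["sg-example01", "sg-example03"],
                ["sg-example01", "sg-example04"]):
        print(ids, "->", validate_manifest(deployment_with_groups(ids)) or "OK")
```

Run it as an admission-time or CI check: a non-empty result is a reason to reject the manifest before it reaches the cluster, and an empty result only means the offline constraints hold (the VPC and type lookup is only as good as the inventory you feed it).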
Add a security group rule
You can add security group rules to control access to the elastic container instances in a security group. Examples:
If an elastic container instance needs to communicate with a service outside the security group, you can add a security group rule that allows the traffic required for the service interconnection.
When attacks from specific request sources are detected, you can add a security group rule to block access from those sources.
For more information, see Add a security group rule.
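To make the interaction between the two kinds of rule concrete, here is a small rule evaluator added as an example (it is not Alibaba Cloud's implementation). It models an accept rule that opens port 80 to a partner network for service interconnection alongside a drop rule that shuts out one host in that network that was seen attacking, and shows which wins for a given flow. The semantics are assumed and simplified: a rule matches on direction, protocol, port range and CIDR; the lowest priority number wins; at equal priority drop beats accept; inbound traffic matching no rule is dropped and outbound traffic matching no rule is accepted. Connection state, the "stateful" part of SPI, is not modelled, and the rule set is constructed sample data.

```python
"""Toy evaluator for security group rules, added as an example (not Alibaba
Cloud's implementation). Assumed, simplified semantics: a rule matches on
direction, protocol, port range and CIDR; the lowest priority number wins; at
equal priority drop beats accept; unmatched inbound traffic is dropped and
unmatched outbound traffic is accepted. Connection state is not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    direction: str     # "ingress" or "egress"
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_range: str    # "low/high", e.g. "80/80"; only consulted for tcp/udp
    cidr: str          # source CIDR for ingress, destination CIDR for egress
    policy: str        # "accept" or "drop"
    priority: int = 1  # 1 is the highest priority, 100 the lowest

    def matches(self, direction: str, protocol: str, port: int, ip: str) -> bool:
        """True when this rule applies to the given flow."""
        if self.direction != direction or self.protocol not in ("all", protocol):
            return False
        if self.protocol in ("tcp", "udp"):
            low, high = (int(p) for p in self.port_range.split("/"))
            if not low <= port <= high:
                return False
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr, strict=False)


def evaluate(rules: List[Rule], direction: str, protocol: str, port: int, ip: str) -> str:
    """Return "accept" or "drop" for one flow under the rule set."""
    matched = [r for r in rules if r.matches(direction, protocol, port, ip)]
    if not matched:
        # Assumed defaults: deny inbound, allow outbound.
        return "drop" if direction == "ingress" else "accept"
    best = min(r.priority for r in matched)
    winners = [r for r in matched if r.priority == best]
    # At equal priority a drop rule overrides an accept rule.
    return "drop" if any(r.policy == "drop" for r in winners) else "accept"


# Constructed sample rule set: open port 80 to a partner network for service
# interconnection, then block one host in that network that was seen attacking.
SAMPLE_RULES = [
    Rule("ingress", "tcp", "80/80", "10.0.0.0/8", "accept", priority=1),
    Rule("ingress", "tcp", "1/65535", "10.1.2.3/32", "drop", priority=1),
]


if __name__ == "__main__":
    for ip in ("10.5.5.5", "10.1.2.3", "203.0.113.9"):
        print(f"tcp/80 from {ip}: {evaluate(SAMPLE_RULES, 'ingress', 'tcp', 80, ip)}")
```

The point to take from the model is that the blocking rule must be at least as high in priority as the allow rule it overlaps with; a drop rule with a larger priority number than the accept rule never gets a chance to apply, which is a common reason a "block" rule appears not to work.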