Available in VPC
The cluster created by Ncloud Kubernetes Service uses the cluster named as nks-*-*, ACG (Access Control Group).
nks-*-* ACG's cluster configuration nodes are applied to the network interface you use, and rules for cluster networking are configured.
Basic ACG rules
When creating a cluster, ACG's inbound and outbound rules are basically configured as below:
- Inbound
| Protocol | Access source | Allowed port | Notes |
|---|---|---|---|
| ICMP | nks-*-* | automatically created, don't delete it | |
| TCP | nks-*-* | 1-65535 | automatically created, don't delete it |
| UDP | nks-*-* | 1-65535 | automatically created, don't delete it |
- Outbound
| Protocol | Destination | Allowed port | Notes |
|---|---|---|---|
| ICMP | 0.0.0.0/0 | automatically created, don't delete it | |
| TCP | 0.0.0.0/0 | 1-65535 | automatically created, don't delete it |
| UDP | 0.0.0.0/0 | 1-65535 | automatically created, don't delete it |
Required ACG rules
Note
- It applies when you select Cilium as the CNI plugin.
Users can modify and use the cluster ACG when port limitations are needed between configuration nodes.
As Kubernetes operates as various components interact, at least the following rules have to be permitted for cluster networking.
Caution
- You need to check the ports being used in the cluster other than the required ACG rules.
- SLA does not apply to the errors occurring from cluster ACG modification, and technical support is not provided.
- Inbound
| Protocol | Access source | Allowed port | Notes |
|---|---|---|---|
| ICMP | nks-*-* | host ping failure check | |
| TCP | nks-*-* | 2379-2380 | etcd |
| TCP | nks-*-* | 4240 | cilium health check |
| TCP | nks-*-* | 4443 | metrics server |
| TCP | nks-*-* | 6443 | kube control |
| TCP | nks-*-* | 10250 | kubelet |
| TCP | nks-*-* | 30000-32768 | range for health checks on node ports |
| UDP | nks-*-* | 8472 | vxlan overlay |
- Outbound
| Protocol | Destination | Allowed port | Notes |
|---|---|---|---|
| ICMP | nks-*-* | host ping failure check | |
| TCP | nks-*-* | 2379-2380 | etcd |
| TCP | nks-*-* | 4240 | cilium health check |
| TCP | nks-*-* | 4443 | metrics server |
| TCP | nks-*-* | 6443 | kube control |
| TCP | nks-*-* | 10250 | kubelet |
| TCP | nks-*-* | 30000-32768 | range for health checks on node ports |
| UDP | nks-*-* | 8472 | vxlan overlay |
Automatically configured ACG rules
Ncloud Kubernetes Service automatically adds rules to ACG in the following circumstances.
- When creating
Network Load Balancer(NLB), it uses the TCP protocol as the inbound rules and allows the node port of the services that use 0.0.0.0/0 as the access source.- You can check the ACG update status and set the inbound access source through Annotation.
- When creating
Network Proxy Load Balancer(NPLB), it uses the TCP protocol as the inbound rules and allows 1-65535 port that uses load balancer subnet range as the access source.- You can set the ACG update status through Annotation.
- When creating
Application Load Balancer(ALB), it uses the TCP protocol as the inbound rules and allows 1-65535 port that uses load balancer subnet range as the access source.