Creating and managing VPC security groups

Virtual Private Cloud

Adding security groups during cluster creation

When you create a VPC cluster, the default worker security group, which is named kube-<clusterID>, is automatically created and applied to all workers in the cluster. You can also attach additional security groups alongside the default worker security group. The security groups applied to the workers in the cluster are a combination of the security groups applied when you create the cluster and when you create the worker pool. A total of five security groups can be applied to workers, including the default security groups and any security groups applied to the worker pool. Note that the option to add custom security groups to workers is only available in the CLI.

The security groups applied to a cluster cannot be changed once the cluster is created. You can change the rules of the security groups that are applied to the cluster, but you cannot add or remove security groups at the cluster level. If you apply the incorrect security groups at cluster create time, you must delete the cluster and create a new one.

If you only want the default security groups

VPC security group Worker security group

Note that this is the default behavior at cluster create time.

When you create your cluster, do not specify any additional security groups.

Example command to create a VPC cluster with only the default VPC and kube-<clusterID> cluster security groups:

 ibmcloud ks cluster create vpc-gen2 --name <cluster-name> --zone <zone> --vpc-id <vpc-id> --subnet-id <subnet-id>

The following security groups are applied:

The default VPC security group (randomly generated name)
The kube-<clusterID> worker security group.

If you want the cluster security group and your own additional security groups

VPC security group Worker security group Your own security groups

When you create the cluster, specify --cluster-security-group cluster and up to four additional security groups that you own. You must include a separate --cluster-security-group option for each individual security group you want to add. Note that at maximum of five security groups can be applied to workers, including the security groups that are applied by default.

Example command to create a VPC cluster with the kube-<clusterID> cluster security group and your own additional security groups:

 ibmcloud ks cluster create vpc-gen2 --name <cluster-name> --zone <zone> --vpc-id <vpc-id> --subnet-id <subnet-id> --cluster-security-group cluster --cluster-security-group <group-id-1> --cluster-security-group <group-id-2> --cluster-security-group <group-id-3>

The following security groups are applied:

The default VPC security group (randomly generated name).
kube-<clusterID> worker security group
Up to four of your own additional security groups, for a maximum of five total security groups.

If you only want your own security groups

VPC security group Your own security groups

This option is only available in clusters created at versions 1.29 and earlier. Beginning with 1.30, all clusters get the worker node security group as well.

When you create the cluster, specify up to five security groups that you own. You must include a separate --cluster-security-group option for each individual security group you want to add.

Example command to create a VPC cluster with only your own security groups:

 ibmcloud ks cluster create vpc-gen2 --name <cluster-name> --zone <zone> --vpc-id <vpc-id> --subnet-id <subnet-id> --cluster-security-group <group-id-1> --cluster-security-group <group-id-2> --cluster-security-group <group-id-3>

The following security groups are applied:

The default VPC security group (randomly generated name)
Up to four of your own additional security groups, for a maximum of five total security groups.

Adding security groups to worker pools during creation

By default, the security groups applied to a worker pool are the same security groups that are indicated at cluster create time. However, you can specify additional security groups to apply to a worker pool. If you apply additional security groups to the worker pool, then the security group applied to the workers on the cluster is a combination of the security groups applied at cluster create and the security groups applied to the worker pool.

A maximum of five security groups can be applied to a worker, including the security groups applied by default.

The security groups applied to a worker pool cannot be changed once the worker pool is created. You can change the rules of the security groups that are applied to the worker pool, but you cannot add or remove security groups at the worker pool level. If you apply the incorrect security groups at worker pool create time, you must delete the worker pool and create a new one.

If you do not want to attach additional security groups to the worker pool

When you create the worker pool, do not specify any additional security groups.

This scenario only applies to versions 1.29 and earlier.

Example command to create a worker pool with no security groups applied:

ibmcloud ks worker-pool create vpc-gen2 --name <worker_pool_name> --cluster <cluster_name_or_ID> --flavor <flavor> --size-per-zone <number_of_workers_per_zone>

Only the security groups applied to the cluster are applied to the workers.

If you want to attach extra security groups to the worker pool

When you create the worker pool specify extra security groups at worker pool create time. You must include a separate --security-group option for each individual security group you want to add.

Example command to create a worker pool with your own security groups applied:

ibmcloud ks worker-pool create vpc-gen2 --name <worker_pool_name> --cluster <cluster_name_or_ID> --flavor <flavor> --size-per-zone <number_of_workers_per_zone> --security-group <group-id-1> --security-group <group-id-2> --security-group <group-id-3>

The security groups applied to the workers in the worker pool are a combination of those applied to the cluster that the worker pool is attached to and those applied to the worker pool at create time.

Viewing security groups

Follow the steps to view details about the VPC security groups.

List your clusters and note the ID of the cluster that you are working in.

To check what VPC a cluster is in, run ibmcloud ks cluster get --cluster <cluster_name_or_id> and check the VPC ID in the output.
```
ibmcloud ks cluster ls --provider vpc-gen2
```

List the security groups attached to the VPC that your cluster is in. The VPC security group is assigned a randomly generated name, such as trench-hexagon-matriarch-flower. The cluster security group is named in the format of kube-<cluster-ID>. The VPC security group is named in the format of kube-<vpc-ID>.

ibmcloud is sgs | grep <vpc_name>

Example output

ID                                          Name                                             Rules   Network interfaces   VPC                          Resource group   

r006-111aa1aa-1a1a-1a11-1111-a111aaa1a11a   trench-hexagon-matriarch-flower                    4       0                    my-vpc                      default   
r006-222aa2aa-2a2a-2a22-2222-a222aaa2a22a   kube-a111a11a11aa1aa11a11                          4       0                    my-vpc                      default   
r006-333aa3aa-3a3a-3a33-3333-a333aaa3a33a   kube-r006-111a11aa-aaa1-1a1a-aa11-1a1a111aa11      4       0                    my-vpc                      default

Get the details of a security group. Find the Rules section in the output to view the inbound and outbound rules attached to the security group.

ibmcloud is sg GROUP

Example output

...
Rules      
ID                                          Direction   IP version   Protocol                  Remote   
r006-111bb1bb-1b1b-1b11-1111-b111bbb1b11b   outbound    ipv4         all                       0.0.0.0/0   
r006-222bb2bb-2b2b-2b22-2222-b222bbb2b22b   inbound     ipv4         all                       behind-unbuilt-guidable-anthill   
r006-333bb3bb-3b3b-3b33-3333-b333bbb3b33b   inbound     ipv4         icmp Type=8               0.0.0.0/0   
r006-444bb4bb-4b4b-4b44-4444-b444bbb4b44b   inbound     ipv4         tcp Ports:Min=22,Max=22   0.0.0.0/0

Viewing security groups in the console

From the Security groups for VPC dashboard, find the security groups that are attached to the VPC that your cluster is in.
Click on the security group.

To sort the security groups by the VPC they are attached to, click the Virtual Private Cloud column heading in the table.
To view the inbound and outbound rules attached to the security group, click the Rules tab.

Creating security group rules in the console

From the Virtual private cloud dashboard, click the name of the Default Security Group for the VPC that your cluster is in.
Click the Rules tab.
- To create new inbound rules to control inbound traffic to your worker nodes, in the Inbound rules section, click Create.
- To create new rules to control outbound traffic to your worker nodes, in the Outbound rules section, delete the default rule that allows all outbound traffic. Then, in the Outbound rules section, click Create.

Keep in mind that in addition to any rules you create, you must also create the required inbound and outbound rules.

Creating security group rules in the command line

Use the IBM Cloud CLI to add inbound and outbound rules to the default security group for your cluster.

Install the infrastructure-service plug-in. The prefix for running commands is ibmcloud is.
```
ibmcloud plugin install infrastructure-service
```
Target the region that your VPC is in.
```
ibmcloud target -r REGION
```
Get your cluster's ID.
```
ibmcloud ks cluster get -c CLUSTER
```

List your security groups and note the ID of the default security group for your VPC. Note that the default security group uses a randomly generated name and not the format kube-<cluster_ID>.

ibmcloud is sgs

Example output with the default security group for the VPC of a randomly generated name, chamomile-dislodge-showier-unfilled.

ID                                          Name                                       Rules   Network interfaces   VPC          Resource group
1a111a1a-a111-11a1-a111-111111111111        chamomile-dislodge-showier-unfilled        5       2                    events-vpc   default
2b222b2b-b222-22b2-b222-222222222222        kube-df253b6025d64744ab99ed63bb4567b6      5       3                    gen2-vpn     default

Store the security group ID as an environment variable.
```
sg=GROUP
```

Review the default rules for the security group. Keep in mind that in addition to any rules you create, you must also create the required inbound and outbound rules.

ibmcloud is sg $sg

To create inbound traffic rules, use the ibmcloud is sg-rulec <sg> inbound command.

ibmcloud is sg-rulec $sg inbound <protocol> [--remote <remote_address> | <CIDR_block> | <security_group_ID>] [--icmp-type <icmp_type> [--icmp-code <icmp_code>]] [--port-min <port_min>] [--port-max <port_max>]

To create outbound traffic rules, use the ibmcloud is sg-rulec <sg> outbound command.

ibmcloud is sg-rulec $sg outbound <protocol> [--remote <remote_address> | <CIDR_block> | <security_group_ID>] [--icmp-type <icmp_type> [--icmp-code <icmp_code>]] [--port-min <port_min>] [--port-max <port_max>]

After you create custom outbound rules, get the ID of the default rule that allows all outbound traffic.

ibmcloud is sg $sg

Example output

Rules
ID                                          Direction   IP version   Protocol                        Remote
r010-e3a34cbb-d5e8-4713-a57e-3e35a7458272   inbound     ipv4         all                             freeload-flavored-surging-repaying
r010-036c3a13-1c16-4425-9667-a4ec34b1702b   inbound     ipv4         icmp Type=8                     0.0.0.0/0
r010-15591636-6976-493f-a94f-70721702860a   inbound     ipv4         tcp Ports:Min=22,Max=22         0.0.0.0/0

Delete the default rule that allows all outbound traffic.
```
ibmcloud is security-group-rule-delete $sg <rule_ID>
```

Keep in mind that you can create your own security groups as well as add or remove rules addition to any rules you create, you must also create the required inbound and outbound rules.

Allow worker nodes to connect to the Ingress LoadBalancer

Follow the steps to allow worker nodes to connect to the Ingress LoadBalancer.

This scenario applies only to versions 1.29 and earlier.

Get the EXTERNAL-IP of the LoadBalancer service.

kubectl get svc -o wide -n openshift-ingress router-default

Run dig on the EXTERNAL-IP to get the IP addresses associated with the LoadBalancer.
```
dig <EXTERNAL-IP> +short
```
Example output
```
150.XXX.XXX.XXX
169.XX.XXX.XXX
```
Create outbound security rules to each of the IP address that you retrieved earlier and port 443.
```
ibmcloud is sg-rulec <sg> outbound tcp --port-min 443 --port-max 443 --remote 150.XXX.XXX.XXX
```

If the Ingress or console operators fail their health checks, you can repeat these steps to see if the LoadBalancer IP addresses changed. While rare, if the amount of traffic to your LoadBalancers varies widely, these IP addresses might change to handle the increased or decreased load.