Change kube-apiserver port from 443 to 6443

* Adjust firewall rules, security groups, cloud load balancers, and generated kubeconfig's * Facilitates some future simplifications and cost reductions * Bare-Metal users who exposed kube-apiserver on a WAN via their router or load balancer will need to adjust its configuration. This is uncommon, most apiserver are on LAN and/or behind VPN so no routing infrastructure is configured with the port number
2025-07-29 09:11:37 +02:00 · 2018-06-18 21:57:58 -07:00
parent 6e64634748
commit 6c5a1964aa
15 changed files with 47 additions and 19 deletions
--- a/aws/container-linux/kubernetes/apiserver.tf
+++ b/aws/container-linux/kubernetes/apiserver.tf
@ -28,7 +28,7 @@ resource "aws_lb" "apiserver" {
 resource "aws_lb_listener" "apiserver-https" {
  load_balancer_arn = "${aws_lb.apiserver.arn}"
  protocol          = "TCP"
-  port              = "443"
+  port              = "6443"

  default_action {
    type             = "forward"
@ -43,12 +43,12 @@ resource "aws_lb_target_group" "controllers" {
  target_type = "instance"

  protocol = "TCP"
-  port     = 443
+  port     = 6443

  # TCP health check for apiserver
  health_check {
    protocol = "TCP"
-    port     = 443
+    port     = 6443

    # NLBs required to use same healthy and unhealthy thresholds
    healthy_threshold   = 3
@ -65,5 +65,5 @@ resource "aws_lb_target_group_attachment" "controllers" {

  target_group_arn = "${aws_lb_target_group.controllers.arn}"
  target_id        = "${element(aws_instance.controllers.*.id, count.index)}"
-  port             = 443
+  port             = 6443
 }
--- a/aws/container-linux/kubernetes/bootkube.tf
+++ b/aws/container-linux/kubernetes/bootkube.tf
@ -1,6 +1,6 @@
 # Self-hosted Kubernetes assets (kubeconfig, manifests)
 module "bootkube" {
-  source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=0e98e89e14a074768db13c4e050ed0c13319a0c1"
+  source = "git::https://github.com/poseidon/terraform-render-bootkube.git?ref=2bcf61b2b5f6268fcf99e6b803165b08fd0b73c0"

  cluster_name          = "${var.cluster_name}"
  api_servers           = ["${format("%s.%s", var.cluster_name, var.dns_zone)}"]
--- a/aws/container-linux/kubernetes/security.tf
+++ b/aws/container-linux/kubernetes/security.tf
@ -36,8 +36,8 @@ resource "aws_security_group_rule" "controller-apiserver" {

  type        = "ingress"
  protocol    = "tcp"
-  from_port   = 443
-  to_port     = 443
+  from_port   = 6443
+  to_port     = 6443
  cidr_blocks = ["0.0.0.0/0"]
 }