Add firewall rules to allow prometheus to reach node-exporter

* node_exporter service endpoints run on hostNetwork port 9100 * Re-evaluate after https://github.com/kubernetes-incubator/bootkube/pull/711
2017-11-05 23:40:12 -08:00 · 2017-11-05 23:40:12 -08:00 · 90f8d62204
parent af5c413abf
commit 90f8d62204
2 changed files with 20 additions and 0 deletions
--- a/aws/container-linux/kubernetes/controllers.tf
+++ b/aws/container-linux/kubernetes/controllers.tf
@ -159,6 +159,16 @@ resource "aws_security_group_rule" "controller-flannel-self" {
  self      = true
 }

+resource "aws_security_group_rule" "controller-node-exporter" {
+  security_group_id = "${aws_security_group.controller.id}"
+
+  type                     = "ingress"
+  protocol                 = "tcp"
+  from_port                = 9100
+  to_port                  = 9100
+  source_security_group_id = "${aws_security_group.worker.id}"
+}
+
 resource "aws_security_group_rule" "controller-kubelet-read" {
  security_group_id = "${aws_security_group.controller.id}"

--- a/aws/container-linux/kubernetes/workers.tf
+++ b/aws/container-linux/kubernetes/workers.tf
@ -142,6 +142,16 @@ resource "aws_security_group_rule" "worker-flannel-self" {
  self      = true
 }

+resource "aws_security_group_rule" "worker-node-exporter" {
+  security_group_id = "${aws_security_group.worker.id}"
+
+  type        = "ingress"
+  protocol    = "tcp"
+  from_port   = 9100
+  to_port     = 9100
+  self = true
+}
+
 resource "aws_security_group_rule" "worker-kubelet" {
  security_group_id = "${aws_security_group.worker.id}"