From 90f8d62204bb6ff786a17c9a8d19213634dfb649 Mon Sep 17 00:00:00 2001
From: Dalton Hubble <dghubble@gmail.com>
Date: Sun, 5 Nov 2017 23:40:12 -0800
Subject: [PATCH] Add firewall rules to allow prometheus to reach node-exporter

* node_exporter service endpoints run on hostNetwork port 9100
* Re-evaluate after https://github.com/kubernetes-incubator/bootkube/pull/711
---
 aws/container-linux/kubernetes/controllers.tf | 10 ++++++++++
 aws/container-linux/kubernetes/workers.tf     | 10 ++++++++++
 2 files changed, 20 insertions(+)

diff --git a/aws/container-linux/kubernetes/controllers.tf b/aws/container-linux/kubernetes/controllers.tf
index 990bc631..bfd2f75e 100644
--- a/aws/container-linux/kubernetes/controllers.tf
+++ b/aws/container-linux/kubernetes/controllers.tf
@@ -159,6 +159,16 @@ resource "aws_security_group_rule" "controller-flannel-self" {
   self      = true
 }
 
+resource "aws_security_group_rule" "controller-node-exporter" {
+  security_group_id = "${aws_security_group.controller.id}"
+
+  type                     = "ingress"
+  protocol                 = "tcp"
+  from_port                = 9100
+  to_port                  = 9100
+  source_security_group_id = "${aws_security_group.worker.id}"
+}
+
 resource "aws_security_group_rule" "controller-kubelet-read" {
   security_group_id = "${aws_security_group.controller.id}"
 
diff --git a/aws/container-linux/kubernetes/workers.tf b/aws/container-linux/kubernetes/workers.tf
index f9f74616..09cf01af 100644
--- a/aws/container-linux/kubernetes/workers.tf
+++ b/aws/container-linux/kubernetes/workers.tf
@@ -142,6 +142,16 @@ resource "aws_security_group_rule" "worker-flannel-self" {
   self      = true
 }
 
+resource "aws_security_group_rule" "worker-node-exporter" {
+  security_group_id = "${aws_security_group.worker.id}"
+
+  type        = "ingress"
+  protocol    = "tcp"
+  from_port   = 9100
+  to_port     = 9100
+  self = true
+}
+
 resource "aws_security_group_rule" "worker-kubelet" {
   security_group_id = "${aws_security_group.worker.id}"