From 90f8d62204bb6ff786a17c9a8d19213634dfb649 Mon Sep 17 00:00:00 2001
From: Dalton Hubble
Date: Sun, 5 Nov 2017 23:40:12 -0800
Subject: [PATCH] Add firewall rules to allow prometheus to reach node-exporter

* node_exporter service endpoints run on hostNetwork port 9100
* Re-evaluate after https://github.com/kubernetes-incubator/bootkube/pull/711
---
 aws/container-linux/kubernetes/controllers.tf | 10 ++++++++++
 aws/container-linux/kubernetes/workers.tf | 10 ++++++++++
 2 files changed, 20 insertions(+)

diff --git a/aws/container-linux/kubernetes/controllers.tf b/aws/container-linux/kubernetes/controllers.tf
index 990bc631..bfd2f75e 100644
--- a/aws/container-linux/kubernetes/controllers.tf
+++ b/aws/container-linux/kubernetes/controllers.tf
@@ -159,6 +159,16 @@ resource "aws_security_group_rule" "controller-flannel-self" {
 self = true
 }
 
+resource "aws_security_group_rule" "controller-node-exporter" {
+ security_group_id = "${aws_security_group.controller.id}"
+
+ type = "ingress"
+ protocol = "tcp"
+ from_port = 9100
+ to_port = 9100
+ source_security_group_id = "${aws_security_group.worker.id}"
+}
+
 resource "aws_security_group_rule" "controller-kubelet-read" {
 security_group_id = "${aws_security_group.controller.id}"
 
diff --git a/aws/container-linux/kubernetes/workers.tf b/aws/container-linux/kubernetes/workers.tf
index f9f74616..09cf01af 100644
--- a/aws/container-linux/kubernetes/workers.tf
+++ b/aws/container-linux/kubernetes/workers.tf
@@ -142,6 +142,16 @@ resource "aws_security_group_rule" "worker-flannel-self" {
 self = true
 }
 
+resource "aws_security_group_rule" "worker-node-exporter" {
+ security_group_id = "${aws_security_group.worker.id}"
+
+ type = "ingress"
+ protocol = "tcp"
+ from_port = 9100
+ to_port = 9100
+ self = true
+}
+
 resource "aws_security_group_rule" "worker-kubelet" {
 security_group_id = "${aws_security_group.worker.id}"
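Review bot: Neither new rule records in the code why TCP 9100 is opened or the follow-up the commit message flags, so the next maintainer has nothing in controllers.tf or workers.tf prompting a revisit once the upstream change lands; a one-line comment above `resource "aws_security_group_rule" "controller-node-exporter"` such as `# node_exporter listens on hostNetwork :9100; re-evaluate after kubernetes-incubator/bootkube#711` would keep that, and the same comment belongs on `worker-node-exporter` in the workers.tf hunk. The controller rule admits only `aws_security_group.worker` and the worker rule only `self`, so the scrape path is deliberately limited to traffic originating from worker nodes; that is the least-privilege choice given the commit's assumption that Prometheus runs on workers, and it is worth stating in the same comment so a later move of Prometheus onto controllers is recognised as requiring a rule change rather than debugged as a connectivity fault. Each hunk contains a complete resource block, so nothing under review extends outside the hunks.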