Add firewall rule to allow apiserver to proxy other controller kubelets

* Prometheus proxies through the apiserver to scrape kubelets
* In multi-controller setups, an apiserver must be able to scrape
kubelets (10250) on other controllers
Dalton Hubble 2017-11-06 00:08:14 -08:00
parent 90f8d62204
commit ccc832f468
1 changed files with 10 additions and 0 deletions


@ -169,6 +169,16 @@ resource "aws_security_group_rule" "controller-node-exporter" {
source_security_group_id = "${aws_security_group.worker.id}" source_security_group_id = "${aws_security_group.worker.id}"
} }
resource "aws_security_group_rule" "controller-kubelet-self" {
security_group_id = "${aws_security_group.controller.id}"
type = "ingress"
protocol = "tcp"
from_port = 10250
to_port = 10250
self = true
}
resource "aws_security_group_rule" "controller-kubelet-read" { resource "aws_security_group_rule" "controller-kubelet-read" {
security_group_id = "${aws_security_group.controller.id}" security_group_id = "${aws_security_group.controller.id}"
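Review bot: The new `controller-kubelet-self` rule carries no comment saying why controllers must reach each other on 10250, and that port is the kubelet's main API (exec, logs, stats) rather than a metrics-only endpoint, so the intent belongs next to the rule and not only in the commit message. I would add above the resource `# Allow the apiserver on one controller to proxy to kubelets (10250) on other controllers, e.g. for Prometheus scrapes`. Using `self = true` keeps the source limited to members of the controller security group, which is the narrowest scope this use needs. The rule does assume the kubelets enforce authentication and authorization on 10250; that configuration is not visible in this hunk and is worth confirming.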