Add firewall rule to allow apiserver to proxy other controller kubelets

* Prometheus proxies through the apiserver to scrape kubelets
* In multi-controller setups, an apiserver must be able to scrape
kubelets (10250) on other controllers

aws/container-linux/kubernetes/controllers.tf

@@ -169,6 +169,16 @@ resource "aws_security_group_rule" "controller-node-exporter" {
   source_security_group_id = "${aws_security_group.worker.id}"
 }
 
+resource "aws_security_group_rule" "controller-kubelet-self" {
+  security_group_id = "${aws_security_group.controller.id}"
+
+  type      = "ingress"
+  protocol  = "tcp"
+  from_port = 10250
+  to_port   = 10250
+  self      = true
+}
+
 resource "aws_security_group_rule" "controller-kubelet-read" {
   security_group_id = "${aws_security_group.controller.id}"