Adding minimum communication security group rule for Kubelet (#318)

* Adding minimum communication

The docs at https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html specify that port 10250 is needed at a minimum for communication between the control plane and the worker nodes. If you set `worker_sg_ingress_from_port` to something like `30000`, this minimum communication is never established.

* Adding description to CHANGELOG.md

* Adjusting the naming of the resources

* Ensuring creation is conditional on the value of `worker_sg_ingress_from_port`

* Mistake, should be greater than port 10250
This commit is contained in:
Scott Crooks
2019-03-25 11:58:55 +01:00
committed by Max Williams
parent a26a43ae63
commit 97c79643fb
2 changed files with 13 additions and 1 deletions


@@ -12,6 +12,7 @@ project adheres to [Semantic Versioning](http://semver.org/).
### Added
- Write your awesome addition here (by @you)
- Added minimum inbound traffic rule to the cluster worker security group as per the [EKS security group requirements](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) (by @sc250024)
### Changed


@@ -93,7 +93,7 @@ resource "aws_security_group_rule" "workers_ingress_self" {
}
resource "aws_security_group_rule" "workers_ingress_cluster" {
description = "Allow workers Kubelets and pods to receive communication from the cluster control plane."
description = "Allow workers pods to receive communication from the cluster control plane."
protocol = "tcp"
security_group_id = "${aws_security_group.workers.id}"
source_security_group_id = "${local.cluster_security_group_id}"
@@ -103,6 +103,17 @@ resource "aws_security_group_rule" "workers_ingress_cluster" {
count = "${var.worker_create_security_group ? 1 : 0}"
}
resource "aws_security_group_rule" "workers_ingress_cluster_kubelet" {
description = "Allow workers Kubelets to receive communication from the cluster control plane."
protocol = "tcp"
security_group_id = "${aws_security_group.workers.id}"
source_security_group_id = "${local.cluster_security_group_id}"
from_port = 10250
to_port = 10250
type = "ingress"
count = "${var.worker_create_security_group ? (var.worker_sg_ingress_from_port > 10250 ? 1 : 0) : 0}"
}
resource "aws_security_group_rule" "workers_ingress_cluster_https" {
description = "Allow pods running extension API servers on port 443 to receive communication from cluster control plane."
protocol = "tcp"
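Review bot: The `count` guard on `workers_ingress_cluster_kubelet` creates the rule only when `worker_sg_ingress_from_port` is above 10250, so a configuration whose range excludes 10250 from the other side — an upper bound below 10250, if the `to_port` of `workers_ingress_cluster` is also variable-driven (its port lines fall outside this hunk) — still leaves the control plane with no path to the kubelet, which is the gap this commit sets out to close. Either extend the condition to both bounds, or drop the port condition entirely if overlapping (non-identical) ranges are acceptable to AWS, which to my recollection only rejects exact duplicates; in any case a comment on the `count` line such as `# Skipped when workers_ingress_cluster already spans 10250, to avoid a duplicate rule` would record the intent. Related, in the first hunk the new description of `workers_ingress_cluster` says only "pods", yet when `worker_sg_ingress_from_port` is 10250 or lower that rule is still the one admitting kubelet traffic on 10250; `"Allow workers pods (and Kubelets, when the port range covers 10250) to receive communication from the cluster control plane."` would keep it accurate.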