diff --git a/CHANGELOG.md b/CHANGELOG.md
index ebecf62..e53f3b3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ project adheres to [Semantic Versioning](http://semver.org/).
 ### Added
 - Write your awesome addition here (by @you)
+- Added minimum inbound traffic rule to the cluster worker security group as per the [EKS security group requirements](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) (by @sc250024)
 ### Changed
diff --git a/workers.tf b/workers.tf
index 949d964..7790c62 100644
--- a/workers.tf
+++ b/workers.tf
@@ -93,7 +93,7 @@ resource "aws_security_group_rule" "workers_ingress_self" {
 }
 resource "aws_security_group_rule" "workers_ingress_cluster" {
- description = "Allow workers Kubelets and pods to receive communication from the cluster control plane."
+ description = "Allow workers pods to receive communication from the cluster control plane."
 protocol = "tcp"
 security_group_id = "${aws_security_group.workers.id}"
 source_security_group_id = "${local.cluster_security_group_id}"
@@ -103,6 +103,17 @@ resource "aws_security_group_rule" "workers_ingress_cluster" {
 count = "${var.worker_create_security_group ? 1 : 0}"
 }
+resource "aws_security_group_rule" "workers_ingress_cluster_kubelet" {
+ description = "Allow workers Kubelets to receive communication from the cluster control plane."
+ protocol = "tcp"
+ security_group_id = "${aws_security_group.workers.id}"
+ source_security_group_id = "${local.cluster_security_group_id}"
+ from_port = 10250
+ to_port = 10250
+ type = "ingress"
+ count = "${var.worker_create_security_group ? (var.worker_sg_ingress_from_port > 10250 ? 1 : 0) : 0}"
+}
+
 resource "aws_security_group_rule" "workers_ingress_cluster_https" {
 description = "Allow pods running extension API servers on port 443 to receive communication from cluster control plane."
 protocol = "tcp"
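Review bot: The guard on the new `workers_ingress_cluster_kubelet` rule only tests the lower bound of the main worker ingress range (`var.worker_sg_ingress_from_port > 10250`), so a range that starts below 10250 but also ends below it would leave the kubelet port unreachable from the control plane with no rule created; the main rule's `from_port`/`to_port` lines sit between the two workers.tf hunks, so whether the upper bound is also variable cannot be confirmed from here. If it is, the `count` expression should test that bound as well, and either way a why-comment on the `count` line would spare the next reader from re-deriving the intent: `# Only needed when the configurable worker ingress range does not already cover the kubelet port (10250).` The rewritten description in the first workers.tf hunk reads better as `description = "Allow worker pods to receive communication from the cluster control plane."`.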