Open konnectivity port

patrickdillon · patrickdillon · commit 836e8d26938b · 2026-03-02T17:14:02.000-05:00
This updates all platforms to open the konnectivity port. Baremetal
and on-prem platform have user-provisioned networks, so that
will need be handled up front.
diff --git a/pkg/asset/manifests/aws/cluster.go b/pkg/asset/manifests/aws/cluster.go
@@ -141,6 +141,13 @@ func GenerateClusterAssets(ic *installconfig.InstallConfig, clusterID *installco
 						ToPort:                   10259,
 						SourceSecurityGroupRoles: []capa.SecurityGroupRole{"controlplane", "node"},
 					},
+					{
+						Description:              "Konnectivity agent traffic from cluster nodes",
+						Protocol:                 capa.SecurityGroupProtocolTCP,
+						FromPort:                 8091,
+						ToPort:                   8091,
+						SourceSecurityGroupRoles: []capa.SecurityGroupRole{"controlplane", "node"},
+					},
 					{
 						Description: BootstrapSSHDescription,
 						Protocol:    capa.SecurityGroupProtocolTCP,
diff --git a/pkg/asset/manifests/azure/cluster.go b/pkg/asset/manifests/azure/cluster.go
@@ -93,6 +93,17 @@ func GenerateClusterAssets(installConfig *installconfig.InstallConfig, clusterID
 					Destination:      ptr.To("*"),
 					Action:           capz.SecurityRuleActionAllow,
 				},
+				{
+					Name:             "konnectivity_in",
+					Protocol:         capz.SecurityGroupProtocolTCP,
+					Direction:        capz.SecurityRuleDirectionInbound,
+					Priority:         103,
+					SourcePorts:      ptr.To("*"),
+					DestinationPorts: ptr.To("8091"),
+					Source:           ptr.To(source),
+					Destination:      ptr.To("*"),
+					Action:           capz.SecurityRuleActionAllow,
+				},
 				{
 					Name:             fmt.Sprintf("%s_ssh_in", clusterID.InfraID),
 					Protocol:         capz.SecurityGroupProtocolTCP,
diff --git a/pkg/asset/manifests/ibmcloud/securitygroups.go b/pkg/asset/manifests/ibmcloud/securitygroups.go
@@ -421,6 +421,24 @@ func buildControlPlaneSecurityGroup(infraID string) capibmcloud.VPCSecurityGroup
 					},
 				},
 			},
+			{
+				// Konnectivity
+				Action:    capibmcloud.VPCSecurityGroupRuleActionAllow,
+				Direction: capibmcloud.VPCSecurityGroupRuleDirectionInbound,
+				Source: &capibmcloud.VPCSecurityGroupRulePrototype{
+					PortRange: &capibmcloud.VPCSecurityGroupPortRange{
+						MaximumPort: 8091,
+						MinimumPort: 8091,
+					},
+					Protocol: capibmcloud.VPCSecurityGroupRuleProtocolTCP,
+					Remotes: []capibmcloud.VPCSecurityGroupRuleRemote{
+						{
+							RemoteType:        capibmcloud.VPCSecurityGroupRuleRemoteTypeSG,
+							SecurityGroupName: clusterWideSGNamePtr,
+						},
+					},
+				},
+			},
 		},
 	}
 }
diff --git a/pkg/asset/manifests/powervs/securitygroups.go b/pkg/asset/manifests/powervs/securitygroups.go
@@ -50,6 +50,23 @@ func buildControlPlaneSecurityGroup(infraID string) capibmcloud.VPCSecurityGroup
 					},
 				},
 			},
+			{
+				// Konnectivity
+				Action:    capibmcloud.VPCSecurityGroupRuleActionAllow,
+				Direction: capibmcloud.VPCSecurityGroupRuleDirectionInbound,
+				Source: &capibmcloud.VPCSecurityGroupRulePrototype{
+					PortRange: &capibmcloud.VPCSecurityGroupPortRange{
+						MaximumPort: 8091,
+						MinimumPort: 8091,
+					},
+					Protocol: capibmcloud.VPCSecurityGroupRuleProtocolTCP,
+					Remotes: []capibmcloud.VPCSecurityGroupRuleRemote{
+						{
+							RemoteType: capibmcloud.VPCSecurityGroupRuleRemoteTypeAny,
+						},
+					},
+				},
+			},
 			{
 				Action:    capibmcloud.VPCSecurityGroupRuleActionAllow,
 				Direction: capibmcloud.VPCSecurityGroupRuleDirectionInbound,
diff --git a/pkg/infrastructure/gcp/clusterapi/firewallrules.go b/pkg/infrastructure/gcp/clusterapi/firewallrules.go
@@ -58,6 +58,12 @@ func getControlPlanePorts() []*compute.FirewallAllowed {
 				"10259", // Kube scheduler
 			},
 		},
+		{
+			IPProtocol: "tcp",
+			Ports: []string{
+				"8091", // Konnectivity
+			},
+		},
 	}
 }
 
diff --git a/pkg/infrastructure/openstack/preprovision/securitygroups.go b/pkg/infrastructure/openstack/preprovision/securitygroups.go
@@ -138,6 +138,7 @@ func SecurityGroups(ctx context.Context, installConfig *installconfig.InstallCon
 		serviceIKENat        = service{udp, 4500, 4500}
 		serviceInternal      = service{tcp | udp, 9000, 9999}
 		serviceKCM           = service{tcp, 10257, 10257}
+		serviceKonnectivity  = service{tcp, 8091, 8091}
 		serviceKubeScheduler = service{tcp, 10259, 10259}
 		serviceKubelet       = service{tcp, 10250, 10250}
 		serviceMCS           = service{tcp, 22623, 22623}
@@ -234,6 +235,7 @@ func SecurityGroups(ctx context.Context, installConfig *installconfig.InstallCon
 		addMasterRules(serviceDNS, ipVersion, CIDRs)
 		addMasterRules(serviceETCD, ipVersion, CIDRs)
 		addMasterRules(serviceKCM, ipVersion, CIDRs)
+		addMasterRules(serviceKonnectivity, ipVersion, CIDRs)
 		addMasterRules(serviceKubeScheduler, ipVersion, CIDRs)
 		addMasterRules(serviceMCS, ipVersion, CIDRs)
 		addMasterRules(serviceOVNDB, ipVersion, CIDRs)

Original file line number	Diff line number	Diff line change
`@@ -58,6 +58,12 @@ func getControlPlanePorts() []*compute.FirewallAllowed {`
`58`	`58`	`"10259", // Kube scheduler`
`59`	`59`	`},`
`60`	`60`	`},`
	`61`	`+ {`
	`62`	`+ IPProtocol: "tcp",`
	`63`	`+ Ports: []string{`
	`64`	`+ "8091", // Konnectivity`
	`65`	`+ },`
	`66`	`+ },`
`61`	`67`	`}`
`62`	`68`	`}`
`63`	`69`