Adding minimum communication security group rule for Kubelet (#318)

sc250024 · max-rocket-internet · commit 97c79643fbcd · 2019-03-25T11:58:55.000+01:00
* Adding minimum communication The docs at https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html specify that port 10250 is needed at a minimum for communication between the control plane, and the worker nodes. If you specify a `worker_sg_ingress_from_port` as something like `30000`, then this minimum communication is never established. * Adding description to CHANGELOG.md * Adjusting the naming of the resources * Ensuring creation is conditional on the value of `worker_sg_ingress_from_port` * Mistake, should be greater than port 10250
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,7 @@ project adheres to [Semantic Versioning](http://semver.org/).
 ### Added
 
 - Write your awesome addition here (by @you)
+- Added minimum inbound traffic rule to the cluster worker security group as per the [EKS security group requirements](https://docs.aws.amazon.com/eks/latest/userguide/sec-group-reqs.html) (by @sc250024)
 
 ### Changed
 
diff --git a/workers.tf b/workers.tf
@@ -93,7 +93,7 @@ resource "aws_security_group_rule" "workers_ingress_self" {
 }
 
 resource "aws_security_group_rule" "workers_ingress_cluster" {
-  description              = "Allow workers Kubelets and pods to receive communication from the cluster control plane."
+  description              = "Allow workers pods to receive communication from the cluster control plane."
   protocol                 = "tcp"
   security_group_id        = "${aws_security_group.workers.id}"
   source_security_group_id = "${local.cluster_security_group_id}"
@@ -103,6 +103,17 @@ resource "aws_security_group_rule" "workers_ingress_cluster" {
   count                    = "${var.worker_create_security_group ? 1 : 0}"
 }
 
+resource "aws_security_group_rule" "workers_ingress_cluster_kubelet" {
+  description              = "Allow workers Kubelets to receive communication from the cluster control plane."
+  protocol                 = "tcp"
+  security_group_id        = "${aws_security_group.workers.id}"
+  source_security_group_id = "${local.cluster_security_group_id}"
+  from_port                = 10250
+  to_port                  = 10250
+  type                     = "ingress"
+  count                    = "${var.worker_create_security_group ? (var.worker_sg_ingress_from_port > 10250 ? 1 : 0) : 0}"
+}
+
 resource "aws_security_group_rule" "workers_ingress_cluster_https" {
   description              = "Allow pods running extension API servers on port 443 to receive communication from cluster control plane."
   protocol                 = "tcp"
