add config item to open worker-to-worker communication for steadybit

Martin Linkhorst · Martin Linkhorst · commit 2e255692b2b4 · 2025-06-03T14:50:26.000+02:00
diff --git a/cluster/cluster.yaml b/cluster/cluster.yaml
@@ -143,6 +143,7 @@ Resources:
       IpProtocol: tcp
       SourceSecurityGroupId: !Ref EKSWorkerSecurityGroup
       ToPort: 443
+{{- if eq .Cluster.ConfigItems.open_sg_for_steadybit "true" }}
   EKSWorkerSecurityGroupIngressFromWorkerToWorkerSteadyBit:
     Properties:
       FromPort: 8085
@@ -151,6 +152,7 @@ Resources:
       SourceSecurityGroupId: !Ref EKSWorkerSecurityGroup
       ToPort: 8087
     Type: 'AWS::EC2::SecurityGroupIngress'
+{{- end }}
   EKSCluster:
     Type: AWS::EKS::Cluster
     Properties:
@@ -939,6 +941,7 @@ Resources:
       SourceSecurityGroupId: !Ref WorkerSecurityGroup
       ToPort: 10250 # Kubelet
     Type: 'AWS::EC2::SecurityGroupIngress'
+{{- if eq .Cluster.ConfigItems.open_sg_for_steadybit "true" }}
   WorkerSecurityGroupIngressFromWorkerToWorkerSteadyBit:
     Properties:
       FromPort: 8085
@@ -947,6 +950,7 @@ Resources:
       SourceSecurityGroupId: !Ref WorkerSecurityGroup
       ToPort: 8087
     Type: 'AWS::EC2::SecurityGroupIngress'
+{{- end }}
   WorkerSecurityGroupIngressFromWorkerToWorkerSkipperMetrics:
     Properties:
       FromPort: 9911
diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml
@@ -1129,6 +1129,9 @@ enable_statefulset_autodelete_pvc: "true"
 # Source for the template function: sgIngressRanges: https://github.com/zalando-incubator/cluster-lifecycle-manager/blob/42695865a251fef58e22ce612d6549e75fa5d103/provisioner/template.go#L336-L417
 open_sg_ingress_ranges: ""
 
+# open ports 8085-8087 between worker nodes for steadybit components
+open_sg_for_steadybit: "false"
+
 # Each subdomain can reach a max of 63 bytes on Route53
 # This custom value sets the subdomain max allowed length taking into consideration the 'cname-' prefix added by external-dns
 subdomain_max_length: "57"
