
Additional node security group rule for metrics-server #2389

Closed
AndreiBanaruTakeda opened this issue Jan 10, 2023 · 5 comments

Comments

@AndreiBanaruTakeda

AndreiBanaruTakeda commented Jan 10, 2023

Is your request related to a new offering from AWS?

Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.

  • No

Is your request related to a problem? Please describe.

No

Describe the solution you'd like.

So far we have used two additional SG rules for our nodes to enable metrics-server communication:

```hcl
node_security_group_additional_rules = {
  metrics-server_ingress = {
    description                   = "communication between control plane and the metrics-server endpoint"
    protocol                      = "tcp"
    from_port                     = "4443"
    to_port                       = "4443"
    type                          = "ingress"
    source_cluster_security_group = true
  },
  metrics-server_pod_ingress = {
    description = "communication between the metrics-server pod and the kubelet running on each worker node"
    protocol    = "tcp"
    from_port   = "10250"
    to_port     = "10250"
    type        = "ingress"
    self        = true
  }
}
```

Looks like the first one was included implicitly with #2353 so we commented it out in our module's IaC.

As per the metrics-server documentation, the second one is also needed: https://github.com/kubernetes-sigs/metrics-server#requirements

I am more than happy to open a PR for this.

Describe alternatives you've considered.

I can continue to have the SG rule added with our IaC.

Additional context

N/A

@bryantbiggs
Member

I believe we already cover the 2nd rule, but please feel free to open a PR for the first rule to be added to the recommended security group rules

@AndreiBanaruTakeda
Author

@bryantbiggs
Member

Ah, overlooked that one. We cover the first one in

```hcl
ingress_nodes_ephemeral = {
  description = "Node to node ingress on ephemeral ports"
  protocol    = "tcp"
  from_port   = 1025
  to_port     = 65535
  type        = "ingress"
  self        = true
}
```

so by all accounts, there shouldn't be any changes required, no?
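The question in this thread is whether a rule you are about to add to `node_security_group_additional_rules` is already allowed by a broader rule the module creates (here, 10250/tcp from the node SG itself sits inside the 1025-65535 `self` range, and 4443/tcp from the cluster SG is covered by the rule #2353 brought in). The script below is an added example for checking that, not code from the terraform-aws-eks module or from anyone in this thread. It models rules as dictionaries in the same shape as the HCL above; `ingress_nodes_ephemeral` is transcribed from the maintainer's comment, the two requested rules from the issue, and the key name `ingress_cluster_4443_metrics_server` is a constructed label for the 4443 rule, not the module's own rule name. Coverage means: same direction, same protocol (or an all-protocols `-1` rule), the requested port range inside the existing one, and the same peer (`self`, the cluster SG, an explicit SG id, or CIDRs that are subnets of the existing CIDRs).

```python
"""Find node security group rules that an existing rule set already allows.

Added example, not part of terraform-aws-eks. Rule dictionaries mirror the
shape of node_security_group_additional_rules; values are taken from the
issue thread except where marked as constructed.
"""
import ipaddress

# Rules the module already creates for the node SG, as discussed in the thread.
# The key "ingress_cluster_4443_metrics_server" is a constructed label.
MODULE_NODE_RULES = {
    "ingress_cluster_4443_metrics_server": {
        "protocol": "tcp", "from_port": 4443, "to_port": 4443,
        "type": "ingress", "source_cluster_security_group": True,
    },
    "ingress_nodes_ephemeral": {
        "protocol": "tcp", "from_port": 1025, "to_port": 65535,
        "type": "ingress", "self": True,
    },
}

# The reporter's two additional rules, transcribed from the issue
# (ports as strings, exactly as written in their HCL).
REQUESTED_RULES = {
    "metrics-server_ingress": {
        "protocol": "tcp", "from_port": "4443", "to_port": "4443",
        "type": "ingress", "source_cluster_security_group": True,
    },
    "metrics-server_pod_ingress": {
        "protocol": "tcp", "from_port": "10250", "to_port": "10250",
        "type": "ingress", "self": True,
    },
}


def _peer(rule):
    """Normalise the peer side of a rule into a comparable tuple."""
    if rule.get("self"):
        return ("self",)
    if rule.get("source_cluster_security_group"):
        return ("cluster_sg",)
    if "source_security_group_id" in rule:
        return ("sg", rule["source_security_group_id"])
    if "cidr_blocks" in rule:
        return ("cidr", tuple(ipaddress.ip_network(c) for c in rule["cidr_blocks"]))
    raise ValueError("rule has no recognised peer (self / cluster SG / SG id / CIDR)")


def _peer_covered(existing, wanted):
    """True if every peer the wanted rule admits is admitted by the existing rule."""
    e, w = _peer(existing), _peer(wanted)
    if e[0] != w[0]:
        return False
    if e[0] != "cidr":
        return e == w
    # every wanted CIDR must sit inside some existing CIDR of the same IP version
    return all(
        any(wn.subnet_of(en) for en in e[1] if en.version == wn.version)
        for wn in w[1]
    )


def rule_covers(existing, wanted):
    """True if all traffic allowed by `wanted` is already allowed by `existing`."""
    if existing["type"] != wanted["type"]:
        return False
    if existing["protocol"] != "-1":  # "-1" means all protocols and all ports in AWS
        if existing["protocol"] != wanted["protocol"]:
            return False
        # Terraform accepts port numbers as strings, so coerce before comparing.
        if not (int(existing["from_port"]) <= int(wanted["from_port"])
                and int(wanted["to_port"]) <= int(existing["to_port"])):
            return False
    return _peer_covered(existing, wanted)


def covering_rules(rules, wanted):
    """Names of the rules in `rules` that make `wanted` redundant."""
    return [name for name, rule in rules.items() if rule_covers(rule, wanted)]


def redundant_rules(requested, existing):
    """Map each requested rule name to the existing rules that already cover it."""
    result = {}
    for name, rule in requested.items():
        covered_by = covering_rules(existing, rule)
        if covered_by:
            result[name] = covered_by
    return result


if __name__ == "__main__":
    for name, covered_by in redundant_rules(REQUESTED_RULES, MODULE_NODE_RULES).items():
        print(f"{name}: already covered by {', '.join(covered_by)}")
```

Running it reports both of the reporter's rules as redundant, which matches the conclusion of the thread. A rule that widens the peer (for example the same port from a CIDR instead of `self`) is not reported, because a narrower existing peer does not cover it; that is the distinction to keep in mind before dropping a rule from your own IaC.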

@AndreiBanaruTakeda
Author

Agreed, looks like you added that in release 19.0, excellent. I will go ahead and remove it from our own module.

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 14, 2023