diff --git a/terraform/firewall.tf b/terraform/firewall.tf
index b585cd6009b6cc4a51db4fb4ff13bf902d9c4c03..ec4916515ca094f56b42e749c4b9d8a0d01b2ca2 100644
--- a/terraform/firewall.tf
+++ b/terraform/firewall.tf
@@ -16,6 +16,13 @@ resource "hcloud_firewall" "k8s-node" {
"::/0"
]
}
+ rule {
+ description = "cAdvisor"
+ direction = "in"
+ protocol = "tcp"
+ port = "4194"
+ source_ips = [for s in concat(module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
+ }
rule {
description = "Kublet"
direction = "in"
@@ -23,6 +30,13 @@ resource "hcloud_firewall" "k8s-node" {
port = "10250"
source_ips = [for s in concat(module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
}
+ rule {
+ description = "kube-proxy-metrics"
+ direction = "in"
+ protocol = "tcp"
+ port = "10249"
+ source_ips = [for s in concat(module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
+ }
rule {
description = "Kubernetes NodePort"
direction = "in"
@@ -113,18 +127,25 @@ resource "hcloud_firewall" "k8s-master" {
description = "etcd"
direction = "in"
protocol = "tcp"
- port = "2379-2381"
+ port = "2380-2381"
source_ips = [for s in module.controllers.ipv4_addresses : "${s}/32"]
}
rule {
- description = "kube-scheduler"
+ description = "etcd-metrics"
+ direction = "in"
+ protocol = "tcp"
+ port = "2379"
+ source_ips = [for s in concat(module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
+ }
+ rule {
+ description = "kube-scheduler-metrics"
direction = "in"
protocol = "tcp"
port = "10251"
source_ips = [for s in concat(module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
}
rule {
- description = "kube-controller-manager"
+ description = "kube-controller-manager-metrics"
direction = "in"
protocol = "tcp"
port = "10252"