From 531b4f6028f6661ebc341e195eb0d36992436a19 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Fri, 5 Nov 2021 20:00:17 +0100
Subject: [PATCH] fix(firewall): update various firewall rules
---
 terraform/firewall.tf | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)
diff --git a/terraform/firewall.tf b/terraform/firewall.tf
index b585cd600..ec4916515 100644
--- a/terraform/firewall.tf
+++ b/terraform/firewall.tf
@@ -16,6 +16,13 @@ resource "hcloud_firewall" "k8s-node" {
 "::/0"
 ]
 }
+ rule {
+ description = "cAdvisor"
+ direction = "in"
+ protocol = "tcp"
+ port = "4194"
+ source_ips = [for s in concat(module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
+ }
 rule {
 description = "Kublet"
 direction = "in"
@@ -23,6 +30,13 @@ resource "hcloud_firewall" "k8s-node" {
 port = "10250"
 source_ips = [for s in concat(module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
 }
+ rule {
+ description = "kube-proxy-metrics"
+ direction = "in"
+ protocol = "tcp"
+ port = "10249"
+ source_ips = [for s in concat(module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
+ }
 rule {
 description = "Kubernetes NodePort"
 direction = "in"
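Review bot: The `source_ips` expression `[for s in concat(module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]` is pasted into both new rules on this page (cAdvisor here, kube-proxy-metrics in the next hunk) and again in the etcd-metrics rule of the third hunk, on top of the existing copies, so a future edit to one copy would silently widen or break a single rule's allow list. Hoisting it once into a `locals` value, `node_ipv4_cidrs = [for s in concat(module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]`, and writing `source_ips = local.node_ipv4_cidrs` in each rule keeps every metrics rule on the same list. Separately, 4194 is the legacy kubelet cAdvisor port that the kubelet itself no longer serves on recent releases, so if cAdvisor runs here as its own workload a short comment on the rule naming that listener would tell the next reader the rule is not dead. The `hcloud_firewall.k8s-node` resource block begins before this hunk.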
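Review bot: The `kube-proxy-metrics` rule only has an effect if kube-proxy's `metricsBindAddress` has been moved off its default of 127.0.0.1:10249 to a non-loopback address, and that setting lives outside this file, so the firewall rule and the kube-proxy configuration can drift apart without anything failing visibly. Worth recording the dependency on the rule itself, `# only reachable if kube-proxy metricsBindAddress is non-loopback (default 127.0.0.1:10249)`, so both are changed together. The enclosing resource block starts before this hunk.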
@@ -113,18 +127,25 @@ resource "hcloud_firewall" "k8s-master" {
 description = "etcd"
 direction = "in"
 protocol = "tcp"
- port = "2379-2381"
+ port = "2380-2381"
 source_ips = [for s in module.controllers.ipv4_addresses : "${s}/32"]
 }
 rule {
- description = "kube-scheduler"
+ description = "etcd-metrics"
+ direction = "in"
+ protocol = "tcp"
+ port = "2379"
+ source_ips = [for s in concat(module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
+ }
+ rule {
+ description = "kube-scheduler-metrics"
 direction = "in"
 protocol = "tcp"
 port = "10251"
 source_ips = [for s in concat(module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
 }
 rule {
- description = "kube-controller-manager"
+ description = "kube-controller-manager-metrics"
 direction = "in"
 protocol = "tcp"
 port = "10252"
-- 
GitLab
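Review bot: The new `etcd-metrics` rule opens 2379 to every worker node, but 2379 is etcd's client API port rather than a metrics-only port, so where the previous `2379-2381` range kept it controllers-only, a compromised worker now has network reach to the etcd client endpoint with client-certificate auth as the sole remaining control. If etcd is started with `--listen-metrics-urls` (kubeadm's default puts /metrics on 2381, which the controllers-only rule above already covers), the scraper can target that port instead and this rule becomes `port = "2381"` while the rule above returns to `port = "2379-2380"`; if metrics genuinely are read via the client port, a comment such as `# metrics scraped via the etcd client port; scraper must present an etcd client cert` should say so. The same question applies to the renamed `kube-scheduler-metrics` and `kube-controller-manager-metrics` rules, since 10251 and 10252 are the legacy insecure ports and newer releases serve metrics only on the secure ports 10259 and 10257, so confirm what the running versions bind before relying on these rules. The `hcloud_firewall.k8s-master` resource begins before this hunk and continues after it.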