fix(firewall): update various firewall rules

terraform/firewall.tf

@@ -16,6 +16,13 @@ resource "hcloud_firewall" "k8s-node" {
       "::/0"
     ]
   }
+  rule {
+    description = "cAdvisor"
+    direction   = "in"
+    protocol    = "tcp"
+    port        = "4194"
+    source_ips  = [for s in concat(module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
+  }
   rule {
     description = "Kublet"
     direction   = "in"
@@ -23,6 +30,13 @@ resource "hcloud_firewall" "k8s-node" {
     port        = "10250"
     source_ips  = [for s in concat(module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
   }
+  rule {
+    description = "kube-proxy-metrics"
+    direction   = "in"
+    protocol    = "tcp"
+    port        = "10249"
+    source_ips  = [for s in concat(module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
+  }
   rule {
     description = "Kubernetes NodePort"
     direction   = "in"
@@ -113,18 +127,25 @@ resource "hcloud_firewall" "k8s-master" {
     description = "etcd"
     direction   = "in"
     protocol    = "tcp"
-    port        = "2379-2381"
+    port        = "2380-2381"
     source_ips  = [for s in module.controllers.ipv4_addresses : "${s}/32"]
   }
   rule {
-    description = "kube-scheduler"
+    description = "etcd-metrics"
+    direction   = "in"
+    protocol    = "tcp"
+    port        = "2379"
+    source_ips  = [for s in concat(module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
+  }
+  rule {
+    description = "kube-scheduler-metrics"
     direction   = "in"
     protocol    = "tcp"
     port        = "10251"
     source_ips  = [for s in concat(module.controllers.ipv4_addresses, module.workers.ipv4_addresses) : "${s}/32"]
   }
   rule {
-    description = "kube-controller-manager"
+    description = "kube-controller-manager-metrics"
     direction   = "in"
     protocol    = "tcp"
     port        = "10252"