Description
Is your request related to a new offering from AWS?
N/A
Is your request related to a problem? Please describe.
I created metrics-server in a managed node group, but it can't get metrics of Fargate nodes, with this error:

```
E0627 02:16:27.208309 1 scraper.go:147] "Failed to scrape node, timeout to access kubelet" err="Get \"https://10.x.x.x:10250/metrics/resource\": context deadline exceeded" node="fargate-ip-10-x-1x-x.us-east-2.compute.internal" timeout="10s
```
That is because Fargate nodes use the cluster primary security group, while managed node groups use the node security group.
I have to create a security group rule outside of the module as a workaround:
```hcl
resource "aws_security_group_rule" "cluster_primary_security_group" {
  description              = "Allow incoming metrics scrape from metrics-server in managed nodes (this is the default security group for Fargate pods)"
  protocol                 = "tcp"
  security_group_id        = module.eks.cluster_primary_security_group_id
  source_security_group_id = module.eks.node_security_group_id
  from_port                = 10250
  to_port                  = 10250
  type                     = "ingress"
}
```
Describe the solution you'd like.
Because metrics-server is a popular solution, create a default rule to allow port 10250 in the cluster primary security group.
Allowing all traffic would work, but it is not good in terms of security.
Possibly allow users to define additional rules, but I can't think of a scenario where that is required.
Describe alternatives you've considered.
N/A
Additional context
Issue in v20.28.0.
It used to work at least in v17.20.0, where a similar allow-all-traffic rule existed.
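As an added check that is not part of this issue or the terraform-aws-eks module: a small audit function that takes a security group in the shape returned by boto3's `describe_security_groups` and reports whether the cluster primary security group admits the node security group on the kubelet port 10250 as a scoped rule (the workaround above), or only via an allow-all / open-to-world rule (the variant the issue calls out as weak). The group ids and rule data below are constructed placeholders.

```python
# Added example, not code from the issue or the terraform-aws-eks module: check whether
# an EKS cluster primary security group lets the node security group reach the kubelet
# port (10250), and whether that access is scoped (least privilege) or opened to everyone.
# Input is shaped like one entry of boto3 ec2.describe_security_groups()["SecurityGroups"];
# sample data below is constructed and uses placeholder group ids.

KUBELET_PORT = 10250

def _covers_port(perm: dict, port: int) -> bool:
    """True if an IpPermissions entry covers `port` over TCP, or is all-traffic ("-1")."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def kubelet_ingress_status(primary_sg: dict, node_sg_id: str) -> dict:
    """Classify ingress to the kubelet port in the cluster primary SG.

    scoped        - a matching rule admits node_sg_id specifically (the fix in the issue)
    all_traffic   - a matching rule is protocol "-1" (the allow-all variant)
    open_to_world - a matching rule admits 0.0.0.0/0 or ::/0
    """
    status = {"scoped": False, "all_traffic": False, "open_to_world": False}
    for perm in primary_sg.get("IpPermissions", []):
        if not _covers_port(perm, KUBELET_PORT):
            continue
        if perm.get("IpProtocol") == "-1":
            status["all_traffic"] = True
        if any(p.get("GroupId") == node_sg_id for p in perm.get("UserIdGroupPairs", [])):
            status["scoped"] = True
        cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            status["open_to_world"] = True
    return status

# Constructed: primary SG after the issue's workaround rule (node SG -> tcp/10250).
NODE_SG_ID = "sg-0nodeplaceholder"
PRIMARY_SG_FIXED = {"GroupId": "sg-0primaryplaceholder", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 10250, "ToPort": 10250, "IpRanges": [],
     "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": NODE_SG_ID}]}]}
# Constructed: the allow-all-traffic variant the issue calls out as weak.
PRIMARY_SG_OPEN = {"GroupId": "sg-0primaryplaceholder", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
     "UserIdGroupPairs": []}]}
```

Run it against the real primary group by feeding `kubelet_ingress_status` the entry from `describe_security_groups(GroupIds=[cluster_primary_security_group_id])`; a healthy result is `scoped` true with the other two flags false.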