diff --git a/pkg/model/awsmodel/api_loadbalancer.go b/pkg/model/awsmodel/api_loadbalancer.go
index 5a7ca79d99..ac7930a61b 100644
--- a/pkg/model/awsmodel/api_loadbalancer.go
+++ b/pkg/model/awsmodel/api_loadbalancer.go
@@ -189,7 +189,9 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
 	// Allow traffic into the ELB from KubernetesAPIAccess CIDRs
 	{
 		for _, cidr := range b.Cluster.Spec.KubernetesAPIAccess {
-			t := &awstasks.SecurityGroupRule{
+
+			// Allow https traffic
+			c.AddTask(&awstasks.SecurityGroupRule{
 				Name: s("https-api-elb-" + cidr),
 				Lifecycle: b.SecurityLifecycle,
@@ -198,8 +200,19 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
 				FromPort: i64(443),
 				ToPort: i64(443),
 				Protocol: s("tcp"),
-			}
-			c.AddTask(t)
+			})
+
+			// Allow ICMP traffic required for PMTU discovery
+			c.AddTask(&awstasks.SecurityGroupRule{
+				Name: s("icmp-pmtu-api-elb-" + cidr),
+				Lifecycle: b.SecurityLifecycle,
+
+				SecurityGroup: lbSG,
+				CIDR: s(cidr),
+				FromPort: i64(3),
+				ToPort: i64(4),
+				Protocol: s("icmp"),
+			})
 		}
 	}
diff --git a/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf b/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf
index 196d0bd5ce..fc49043563 100644
--- a/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf
+++ b/tests/integration/update_cluster/bastionadditional_user-data/kubernetes.tf
@@ -660,6 +660,15 @@ resource "aws_security_group_rule" "https-elb-to-master" {
   protocol = "tcp"
 }
+resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" {
+  type = "ingress"
+  security_group_id = "${aws_security_group.api-elb-bastionuserdata-example-com.id}"
+  from_port = 3
+  to_port = 4
+  protocol = "icmp"
+  cidr_blocks = ["0.0.0.0/0"]
+}
+
 resource "aws_security_group_rule" "master-egress" {
   type = "egress"
   security_group_id = "${aws_security_group.masters-bastionuserdata-example-com.id}"
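Review bot: The `FromPort: i64(3)` / `ToPort: i64(4)` pair on the new ICMP rule reads like a type range 3–4, but for protocol `icmp` AWS treats FromPort as the ICMP type and ToPort as the ICMP code, so the rule admits exactly type 3 code 4 (Fragmentation Needed) from each KubernetesAPIAccess CIDR — the right scope for PMTUD and nothing wider. That deserves to be stated in the comment, since the next reader may otherwise "fix" it to a 3/3 or 3/4 type range: `// Allow ICMP type 3 code 4 (Fragmentation Needed) for PMTU discovery. For protocol icmp, FromPort/ToPort are type/code, not a port range; the message originates at an intermediate router, so the stateful security group will not admit it without this inbound rule.` If KubernetesAPIAccess can carry IPv6 CIDRs, a matching ICMPv6 Packet Too Big (type 2) rule would presumably be needed as well, which cannot be determined from this hunk. Build starts before and continues after these hunks.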
diff --git a/tests/integration/update_cluster/complex/kubernetes.tf b/tests/integration/update_cluster/complex/kubernetes.tf index 51e87c74c7..f7685c7b99 100644 --- a/tests/integration/update_cluster/complex/kubernetes.tf +++ b/tests/integration/update_cluster/complex/kubernetes.tf @@ -454,6 +454,15 @@ resource "aws_security_group_rule" "https-elb-to-master" { protocol = "tcp" } +resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { + type = "ingress" + security_group_id = "${aws_security_group.api-elb-complex-example-com.id}" + from_port = 3 + to_port = 4 + protocol = "icmp" + cidr_blocks = ["0.0.0.0/0"] +} + resource "aws_security_group_rule" "master-egress" { type = "egress" security_group_id = "${aws_security_group.masters-complex-example-com.id}" diff --git a/tests/integration/update_cluster/existing_sg/kubernetes.tf b/tests/integration/update_cluster/existing_sg/kubernetes.tf index c63adc5ebe..c6e77a253a 100644 --- a/tests/integration/update_cluster/existing_sg/kubernetes.tf +++ b/tests/integration/update_cluster/existing_sg/kubernetes.tf @@ -713,6 +713,15 @@ resource "aws_security_group_rule" "https-elb-to-master-sg-master-1b" { protocol = "tcp" } +resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { + type = "ingress" + security_group_id = "sg-elb" + from_port = 3 + to_port = 4 + protocol = "icmp" + cidr_blocks = ["0.0.0.0/0"] +} + resource "aws_security_group_rule" "master-egress" { type = "egress" security_group_id = "${aws_security_group.masters-existingsg-example-com.id}" diff --git a/tests/integration/update_cluster/private-shared-subnet/kubernetes.tf b/tests/integration/update_cluster/private-shared-subnet/kubernetes.tf index 9860c42d2f..b02a5c0865 100644 --- a/tests/integration/update_cluster/private-shared-subnet/kubernetes.tf +++ b/tests/integration/update_cluster/private-shared-subnet/kubernetes.tf 
@@ -574,6 +574,15 @@ resource "aws_security_group_rule" "https-elb-to-master" { protocol = "tcp" } +resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { + type = "ingress" + security_group_id = "${aws_security_group.api-elb-private-shared-subnet-example-com.id}" + from_port = 3 + to_port = 4 + protocol = "icmp" + cidr_blocks = ["0.0.0.0/0"] +} + resource "aws_security_group_rule" "master-egress" { type = "egress" security_group_id = "${aws_security_group.masters-private-shared-subnet-example-com.id}" diff --git a/tests/integration/update_cluster/privatecalico/kubernetes.tf b/tests/integration/update_cluster/privatecalico/kubernetes.tf index 509d3cd8ec..2c7cdb36bb 100644 --- a/tests/integration/update_cluster/privatecalico/kubernetes.tf +++ b/tests/integration/update_cluster/privatecalico/kubernetes.tf @@ -659,6 +659,15 @@ resource "aws_security_group_rule" "https-elb-to-master" { protocol = "tcp" } +resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { + type = "ingress" + security_group_id = "${aws_security_group.api-elb-privatecalico-example-com.id}" + from_port = 3 + to_port = 4 + protocol = "icmp" + cidr_blocks = ["0.0.0.0/0"] +} + resource "aws_security_group_rule" "master-egress" { type = "egress" security_group_id = "${aws_security_group.masters-privatecalico-example-com.id}" diff --git a/tests/integration/update_cluster/privatecanal/kubernetes.tf b/tests/integration/update_cluster/privatecanal/kubernetes.tf index d15ed4f8b4..7d584a7de0 100644 --- a/tests/integration/update_cluster/privatecanal/kubernetes.tf +++ b/tests/integration/update_cluster/privatecanal/kubernetes.tf 
@@ -659,6 +659,15 @@ resource "aws_security_group_rule" "https-elb-to-master" { protocol = "tcp" } +resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { + type = "ingress" + security_group_id = "${aws_security_group.api-elb-privatecanal-example-com.id}" + from_port = 3 + to_port = 4 + protocol = "icmp" + cidr_blocks = ["0.0.0.0/0"] +} + resource "aws_security_group_rule" "master-egress" { type = "egress" security_group_id = "${aws_security_group.masters-privatecanal-example-com.id}" diff --git a/tests/integration/update_cluster/privatedns1/kubernetes.tf b/tests/integration/update_cluster/privatedns1/kubernetes.tf index 78859f5d40..843d9f2c7b 100644 --- a/tests/integration/update_cluster/privatedns1/kubernetes.tf +++ b/tests/integration/update_cluster/privatedns1/kubernetes.tf @@ -664,6 +664,15 @@ resource "aws_security_group_rule" "https-elb-to-master" { protocol = "tcp" } +resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { + type = "ingress" + security_group_id = "${aws_security_group.api-elb-privatedns1-example-com.id}" + from_port = 3 + to_port = 4 + protocol = "icmp" + cidr_blocks = ["0.0.0.0/0"] +} + resource "aws_security_group_rule" "master-egress" { type = "egress" security_group_id = "${aws_security_group.masters-privatedns1-example-com.id}" diff --git a/tests/integration/update_cluster/privatedns2/kubernetes.tf b/tests/integration/update_cluster/privatedns2/kubernetes.tf index 247df11adc..db479231d5 100644 --- a/tests/integration/update_cluster/privatedns2/kubernetes.tf +++ b/tests/integration/update_cluster/privatedns2/kubernetes.tf 
@@ -644,6 +644,15 @@ resource "aws_security_group_rule" "https-elb-to-master" { protocol = "tcp" } +resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { + type = "ingress" + security_group_id = "${aws_security_group.api-elb-privatedns2-example-com.id}" + from_port = 3 + to_port = 4 + protocol = "icmp" + cidr_blocks = ["0.0.0.0/0"] +} + resource "aws_security_group_rule" "master-egress" { type = "egress" security_group_id = "${aws_security_group.masters-privatedns2-example-com.id}" diff --git a/tests/integration/update_cluster/privateflannel/kubernetes.tf b/tests/integration/update_cluster/privateflannel/kubernetes.tf index 5c0aac853a..50cb5ccd8f 100644 --- a/tests/integration/update_cluster/privateflannel/kubernetes.tf +++ b/tests/integration/update_cluster/privateflannel/kubernetes.tf @@ -659,6 +659,15 @@ resource "aws_security_group_rule" "https-elb-to-master" { protocol = "tcp" } +resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { + type = "ingress" + security_group_id = "${aws_security_group.api-elb-privateflannel-example-com.id}" + from_port = 3 + to_port = 4 + protocol = "icmp" + cidr_blocks = ["0.0.0.0/0"] +} + resource "aws_security_group_rule" "master-egress" { type = "egress" security_group_id = "${aws_security_group.masters-privateflannel-example-com.id}" diff --git a/tests/integration/update_cluster/privatekopeio/kubernetes.tf b/tests/integration/update_cluster/privatekopeio/kubernetes.tf index 283dd1b49d..c4870a3645 100644 --- a/tests/integration/update_cluster/privatekopeio/kubernetes.tf +++ b/tests/integration/update_cluster/privatekopeio/kubernetes.tf 
@@ -680,6 +680,15 @@ resource "aws_security_group_rule" "https-elb-to-master" { protocol = "tcp" } +resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { + type = "ingress" + security_group_id = "${aws_security_group.api-elb-privatekopeio-example-com.id}" + from_port = 3 + to_port = 4 + protocol = "icmp" + cidr_blocks = ["0.0.0.0/0"] +} + resource "aws_security_group_rule" "master-egress" { type = "egress" security_group_id = "${aws_security_group.masters-privatekopeio-example-com.id}" diff --git a/tests/integration/update_cluster/privateweave/kubernetes.tf b/tests/integration/update_cluster/privateweave/kubernetes.tf index 7179a10672..6cb3ffa07d 100644 --- a/tests/integration/update_cluster/privateweave/kubernetes.tf +++ b/tests/integration/update_cluster/privateweave/kubernetes.tf @@ -659,6 +659,15 @@ resource "aws_security_group_rule" "https-elb-to-master" { protocol = "tcp" } +resource "aws_security_group_rule" "icmp-pmtu-api-elb-0-0-0-0--0" { + type = "ingress" + security_group_id = "${aws_security_group.api-elb-privateweave-example-com.id}" + from_port = 3 + to_port = 4 + protocol = "icmp" + cidr_blocks = ["0.0.0.0/0"] +} + resource "aws_security_group_rule" "master-egress" { type = "egress" security_group_id = "${aws_security_group.masters-privateweave-example-com.id}"