Fix API ELB security group rules

2016-12-18 16:03:55 -05:00 · 2016-12-18 16:03:55 -05:00 · b7522cea28
parent 125b9badd8
commit b7522cea28
1 changed files with 15 additions and 3 deletions
--- a/pkg/model/api_loadbalancer.go
+++ b/pkg/model/api_loadbalancer.go
@ -98,13 +98,12 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
 		c.AddTask(t)
 	}

-	// Allow HTTPS to the master instances from the ELB
+	// Allow traffic into the ELB from APIAccess CIDRs
 	{
 		for _, cidr := range b.Cluster.Spec.APIAccess {
 			t := &awstasks.SecurityGroupRule{
 				Name:          s("https-api-elb-" + cidr),
-				SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleMaster),
-				SourceGroup:   b.LinkToELBSecurityGroup("api"),
+				SecurityGroup: b.LinkToELBSecurityGroup("api"),
 				CIDR:          s(cidr),
 				FromPort:      i64(443),
 				ToPort:        i64(443),
@ -114,6 +113,19 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
 		}
 	}

+	// Allow HTTPS to the master instances from the ELB
+	{
+		t := &awstasks.SecurityGroupRule{
+			Name:          s("https-elb-to-master"),
+			SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleMaster),
+			SourceGroup:   b.LinkToELBSecurityGroup("api"),
+			FromPort:      i64(443),
+			ToPort:        i64(443),
+			Protocol:      s("tcp"),
+		}
+		c.AddTask(t)
+	}
+
 	for _, ig := range b.MasterInstanceGroups() {
 		t := &awstasks.LoadBalancerAttachment{
 			Name: s("api-" + ig.ObjectMeta.Name),