We used a rule from a comment thread in another git repository, so we assumed the configuration was correct. However, it appears to grant too wide a range of ports for control plane access into the EKS nodes. This is a very minor security issue, but we should still fix it.
```hcl
ingress_4443_from_control_plane = {
  # This is important for Kubernetes internals such as the metrics server
  # to reach the cluster nodes. See this comment: https://github.com/kubernetes-sigs/metrics-server/issues/1024#issuecomment-1129914389
  # TODO this appears to have the wrong range--should be 4443 to 4443
  description = "Cluster API to Nodegroup for metrics server"
  protocol = "-1"
  from_port = 0
  to_port = 4443
  type = "ingress"
  source_cluster_security_group = true
}
```
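A narrowed form of the rule, as an added example that is not part of the original issue or the linked comment. It keeps the same rule map format and applies the 4443-to-4443 range the TODO calls for. It also changes the protocol, because AWS security group rules with protocol `-1` allow all ports regardless of `from_port`/`to_port`. It assumes the metrics server is reached over TCP only.

```hcl
ingress_4443_from_control_plane = {
  description = "Cluster API to Nodegroup for metrics server"

  # Assumption: the control plane reaches the metrics server over TCP only.
  # With protocol "-1" (all protocols), AWS ignores the port range and
  # allows traffic on every port, so narrowing the ports alone is not enough.
  protocol = "tcp"

  # Single port instead of the 0-4443 range.
  from_port = 4443
  to_port   = 4443

  type                          = "ingress"
  source_cluster_security_group = true
}
```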