fix(firewall): open node to master ICMP security group

Cilium health check mechanism requires ICMP and TCP/4240 port to be opened between every node in the cluster including control plane nodes. If one of these 2 checks fails the node is considered as unreachable.
kubernetes · Apr 20, 2023 · 7f5b0dd · 7f5b0dd
1 parent 2ef477f
commit 7f5b0dd
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/pkg/model/awsmodel/firewall.go b/pkg/model/awsmodel/firewall.go
@@ -31,6 +31,7 @@ type Protocol int
 
 const (
 	ProtocolIPIP Protocol = 4
+	ProtocolICMP Protocol = 1
 )
 
 // FirewallModelBuilder configures firewall network objects
@@ -135,9 +136,11 @@ func (b *FirewallModelBuilder) applyNodeToMasterBlockSpecificPorts(c *fi.Cloudup
 	udpRanges := []portRange{{From: 1, To: 65535}}
 	protocols := []Protocol{}
 
-	if b.Cluster.Spec.Networking.Cilium != nil && b.Cluster.Spec.Networking.Cilium.EtcdManaged {
-		// Block the etcd peer port
-		tcpBlocked[2382] = true
+	if b.Cluster.Spec.Networking.Cilium != nil {
+		protocols = append(protocols, ProtocolICMP)
+		if b.Cluster.Spec.Networking.Cilium.EtcdManaged {
+			tcpBlocked[2382] = true
+		}
 	}
 
 	if b.Cluster.Spec.Networking.Calico != nil {
@@ -196,6 +199,8 @@ func (b *FirewallModelBuilder) applyNodeToMasterBlockSpecificPorts(c *fi.Cloudup
 				switch protocol {
 				case ProtocolIPIP:
 					name = "ipip"
+				case ProtocolICMP:
+					name = "icmp"
 				default:
 					klog.Warningf("unknown protocol %q - naming by number", awsName)
 				}