allow pods to reach metric ports running on control plane nodes when using gce alias ip

upodroid · upodroid · commit 3a883c990524 · 2026-03-11T14:05:34.000+03:00
diff --git a/pkg/model/gcemodel/firewall.go b/pkg/model/gcemodel/firewall.go
@@ -154,6 +154,12 @@ func (b *FirewallModelBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 				t.Allowed = append(t.Allowed, fmt.Sprintf("tcp:%d", wellknownports.EtcdCiliumClientPort))
 			}
 		}
+		if b.NetworkingIsIPAlias() {
+			t.Allowed = append(t.Allowed, fmt.Sprintf("tcp:%d", wellknownports.KubeControllerManagerMetricsPort))
+			t.Allowed = append(t.Allowed, fmt.Sprintf("tcp:%d", wellknownports.KubeSchedulerMetricsPort))
+			t.Allowed = append(t.Allowed, fmt.Sprintf("tcp:%d", wellknownports.KubeProxyMetricsPort))
+			t.Allowed = append(t.Allowed, fmt.Sprintf("tcp:%d", wellknownports.EtcdMetricsPort))
+		}
 		c.AddTask(t)
 	}
 
diff --git a/pkg/wellknownports/wellknownports.go b/pkg/wellknownports/wellknownports.go
@@ -20,6 +20,9 @@ const (
 	// KubeAPIServer is the port where kube-apiserver listens.
 	KubeAPIServer = 443
 
+	// EtcdMetricsPort is used to serve etcd metrics
+	EtcdMetricsPort = 2382
+
 	// NodeupChallenge is the port where nodeup listens for challenges.
 	NodeupChallenge = 3987
 
@@ -90,6 +93,15 @@ const (
 
 	// KubeletAPI is the port where kubelet listens
 	KubeletAPI = 10250
+
+	// KubeProxyMetricsPort is used by kube-proxy to expose metrics
+	KubeProxyMetricsPort = 10249
+
+	// KubeSchedulerMetricsPort is used by kube-scheduler to expose metrics
+	KubeSchedulerMetricsPort = 10259
+
+	// KubeControllerManagerMetricsPort is used by kube-controller-manager to expose metrics
+	KubeControllerManagerMetricsPort = 10257
 )
 
 type PortRange struct {

Original file line number	Diff line number	Diff line change
`@@ -154,6 +154,12 @@ func (b FirewallModelBuilder) Build(c fi.CloudupModelBuilderContext) error {`
`154`	`154`	`t.Allowed = append(t.Allowed, fmt.Sprintf("tcp:%d", wellknownports.EtcdCiliumClientPort))`
`155`	`155`	`}`
`156`	`156`	`}`
	`157`	`+ if b.NetworkingIsIPAlias() {`
	`158`	`+ t.Allowed = append(t.Allowed, fmt.Sprintf("tcp:%d", wellknownports.KubeControllerManagerMetricsPort))`
	`159`	`+ t.Allowed = append(t.Allowed, fmt.Sprintf("tcp:%d", wellknownports.KubeSchedulerMetricsPort))`
	`160`	`+ t.Allowed = append(t.Allowed, fmt.Sprintf("tcp:%d", wellknownports.KubeProxyMetricsPort))`
	`161`	`+ t.Allowed = append(t.Allowed, fmt.Sprintf("tcp:%d", wellknownports.EtcdMetricsPort))`
	`162`	`+ }`
`157`	`163`	`c.AddTask(t)`
`158`	`164`	`}`
`159`	`165`