From de8c550d5d10017eba4b2c0b492360511fe0c34b Mon Sep 17 00:00:00 2001
From: Peter Winter <pwntr@users.noreply.github.com>
Date: Mon, 27 Oct 2025 20:40:06 +0100
Subject: [PATCH] feat: Add recommended security group rule for port `10251` to
 match EKS addon for `metrics-server` (#3562)

* add current metrics-server default port 10251 to the recommended security group rules, add TODO note to remove the metrics-server legacy port 4443 on the next breaking change

* Update node_groups.tf

Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>

---------

Co-authored-by: Bryant Biggs <bryantbiggs@gmail.com>
---
 node_groups.tf | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/node_groups.tf b/node_groups.tf
index 5a16556..f43a3e3 100644
--- a/node_groups.tf
+++ b/node_groups.tf
@@ -117,7 +117,7 @@ locals {
       type        = "ingress"
       self        = true
     }
-    # metrics-server
+    # metrics-server, legacy port - TODO: remove this on the next breaking change at v22
     ingress_cluster_4443_webhook = {
       description                   = "Cluster API to node 4443/tcp webhook"
       protocol                      = "tcp"
@@ -126,6 +126,15 @@ locals {
       type                          = "ingress"
       source_cluster_security_group = true
     }
+    # metrics-server, current EKS default port
+    ingress_cluster_10251_webhook = {
+      description                   = "Cluster API to node 10251/tcp webhook"
+      protocol                      = "tcp"
+      from_port                     = 10251
+      to_port                       = 10251
+      type                          = "ingress"
+      source_cluster_security_group = true
+    }
     # prometheus-adapter
     ingress_cluster_6443_webhook = {
       description                   = "Cluster API to node 6443/tcp webhook"