diff --git a/examples/full-cluster-tf-upgrade/1.24/securitygroup.tf b/examples/full-cluster-tf-upgrade/1.24/securitygroup.tf
index a2e3baa..1e6eebd 100644
--- a/examples/full-cluster-tf-upgrade/1.24/securitygroup.tf
+++ b/examples/full-cluster-tf-upgrade/1.24/securitygroup.tf
@@ -20,7 +20,9 @@
 # We absorbe the local 10.x.x.x/x cidr into the 10/8
 #
 # extra_cluster_sg
+# * in any from self
 # * in port 443 from census on-prem, and 10/8
+# * in port 10250 for kubectl logs from census on-prem, and 10/8
 resource "aws_security_group" "additional_eks_cluster_sg" {
   name = format("%v%v-cluster", local._prefixes["eks-security-group"], var.cluster_name)
@@ -137,6 +139,13 @@ resource "aws_security_group" "extra_cluster_sg" {
   vpc_id = data.aws_vpc.eks_vpc.id
 
+  ingress {
+    from_port = 0
+    to_port = 0
+    protocol = -1
+    self = true
+  }
+
   ingress {
     from_port = 443
     to_port = 443
@@ -144,6 +153,14 @@ resource "aws_security_group" "extra_cluster_sg" {
     cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"])
   }
 
+  # kubectl logs
+  ingress {
+    from_port = 10250
+    to_port = 10250
+    protocol = "tcp"
+    cidr_blocks = concat(var.census_private_cidr, ["10.0.0.0/8"])
+  }
+
   egress {
     from_port = 0
     to_port = 0
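Review bot: The new self-referencing ingress rule writes its protocol as the bare number `-1` while the neighbouring rules in the same resource use the string form (`"tcp"`), so one block mixes two conventions; Terraform coerces the number, but `protocol = "-1"` is the documented string form and matches the rest of the file. The rule also has no `description`, which makes an all-traffic rule hard to tell apart from any other once it is in the console; something like `description = "All traffic between members of this security group"` would carry the intent that the comment block in the first hunk states. The enclosing extra_cluster_sg resource begins and ends outside this hunk.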
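Review bot: The 10250 rule admits the kubelet API from every on-prem CIDR plus all of 10.0.0.0/8, although `kubectl logs` does not reach the kubelet from the client: the API server proxies the request, so the source that needs port 10250 is the control plane (on EKS, typically the cluster security group) rather than the workstation networks. Unless something on those networks pulls logs from nodes directly, the cidr_blocks here are wider than the stated purpose, and the self rule added in the previous hunk may already cover the in-cluster path; confirm what actually needs this and narrow the source if nothing does. Whichever source is kept, replace the bare `# kubectl logs` comment with `description = "kubelet API (10250) for kubectl logs"` so the reason survives into the AWS console. The enclosing extra_cluster_sg resource begins and ends outside this hunk.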