diff --git a/examples/full-cluster-tf-upgrade/1.25/securitygroup.tf b/examples/full-cluster-tf-upgrade/1.25/securitygroup.tf
index f06a43e..15672a4 100644
--- a/examples/full-cluster-tf-upgrade/1.25/securitygroup.tf
+++ b/examples/full-cluster-tf-upgrade/1.25/securitygroup.tf
@@ -20,7 +20,9 @@
 # We absorbe the local 10.x.x.x/x cidr into the 10/8
 #
 # extra_cluster_sg
+# * in any from self
 # * in port 443 from census on-prem, and 10/8
+# * in port 10250 for kubectl logs from census on-prem, and 10/8
 
 resource "aws_security_group" "additional_eks_cluster_sg" {
 name = format("%v%v-cluster", local._prefixes["eks-security-group"], var.cluster_name)
@@ -137,6 +139,13 @@ resource "aws_security_group" "extra_cluster_sg" {
 
 vpc_id = data.aws_vpc.eks_vpc.id
 
+ ingress {
+ from_port = 0
+ to_port = 0
+ protocol = -1
+ self = true
+ }
+
 ingress {
 from_port = 443
 to_port = 443
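Review bot: The new self-referencing `ingress` block in `extra_cluster_sg` opens every protocol and port (`protocol = -1`, ports 0 to 0) between all interfaces that carry this group, and it has no `description`, so someone auditing the rule in a plan or in the console cannot tell why it exists. I would add a line such as `description = "all traffic between members of this security group"`, worded to the actual reason, and list specific ports instead of `-1` if the members only need a few between each other. The header comment now also documents a port 10250 rule for kubectl logs, but no matching `ingress` block is added in the visible hunks; it may already exist further down the resource, which continues outside this hunk, so it is worth confirming that the comment and the rules agree. The AWS provider examples spell the value as a string, `protocol = "-1"`, which would be the conventional form here.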