From 6c97025af335d9e10b37e012aafee6d8597f7b6a Mon Sep 17 00:00:00 2001
From: Varac <varac@varac.net>
Date: Wed, 19 Jun 2019 12:46:56 +0200
Subject: [PATCH] Allow prometheus to reach all targets

Closes #214,#219
---
 ansible/roles/setup/tasks/main.yml       |  1 +
 ansible/roles/setup/tasks/prometheus.yml | 28 ++++++++++++++++++++++++
 2 files changed, 29 insertions(+)
 create mode 100644 ansible/roles/setup/tasks/prometheus.yml

diff --git a/ansible/roles/setup/tasks/main.yml b/ansible/roles/setup/tasks/main.yml
index f630839ba..198e758b5 100644
--- a/ansible/roles/setup/tasks/main.yml
+++ b/ansible/roles/setup/tasks/main.yml
@@ -3,5 +3,6 @@
 - import_tasks: rke.yml
 - import_tasks: tiller.yml
 - import_tasks: cert-manager.yml
+- import_tasks: prometheus.yml
 - import_tasks: helmfiles.yml
 - import_tasks: krew.yml
diff --git a/ansible/roles/setup/tasks/prometheus.yml b/ansible/roles/setup/tasks/prometheus.yml
new file mode 100644
index 000000000..41a2ddee5
--- /dev/null
+++ b/ansible/roles/setup/tasks/prometheus.yml
@@ -0,0 +1,28 @@
+---
+- name: Allow internal access to node-exporter metrics
+  tags:
+    - iptables
+  iptables:
+    chain: "INPUT"
+    protocol: "tcp"
+    # We'll allow the whole private IP space for 10.0.0.0/8 here
+    # because calico might use different IPs in this space to
+    # contact the node-exporter
+    source: "10.0.0.0/8"
+    destination_port: 9100
+    jump: "ACCEPT"
+  become: true
+
+- name: Allow internal access to kubelet metrics
+  tags:
+    - iptables
+  iptables:
+    chain: "INPUT"
+    protocol: "tcp"
+    # We'll allow the whole private IP space for 10.0.0.0/8 here
+    # because calico might use different IPs in this space to
+    # contact the node-exporter
+    source: "10.0.0.0/8"
+    destination_port: 10250
+    jump: "ACCEPT"
+  become: true
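Review bot: The second task opens TCP 10250 to all of 10.0.0.0/8, and 10250 is the kubelet's full API (pod exec, logs, port-forward), not only `/metrics`, so any host in that /8 that is not part of this cluster — other tenants on a shared provider network, for instance — can reach the kubelet, and what it can then do depends entirely on kubelet authn/authz settings this patch does not show. Narrow `source` on both rules to the pod and node CIDRs the cluster is actually configured with rather than the whole private range, e.g. `source: "{{ pod_cidr }}"` fed from the same value RKE/Calico uses, and add a `comment:` to each rule so the origin is visible in `iptables -L`. The comment block on the kubelet task is copied from the node-exporter task and should end `# contact the kubelet`. Note also that the `iptables` module appends by default: if the INPUT chain already ends in a DROP/REJECT rule (not visible here), these ACCEPTs land after it and never match, so `action: insert` would be required, and rules added this way do not survive a reboot unless something else persists them.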
-- 
GitLab