From 3a883c990524e86eeda1cfd82777ca8c3d07c2c7 Mon Sep 17 00:00:00 2001
From: upodroid
Date: Wed, 11 Mar 2026 14:05:34 +0300
Subject: [PATCH] allow pods to reach metric ports running on control plane nodes when using gce alias ip
---
 pkg/model/gcemodel/firewall.go | 6 ++++++
 pkg/wellknownports/wellknownports.go | 12 ++++++++++++
 2 files changed, 18 insertions(+)
diff --git a/pkg/model/gcemodel/firewall.go b/pkg/model/gcemodel/firewall.go
index 29e0be8770169..fac972eb1f0bf 100644
--- a/pkg/model/gcemodel/firewall.go
+++ b/pkg/model/gcemodel/firewall.go
@@ -154,6 +154,12 @@ func (b *FirewallModelBuilder) Build(c *fi.CloudupModelBuilderContext) error {
 t.Allowed = append(t.Allowed, fmt.Sprintf("tcp:%d", wellknownports.EtcdCiliumClientPort))
 }
 }
+ if b.NetworkingIsIPAlias() {
+ t.Allowed = append(t.Allowed, fmt.Sprintf("tcp:%d", wellknownports.KubeControllerManagerMetricsPort))
+ t.Allowed = append(t.Allowed, fmt.Sprintf("tcp:%d", wellknownports.KubeSchedulerMetricsPort))
+ t.Allowed = append(t.Allowed, fmt.Sprintf("tcp:%d", wellknownports.KubeProxyMetricsPort))
+ t.Allowed = append(t.Allowed, fmt.Sprintf("tcp:%d", wellknownports.EtcdMetricsPort))
+ }
 c.AddTask(t)
 }
diff --git a/pkg/wellknownports/wellknownports.go b/pkg/wellknownports/wellknownports.go
index a7a05e64981b5..f814596dc63ab 100644
--- a/pkg/wellknownports/wellknownports.go
+++ b/pkg/wellknownports/wellknownports.go
@@ -20,6 +20,9 @@ const (
 // KubeAPIServer is the port where kube-apiserver listens.
 KubeAPIServer = 443
+ // EtcdMetricsPort is used to serve etcd metrics
+ EtcdMetricsPort = 2382
+
 // NodeupChallenge is the port where nodeup listens for challenges.
 NodeupChallenge = 3987
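Review bot: The new `if b.NetworkingIsIPAlias()` block opens all four ports on every alias-IP cluster, whether or not anything scrapes them, and, judging by the commit message, to the whole pod range rather than to a monitoring workload. Upstream kube-proxy serves 10249 over plain HTTP with no authentication, and the etcd metrics listener on 2382 is probably unauthenticated as well (not visible here), so any pod could read those two; 10257 and 10259 still require an authorized token. Consider gating the block on the cluster actually running a metrics scraper, and at minimum add a comment such as `// Metrics ports are reachable from all pods under IP alias; the kube-proxy and etcd listeners are not authenticated.` The four appends can also be a single `t.Allowed = append(t.Allowed, ...)` call. Build starts and ends outside this hunk, so the rule's source ranges and target tags cannot be checked from here.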
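Review bot: The comment on `EtcdMetricsPort` does not say which listener owns 2382; kops normally runs separate main and events etcd clusters, and if they serve metrics on different ports the firewall rule in firewall.go covers only one of them. I would write `// EtcdMetricsPort is the port where etcd (main cluster) serves /metrics over HTTP.`, adjusted to whatever actually listens there, and end it with a period as the neighbouring comments do. The const block begins outside this hunk.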
@@ -90,6 +93,15 @@ const (
 // KubeletAPI is the port where kubelet listens
 KubeletAPI = 10250
+
+ // KubeProxyMetricsPort is used by kube-proxy to expose metrics
+ KubeProxyMetricsPort = 10249
+
+ // KubeSchedulerMetricsPort is used by kube-scheduler to expose metrics
+ KubeSchedulerMetricsPort = 10259
+
+ // KubeControllerManagerMetricsPort is used by kube-controller-manager to expose metrics
+ KubeControllerManagerMetricsPort = 10257
 )
 type PortRange struct {
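Review bot: 10257 and 10259 are the secure serving ports of kube-controller-manager and kube-scheduler, not metrics-only listeners, so the names `KubeControllerManagerMetricsPort` and `KubeSchedulerMetricsPort` understate what a firewall rule built from them exposes: health and, if enabled, debug handlers sit on the same port behind the same authn/authz. A comment like `// KubeSchedulerMetricsPort is kube-scheduler's secure port; it serves /metrics alongside health endpoints.` would make that visible to the next caller. The three constants are also added after `KubeletAPI = 10250` out of numeric order (10249, 10259, 10257), whereas the previous hunk inserts 2382 in order between 443 and 3987. The const block begins outside this hunk.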