Comment 5 for bug 1905008

Nobuto Murata (nobuto) wrote :

I couldn't reproduce it in the first place, but I think I know what's happening here.

tl;dr `juju expose kubernetes-master` may be the easiest workaround, but it will expose port 8443 to everywhere.

It would be nice to tweak the LB members' rule to make it work out of the box though.

(there is a discussion about the expose feature but it's separate anyway: https://discourse.charmhub.io/t/granular-control-of-application-expose-parameters-in-the-upcoming-2-9-juju-release/3597)

The k8s-master unit/machine is covered by 3 security groups: the Juju model one, the unit/machine one, and the LB members' one.

$ openstack server show juju-f8a3c5-k8s-on-openstack-0 -c security_groups
+-----------------+-----------------------------------------------------------------------------------------+
| Field | Value |
+-----------------+-----------------------------------------------------------------------------------------+
| security_groups | name='openstack-integrator-f4720ef8a3c5-kubernetes-master-members' |
| | name='juju-6fda9e38-0c87-4a13-88f7-563386e719a9-fad73522-1466-41c0-8570-f4720ef8a3c5-0' |
| | name='juju-6fda9e38-0c87-4a13-88f7-563386e719a9-fad73522-1466-41c0-8570-f4720ef8a3c5' |
+-----------------+-----------------------------------------------------------------------------------------+

The model one is to allow all traffic inside the same model, which is not applicable to Amphora instance <-> k8s-master since Amphora is outside of the Juju model's security group.

Then, the LB members' rule allows traffic to 6443 only from a /32, which is the LB's vip_address.

$ openstack security group rule list openstack-integrator-f4720ef8a3c5-kubernetes-master-members
+--------------------------------------+-------------+-----------+---------------+------------+-----------+-----------------------+----------------------+
| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+---------------+------------+-----------+-----------------------+----------------------+
| 1b5a9b4a-c9f5-4730-a6ee-b53ed672d3aa | None | IPv6 | ::/0 | | egress | None | None |
| 7e7cf826-6732-4f26-89b0-0c27f4b2788e | None | IPv4 | 0.0.0.0/0 | | egress | None | None |
| ea4e048d-a164-431c-b44f-96076a41c859 | tcp | IPv4 | 10.5.5.116/32 | 6443:6443 | ingress | None | None |
+--------------------------------------+-------------+-----------+---------------+------------+-----------+-----------------------+----------------------+

But the unit/machine one can allow access to 6443 from anywhere when the application has expose=true in the Juju model, and that's enabled by default in the charmstore bundles: https://github.com/charmed-kubernetes/bundle/blob/045be1ee3cf544f67298fd22050cfbca98337bd4/fragments/k8s/core/bundle.yaml#L6-L13

$ openstack security group rule list juju-6fda9e38-0c87-4a13-88f7-563386e719a9-fad73522-1466-41c0-8570-f4720ef8a3c5-0
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| ID | IP Protocol | Ethertype | IP Range | Port Range | Direction | Remote Security Group | Remote Address Group |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
| 3a9bd197-ceba-40e6-a812-fda6c6552d11 | tcp | IPv4 | 0.0.0.0/0 | 6443:6443 | ingress | None | None |
| 893a858f-015a-4f84-b46a-068a68cddfbc | None | IPv6 | ::/0 | | egress | None | None |
| 8de817bb-8a8a-44d2-a47f-468cbd538cad | tcp | IPv6 | ::/0 | 6443:6443 | ingress | None | None |
| 99d3eb2a-09a5-48ac-9437-55a5fab56a26 | None | IPv4 | 0.0.0.0/0 | | egress | None | None |
+--------------------------------------+-------------+-----------+-----------+------------+-----------+-----------------------+----------------------+
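The point of the comment above is that security groups attached to one server are ORed: the members group restricts 6443 to the VIP /32, but the unit group opens the same port to 0.0.0.0/0 and ::/0, so the restriction has no effect. The following audit script is an added example, not part of this bug report or of the openstack-integrator / kubernetes-master charms. It takes rule lists in the dict shape that `openstack security group rule list <group> -f json` would emit (the JSON key names are assumed to match the column headers in the tables above), flags world-open ingress rules, and reports the effective set of sources admitted to a port across all groups on a server. The rule data embedded below is constructed from the two tables in this comment.

```python
import ipaddress

# Constructed sample input: the rules from the two tables in this comment,
# keyed like `openstack security group rule list <group> -f json` output
# (assumption: the JSON keys equal the table column headers).
MEMBERS_RULES = [
    {"ID": "1b5a9b4a-c9f5-4730-a6ee-b53ed672d3aa", "IP Protocol": None, "Ethertype": "IPv6",
     "IP Range": "::/0", "Port Range": "", "Direction": "egress", "Remote Security Group": None},
    {"ID": "7e7cf826-6732-4f26-89b0-0c27f4b2788e", "IP Protocol": None, "Ethertype": "IPv4",
     "IP Range": "0.0.0.0/0", "Port Range": "", "Direction": "egress", "Remote Security Group": None},
    {"ID": "ea4e048d-a164-431c-b44f-96076a41c859", "IP Protocol": "tcp", "Ethertype": "IPv4",
     "IP Range": "10.5.5.116/32", "Port Range": "6443:6443", "Direction": "ingress", "Remote Security Group": None},
]
UNIT_RULES = [
    {"ID": "3a9bd197-ceba-40e6-a812-fda6c6552d11", "IP Protocol": "tcp", "Ethertype": "IPv4",
     "IP Range": "0.0.0.0/0", "Port Range": "6443:6443", "Direction": "ingress", "Remote Security Group": None},
    {"ID": "893a858f-015a-4f84-b46a-068a68cddfbc", "IP Protocol": None, "Ethertype": "IPv6",
     "IP Range": "::/0", "Port Range": "", "Direction": "egress", "Remote Security Group": None},
    {"ID": "8de817bb-8a8a-44d2-a47f-468cbd538cad", "IP Protocol": "tcp", "Ethertype": "IPv6",
     "IP Range": "::/0", "Port Range": "6443:6443", "Direction": "ingress", "Remote Security Group": None},
    {"ID": "99d3eb2a-09a5-48ac-9437-55a5fab56a26", "IP Protocol": None, "Ethertype": "IPv4",
     "IP Range": "0.0.0.0/0", "Port Range": "", "Direction": "egress", "Remote Security Group": None},
]


def parse_port_range(text):
    """'6443:6443' -> (6443, 6443); an empty range means all ports."""
    if not text:
        return (1, 65535)
    lo, hi = text.split(":")
    return (int(lo), int(hi))


def rule_matches(rule, port, proto="tcp"):
    """True if this is an ingress rule admitting `proto` traffic to `port`."""
    if rule["Direction"] != "ingress":
        return False
    # IP Protocol None means "any protocol" in the CLI output.
    if rule["IP Protocol"] not in (None, proto):
        return False
    lo, hi = parse_port_range(rule["Port Range"])
    return lo <= port <= hi


def allowed_sources(rules, port, proto="tcp"):
    """Remote prefixes that one security group admits to `port`.

    Rules whose remote is a security group rather than a prefix carry no
    IP Range and are skipped here; they need a separate group-membership check.
    """
    return [ipaddress.ip_network(r["IP Range"])
            for r in rules if rule_matches(r, port, proto) and r["IP Range"]]


def world_open_ingress(rules, port, proto="tcp"):
    """IDs of ingress rules on `port` whose remote prefix is the whole address space."""
    return [r["ID"] for r in rules
            if rule_matches(r, port, proto) and r["IP Range"]
            and ipaddress.ip_network(r["IP Range"]).prefixlen == 0]


def effective_sources(groups, port, proto="tcp"):
    """Per-group admitted prefixes for a server carrying several groups.

    Neutron ORs all groups on a port, so the narrowest group does not win:
    any group with a wide rule makes the port reachable from that range.
    """
    return {name: [str(n) for n in allowed_sources(rules, port, proto)]
            for name, rules in groups.items()}


def is_world_reachable(groups, port, proto="tcp"):
    """True if any attached group opens `port` to 0.0.0.0/0 or ::/0."""
    return any(world_open_ingress(rules, port, proto) for rules in groups.values())


if __name__ == "__main__":
    server_groups = {
        "openstack-integrator-f4720ef8a3c5-kubernetes-master-members": MEMBERS_RULES,
        "juju-...-f4720ef8a3c5-0 (unit/machine)": UNIT_RULES,
    }
    for name, srcs in effective_sources(server_groups, 6443).items():
        print(f"{name}: 6443 admitted from {srcs or 'nothing'}")
    print("6443 world-reachable:", is_world_reachable(server_groups, 6443))
```

Run against the two groups above, the script shows the members group admitting only 10.5.5.116/32 while the unit group admits 0.0.0.0/0 and ::/0, so the combined verdict for 6443 is "world-reachable"; removing the unit group's wide rules (or the expose flag that creates them) is what would make the members /32 rule the effective boundary.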