diff --git a/pkg/model/openstackmodel/firewall.go b/pkg/model/openstackmodel/firewall.go
index 9d2607a9aee86..13eb34231d0ba 100644
--- a/pkg/model/openstackmodel/firewall.go
+++ b/pkg/model/openstackmodel/firewall.go
@@ -270,7 +270,7 @@ func (b *FirewallModelBuilder) addHTTPSRules(c *fi.ModelBuilderContext, sgMap ma
 	return nil
 }
-// addKubeletRules - Add rules to 10250 to the KubernetesAPIAccess list
+// addKubeletRules - Add rules to 10250 port
 func (b *FirewallModelBuilder) addKubeletRules(c *fi.ModelBuilderContext, sgMap map[string]*openstacktasks.SecurityGroup) error {
 	//TODO: This is the default port for kubelet and may be overwridden
@@ -278,18 +278,20 @@ func (b *FirewallModelBuilder) addKubeletRules(c *fi.ModelBuilderContext, sgMap
 	nodeName := b.SecurityGroupName(kops.InstanceGroupRoleNode)
 	masterSG := sgMap[masterName]
 	nodeSG := sgMap[nodeName]
+
+	kubeletRule := &openstacktasks.SecurityGroupRule{
+		Lifecycle: b.Lifecycle,
+		Direction: s(string(rules.DirIngress)),
+		Protocol: s(IPProtocolTCP),
+		EtherType: s(IPV4),
+		PortRangeMin: i(10250),
+		PortRangeMax: i(10250),
+	}
+
+	// allow node-node, node-master and master-master and master-node
 	for _, sgName := range []*openstacktasks.SecurityGroup{masterSG, nodeSG} {
-		for _, apiAccess := range b.Cluster.Spec.KubernetesAPIAccess {
-			addDirectionalGroupRule(c, sgName, nil, &openstacktasks.SecurityGroupRule{
-				Lifecycle: b.Lifecycle,
-				Direction: s(string(rules.DirIngress)),
-				Protocol: s(IPProtocolTCP),
-				EtherType: s(IPV4),
-				PortRangeMin: i(10250),
-				PortRangeMax: i(10250),
-				RemoteIPPrefix: s(apiAccess),
-			})
-		}
+		addDirectionalGroupRule(c, masterSG, sgName, kubeletRule)
+		addDirectionalGroupRule(c, nodeSG, sgName, kubeletRule)
 	}
 	return nil
 }
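Review bot: The single `kubeletRule` pointer is now handed to all four addDirectionalGroupRule calls in the loop, whereas the removed code allocated a fresh SecurityGroupRule per call; if that helper (not visible here) stores the pointer in the task or sets per-pair fields on it rather than copying into a new task, the four ingress rules would alias one object and only the last source/destination pairing would survive, silently dropping the other node/master pairings the comment promises. Either confirm the helper copies, or build the rule inside the loop so each task owns its own struct. The loop variable `sgName` holds a `*openstacktasks.SecurityGroup`, not a name; `for _, destSG := range []*openstacktasks.SecurityGroup{masterSG, nodeSG} {` would read correctly against the comment. The port 10250 is still written twice and the TODO above says it may be overridden, so a named constant such as `kubeletPort` would keep the two PortRange fields from drifting. addKubeletRules' opening lines and the TODO sit in the previous hunk, outside this one.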