For both kubectl logs and kubectl exec to work the master needs to be able to access the kubelet port (default 10250) on the workers.

https://github.com/giantswarm/k8scloudconfig/blob/master/templates.go#L1371

We also need port 179 in both directions from master to worker for the Calico BGP backend.