Fix some lints and firewalld policies

README.md

@@ -60,15 +60,15 @@ Setting up a loadbalancer or VIP beforehand to use as the API endpoint is possib
 Start provisioning of the cluster using the following command:
 
 ```bash
-ansible-playbook playbook/site.yml -i inventory.yml
+ansible-playbook playbooks/site.yml -i inventory.yml
 ```
 
 ## Upgrading
 
 A playbook is provided to upgrade K3s on all nodes in the cluster. To use it, update `k3s_version` with the desired version in `inventory.yml` and run:
 
 ```bash
-ansible-playbook playbook/upgrade.yml -i inventory.yml
+ansible-playbook playbooks/upgrade.yml -i inventory.yml
 ```
 
 ## Airgap Install
@@ -77,7 +77,7 @@ Airgap installation is supported via the `airgap_dir` variable. This variable sh
 
 An example folder for an x86_64 cluster:
 ```bash
-$ ls ./playbook/my-airgap/
+$ ls ./playbooks/my-airgap/
 total 248M
 -rwxr-xr-x 1 $USER $USER  58M Nov 14 11:28 k3s
 -rw-r--r-- 1 $USER $USER 190M Nov 14 11:30 k3s-airgap-images-amd64.tar.gz

inventory-sample.yml

@@ -19,7 +19,7 @@ k3s_cluster:
     extra_server_args: ""
     extra_agent_args: ""
 
-  # Optional vars
+    # Optional vars
     # cluster_context: k3s-ansible
     # api_port: 6443
     # k3s_server_location: /var/lib/rancher/k3s
@@ -29,12 +29,13 @@ k3s_cluster:
     # List of locally available manifests to apply to the cluster, useful for PVCs or Traefik modifications.
     # extra_manifests: [ '/path/to/manifest1.yaml', '/path/to/manifest2.yaml' ]
     # airgap_dir: /tmp/k3s-airgap-images
-    # user_kubectl: true, by default kubectl is symlinked and configured for use by ansible_user. Set to false to only kubectl via root user.
+    # user_kubectl: true, by default kubectl is symlinked and configured for use by ansible_user.
+    #   Set to false to only kubectl via root user.
     # server_config_yaml:  |
-      # This is now an inner yaml file. Maintain the indentation.
-      # YAML here will be placed as the content of /etc/rancher/k3s/config.yaml
-      # See https://docs.k3s.io/installation/configuration#configuration-file
+    #   This is now an inner yaml file. Maintain the indentation.
+    #   YAML here will be placed as the content of /etc/rancher/k3s/config.yaml
+    #   See https://docs.k3s.io/installation/configuration#configuration-file
     # registries_config_yaml:  |
-      # Containerd can be configured to connect to private registries and use them to pull images as needed by the kubelet.
-      # YAML here will be placed as the content of /etc/rancher/k3s/registries.yaml
-      # See https://docs.k3s.io/installation/private-registry
+    #   Containerd can be configured to connect to private registries and use them to pull images as needed
+    #   by the kubelet. YAML here will be placed as the content of /etc/rancher/k3s/registries.yaml
+    #   See https://docs.k3s.io/installation/private-registry

roles/airgap/tasks/main.yml

@@ -15,31 +15,31 @@
         url: https://get.k3s.io/
         timeout: 120
         dest: "{{ airgap_dir }}/k3s-install.sh"
-        mode: 0755
+        mode: "0755"
 
     - name: Distribute K3s install script
       ansible.builtin.copy:
         src: "{{ airgap_dir }}/k3s-install.sh"
         dest: /usr/local/bin/k3s-install.sh
         owner: root
         group: root
-        mode: 0755
+        mode: "0755"
 
     - name: Distribute K3s binary
       ansible.builtin.copy:
         src: "{{ airgap_dir }}/k3s"
         dest: /usr/local/bin/k3s
         owner: root
         group: root
-        mode: 0755
+        mode: "0755"
 
     - name: Distribute K3s SELinux RPM
       ansible.builtin.copy:
         src: "{{ item }}"
         dest: /tmp/
         owner: root
         group: root
-        mode: 0755
+        mode: "0755"
       with_fileglob:
         - "{{ airgap_dir }}/k3s-selinux*.rpm"
       register: selinux_copy
@@ -57,7 +57,7 @@
     - name: Make images directory
       ansible.builtin.file:
         path: "/var/lib/rancher/k3s/agent/images/"
-        mode: 0755
+        mode: "0755"
         state: directory
 
     - name: Determine Architecture
@@ -71,7 +71,7 @@
         dest: /var/lib/rancher/k3s/agent/images/{{ item | basename }}
         owner: root
         group: root
-        mode: 0755
+        mode: "0755"
       with_first_found:
         - files:
             - "{{ airgap_dir }}/k3s-airgap-images-amd64.tar.zst"
@@ -86,7 +86,7 @@
         dest: /var/lib/rancher/k3s/agent/images/{{ item | basename }}
         owner: root
         group: root
-        mode: 0755
+        mode: "0755"
       with_first_found:
         - files:
             - "{{ airgap_dir }}/k3s-airgap-images-arm64.tar.zst"
@@ -101,7 +101,7 @@
         dest: /var/lib/rancher/k3s/agent/images/{{ item | basename }}
         owner: root
         group: root
-        mode: 0755
+        mode: "0755"
       with_first_found:
         - files:
             - "{{ airgap_dir }}/k3s-airgap-images-arm.tar.zst"

roles/k3s_agent/tasks/main.yml

@@ -24,7 +24,7 @@
         dest: /usr/local/bin/k3s-install.sh
         owner: root
         group: root
-        mode: 0755
+        mode: "0755"
 
     - name: Download K3s binary
       ansible.builtin.command:

roles/k3s_server/tasks/main.yml

@@ -24,7 +24,7 @@
         dest: /usr/local/bin/k3s-install.sh
         owner: root
         group: root
-        mode: 0755
+        mode: "0755"
 
     - name: Download K3s binary
       ansible.builtin.command:
@@ -46,13 +46,13 @@
     - name: Make config directory
       ansible.builtin.file:
         path: "/etc/rancher/k3s"
-        mode: 0755
+        mode: "0755"
         state: directory
     - name: Copy config values
       ansible.builtin.copy:
         content: "{{ server_config_yaml }}"
         dest: "/etc/rancher/k3s/config.yaml"
-        mode: 0644
+        mode: "0644"
 
 - name: Init first server node
   when: inventory_hostname == groups['server'][0]
@@ -64,7 +64,7 @@
         dest: "{{ systemd_dir }}/k3s.service"
         owner: root
         group: root
-        mode: 0644
+        mode: "0644"
 
     - name: Copy K3s service file [HA]
       when: groups['server'] | length > 1
@@ -73,7 +73,7 @@
         dest: "{{ systemd_dir }}/k3s.service"
         owner: root
         group: root
-        mode: 0644
+        mode: "0644"
 
     - name: Add service environment variables
       when: extra_service_envs is defined
@@ -113,7 +113,7 @@
 
         - name: Change server address in kubeconfig on control node
           ansible.builtin.shell: |
             KUBECONFIG={{ kubeconfig }} kubectl config set-cluster default --server=https://{{ api_endpoint }}:{{ api_port }}
           delegate_to: 127.0.0.1
           become: false
           register: csa_result
@@ -133,7 +133,7 @@
           when: kubeconfig != "~/.kube/config"
           ansible.builtin.shell: |
             TFILE=$(mktemp)
             KUBECONFIG={{ kubeconfig }} kubectl config set-context {{ cluster_context }} --user={{ cluster_context }} --cluster={{ cluster_context }}
             KUBECONFIG={{ kubeconfig }} kubectl config view --flatten > ${TFILE}
             mv ${TFILE} {{ kubeconfig }}
           delegate_to: 127.0.0.1
@@ -154,7 +154,7 @@
         dest: "{{ systemd_dir }}/k3s.service"
         owner: root
         group: root
-        mode: 0644
+        mode: "0644"
 
     - name: Enable and check K3s service
       ansible.builtin.systemd:

roles/prereq/defaults/main.yml

@@ -1,2 +1,13 @@
 ---
+# Zone for inter-node traffic
+k3s_firewalld_node_zone: internal
+
+# List of IP addresses or cidr masks of your nodes
+k3s_firewalld_node_cidrs: []
+
+# List of public services
+k3s_firewalld_public_ports:
+  - 80/tcp
+  - 443/tcp
+
 api_port: 6443

roles/prereq/tasks/main.yml

@@ -73,7 +73,7 @@
     - name: If firewalld enabled, open api port
       ansible.posix.firewalld:
         port: "{{ api_port }}/tcp"
-        zone: trusted
+        zone: "{{ k3s_firewalld_node_zone }}"
         state: enabled
         permanent: true
         immediate: true
@@ -82,10 +82,44 @@
       when: groups['server'] | length > 1
       ansible.posix.firewalld:
         port: "2379-2381/tcp"
-        zone: trusted
+        zone: "{{ k3s_firewalld_node_zone }}"
+        state: enabled
+        permanent: true
+        immediate: true
+
+    - name: If firewalld enabled, open inter-node ports
+      ansible.posix.firewalld:
+        port: "{{ item }}"
+        zone: "{{ k3s_firewalld_node_zone }}"
+        state: enabled
+        permanent: true
+        immediate: true
+      with_items:
+        - 8472/udp
+        - 10250/tcp
+        - 51820/udp
+        - 51821/udp
+        - 5001/tcp
+
+    - name: If firewalld enabled, allow node CIDRs
+      ansible.posix.firewalld:
+        source: "{{ item }}"
+        zone: "{{ k3s_firewalld_node_zone }}"
+        state: enabled
+        permanent: true
+        immediate: true
+      when: k3s_firewalld_node_cidrs is defined
+      loop: "{{ k3s_firewalld_node_cidrs }}"
+
+    - name: If firewalld enabled, open public ports
+      ansible.posix.firewalld:
+        port: "{{ item }}"
+        zone: "public"
         state: enabled
         permanent: true
         immediate: true
+      when: k3s_firewalld_public_ports is defined
+      loop: "{{ k3s_firewalld_public_ports }}"
 
     - name: If firewalld enabled, allow default CIDRs
       ansible.posix.firewalld:
@@ -184,7 +218,7 @@
     - name: Make rancher directory
       ansible.builtin.file:
         path: "/var/lib/rancher"
-        mode: 0755
+        mode: "0755"
         state: directory
     - name: Create symlink
       ansible.builtin.file:
@@ -199,13 +233,13 @@
     - name: Make manifests directory
       ansible.builtin.file:
         path: "/var/lib/rancher/k3s/server/manifests"
-        mode: 0700
+        mode: "0700"
         state: directory
     - name: Copy manifests
       ansible.builtin.copy:
         src: "{{ item }}"
         dest: "/var/lib/rancher/k3s/server/manifests"
-        mode: 0600
+        mode: "0600"
       loop: "{{ extra_manifests }}"
 
 - name: Setup optional private registry configuration
@@ -214,10 +248,10 @@
     - name: Make k3s config directory
       ansible.builtin.file:
         path: "/etc/rancher/k3s"
-        mode: 0755
+        mode: "0755"
         state: directory
     - name: Copy config values
       ansible.builtin.copy:
         content: "{{ registries_config_yaml }}"
         dest: "/etc/rancher/k3s/registries.yaml"
-        mode: 0644
+        mode: "0644"