Update firewall rules (k3s-io#329)

Signed-off-by: laszlojau <[email protected]>
steevi · Jul 2, 2024 · a7eb09a · a7eb09a
1 parent 72954d9
commit a7eb09a
Showing 1 changed file with 33 additions and 2 deletions.
diff --git a/roles/prereq/tasks/main.yml b/roles/prereq/tasks/main.yml
@@ -76,7 +76,7 @@
     - name: If firewalld enabled, open api port
       ansible.posix.firewalld:
         port: "{{ api_port }}/tcp"
-        zone: trusted
+        zone: internal
         state: enabled
         permanent: true
         immediate: true
@@ -85,10 +85,41 @@
       when: groups['server'] | length > 1
       ansible.posix.firewalld:
         port: "2379-2381/tcp"
-        zone: trusted
+        zone: internal
+        state: enabled
+        permanent: true
+        immediate: true
+
+    - name: If firewalld enabled, open inter-node ports
+      ansible.posix.firewalld:
+        port: "{{ item }}"
+        zone: internal
+        state: enabled
+        permanent: true
+        immediate: true
+      with_items:
+        - 5001/tcp   # Spegel (Embedded distributed registry)
+        - 8472/udp   # Flannel VXLAN
+        - 10250/tcp  # Kubelet metrics
+        - 51820/udp  # Flannel Wireguard (IPv4)
+        - 51821/udp  # Flannel Wireguard (IPv6)
+
+    - name: If firewalld enabled, allow node CIDRs
+      ansible.posix.firewalld:
+        source: "{{ item }}"
+        zone: internal
         state: enabled
         permanent: true
         immediate: true
+      loop: >-
+        {{
+          (
+            groups['server'] | default([])
+            + groups['agent'] | default([])
+          )
+          | map('extract', hostvars, ['ansible_default_ipv4', 'address'])
+          | flatten | unique | list
+        }}
 
     - name: If firewalld enabled, allow default CIDRs
       ansible.posix.firewalld: