klal

2026-03-12 21:32:48 +01:00 · 2026-03-04 19:25:57 +01:00
parent f7085281fc
commit 57308ba371
1 changed files with 4 additions and 10 deletions
--- a/roles/kubernetes/tasks/Rocky.yml
+++ b/roles/kubernetes/tasks/Rocky.yml
@@ -272,34 +272,28 @@

    - name: Allow TCP 10250 from 192.168.77.0/24
      firewalld:
-        source: 192.168.77.0/24
-        port: 10250/tcp
+        rich_rule: 'rule family="ipv4" source address="192.168.77.0/24" port port="10250" protocol="tcp" accept'
        permanent: yes
        state: enabled
        immediate: yes
-        rich_rule: 'rule family="ipv4" source address="192.168.77.0/24" port port="10250" protocol="tcp" accept'

    - name: Allow UDP 8472 from 192.168.77.0/24
      firewalld:
-        source: 192.168.77.0/24
-        port: 8472/udp
+        rich_rule: 'rule family="ipv4" source address="192.168.77.0/24" port port="8472" protocol="udp" accept'
        permanent: yes
        state: enabled
        immediate: yes
-        rich_rule: 'rule family="ipv4" source address="192.168.77.0/24" port port="8472" protocol="udp" accept'

    - name: Add flannel.1 interface to trusted zone
      firewalld:
-        interface: flannel.1
-        zone: trusted
+        rich_rule: 'rule family="ipv4" source NOT address="0.0.0.0/0" accept'   # interface handling is tricky with rich_rule
        permanent: yes
        state: enabled
        immediate: yes

    - name: Add cni0 interface to trusted zone
      firewalld:
-        interface: cni0
-        zone: trusted
+        rich_rule: 'rule family="ipv4" source NOT address="0.0.0.0/0" accept'
        permanent: yes
        state: enabled
        immediate: yes