diff --git a/roles/kubernetes/tasks/Rocky.yml b/roles/kubernetes/tasks/Rocky.yml
index 28b1e78..91d3075 100644
--- a/roles/kubernetes/tasks/Rocky.yml
+++ b/roles/kubernetes/tasks/Rocky.yml
@@ -272,34 +272,28 @@
 - name: Allow TCP 10250 from 192.168.77.0/24
   firewalld:
-    source: 192.168.77.0/24
-    port: 10250/tcp
+    rich_rule: 'rule family="ipv4" source address="192.168.77.0/24" port port="10250" protocol="tcp" accept'
     permanent: yes
     state: enabled
     immediate: yes
-    rich_rule: 'rule family="ipv4" source address="192.168.77.0/24" port port="10250" protocol="tcp" accept'
 - name: Allow UDP 8472 from 192.168.77.0/24
   firewalld:
-    source: 192.168.77.0/24
-    port: 8472/udp
+    rich_rule: 'rule family="ipv4" source address="192.168.77.0/24" port port="8472" protocol="udp" accept'
     permanent: yes
     state: enabled
     immediate: yes
-    rich_rule: 'rule family="ipv4" source address="192.168.77.0/24" port port="8472" protocol="udp" accept'
 - name: Add flannel.1 interface to trusted zone
   firewalld:
-    interface: flannel.1
-    zone: trusted
+    rich_rule: 'rule family="ipv4" source NOT address="0.0.0.0/0" accept' # interface handling is tricky with rich_rule
     permanent: yes
     state: enabled
     immediate: yes
 - name: Add cni0 interface to trusted zone
   firewalld:
-    interface: cni0
-    zone: trusted
+    rich_rule: 'rule family="ipv4" source NOT address="0.0.0.0/0" accept'
     permanent: yes
     state: enabled
     immediate: yes
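Review bot: The two new rich rules `rule family="ipv4" source NOT address="0.0.0.0/0" accept` match no IPv4 source at all (every address is inside 0.0.0.0/0, and NOT inverts it), so the flannel.1 and cni0 tasks now add a rule that accepts nothing, and the interfaces are no longer bound to the trusted zone as the task names still claim; if the inversion were dropped to make it "work", the rule would instead accept all traffic on every port in the zone it lands in, which is far broader than trusting two specific interfaces. Restore the interface-to-zone binding the hunk removes, `interface: flannel.1` / `zone: trusted` (and `interface: cni0` / `zone: trusted`), and delete the rich_rule; the firewalld module already supported that form per the removed lines, and the "interface handling is tricky with rich_rule" comment is then unnecessary. Note also that none of the four tasks names a `zone:`, so the rich rules presumably apply to the default zone — worth making explicit. Finally, `permanent: yes` and `immediate: yes` should be the canonical `true` in all four tasks to avoid YAML 1.1/1.2 truthy ambiguity.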