From 57308ba3710424ea7e569c860ad59406839dd4ae Mon Sep 17 00:00:00 2001
From: jaydee
Date: Wed, 4 Mar 2026 19:25:57 +0100
Subject: [PATCH] klal

---
 roles/kubernetes/tasks/Rocky.yml | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/roles/kubernetes/tasks/Rocky.yml b/roles/kubernetes/tasks/Rocky.yml
index 28b1e78..91d3075 100644
--- a/roles/kubernetes/tasks/Rocky.yml
+++ b/roles/kubernetes/tasks/Rocky.yml
@@ -272,34 +272,28 @@
 
 - name: Allow TCP 10250 from 192.168.77.0/24
   firewalld:
-    source: 192.168.77.0/24
-    port: 10250/tcp
+    rich_rule: 'rule family="ipv4" source address="192.168.77.0/24" port port="10250" protocol="tcp" accept'
     permanent: yes
     state: enabled
     immediate: yes
-    rich_rule: 'rule family="ipv4" source address="192.168.77.0/24" port port="10250" protocol="tcp" accept'
 
 - name: Allow UDP 8472 from 192.168.77.0/24
   firewalld:
-    source: 192.168.77.0/24
-    port: 8472/udp
+    rich_rule: 'rule family="ipv4" source address="192.168.77.0/24" port port="8472" protocol="udp" accept'
     permanent: yes
     state: enabled
     immediate: yes
-    rich_rule: 'rule family="ipv4" source address="192.168.77.0/24" port port="8472" protocol="udp" accept'
 
 - name: Add flannel.1 interface to trusted zone
   firewalld:
-    interface: flannel.1
-    zone: trusted
+    rich_rule: 'rule family="ipv4" source NOT address="0.0.0.0/0" accept' # interface handling is tricky with rich_rule
     permanent: yes
     state: enabled
     immediate: yes
 
 - name: Add cni0 interface to trusted zone
   firewalld:
-    interface: cni0
-    zone: trusted
+    rich_rule: 'rule family="ipv4" source NOT address="0.0.0.0/0" accept'
     permanent: yes
     state: enabled
     immediate: yes
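Review bot: The new rich rule in the flannel.1 and cni0 tasks, `source NOT address="0.0.0.0/0"`, matches no IPv4 source at all, so the two tasks no longer place those interfaces in the trusted zone and overlay/pod traffic on them falls back to whatever the default zone allows, while the task names still claim to trust the interfaces. The previous behaviour is only kept by restoring `interface: flannel.1` with `zone: trusted` (and `interface: cni0` for the second task), which the firewalld module accepts as the removed lines show; if trusting whole interfaces is judged too broad, the replacement should be rich rules scoped to the cluster's actual pod and overlay CIDRs, not a rule that can never fire. Both tasks also now submit the byte-identical rule, so the second is a duplicate no-op, and the trailing inline comment documents uncertainty rather than a decision and should be removed or replaced with the reasoning. Minor: `permanent: yes` and `immediate: yes` are YAML 1.1 truthy spellings; yamllint prefers `true`.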