From 8120b7c0d184c409815ae1f9ac815ad2a6d2993c Mon Sep 17 00:00:00 2001
From: laszlojau <49835454+laszlojau@users.noreply.github.com>
Date: Fri, 31 May 2024 02:35:43 +0930
Subject: [PATCH] Update firewall rules (#329)
Signed-off-by: laszlojau <49835454+laszlojau@users.noreply.github.com>
---
 roles/prereq/tasks/main.yml | 35 +++++++++++++++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)
diff --git a/roles/prereq/tasks/main.yml b/roles/prereq/tasks/main.yml
index ddb8637..2dc4b85 100644
--- a/roles/prereq/tasks/main.yml
+++ b/roles/prereq/tasks/main.yml
@@ -73,7 +73,7 @@
 - name: If firewalld enabled, open api port ansible.posix.firewalld: port: "{{ api_port }}/tcp" - zone: trusted + zone: internal state: enabled permanent: true immediate: true
@@ -82,11 +82,42 @@
 when: groups['server'] | length > 1 ansible.posix.firewalld: port: "2379-2381/tcp" - zone: trusted + zone: internal state: enabled permanent: true immediate: true + - name: If firewalld enabled, open inter-node ports + ansible.posix.firewalld: + port: "{{ item }}" + zone: internal + state: enabled + permanent: true + immediate: true + with_items: + - 5001/tcp # Spegel (Embedded distributed registry) + - 8472/udp # Flannel VXLAN + - 10250/tcp # Kubelet metrics + - 51820/udp # Flannel Wireguard (IPv4) + - 51821/udp # Flannel Wireguard (IPv6) + + - name: If firewalld enabled, allow node CIDRs + ansible.posix.firewalld: + source: "{{ item }}" + zone: internal + state: enabled + permanent: true + immediate: true + loop: >- + {{ + ( + groups['server'] | default([]) + + groups['agent'] | default([]) + ) + | map('extract', hostvars, ['ansible_default_ipv4', 'address']) + | flatten | unique | list + }} + - name: If firewalld enabled, allow default CIDRs ansible.posix.firewalld: source: "{{ item }}"
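Review bot: The "allow node CIDRs" task in the second hunk builds its source list from `ansible_default_ipv4.address` of every host in `server` and `agent`, which is the default-route IPv4 address and not necessarily the address k3s uses for cluster traffic on a multi-homed node, and the whole `loop` expression errors if facts were not gathered for any of those hosts (a limited run) while an IPv6-only node contributes nothing even though `51821/udp` for Flannel WireGuard IPv6 is opened just above. Consider a comment on the task such as `# Sources are each node's default-route IPv4; nodes with a separate cluster interface or IPv6-only nodes need an explicit source list` and a guard against missing facts, e.g. `| select('defined')` between the `map('extract', ...)` and `flatten` steps. Separately, the inter-node ports task uses `with_items` while the task beside it uses `loop`; `loop:` for both keeps the role consistent with current Ansible guidance. The `# Kubelet metrics` comment on `10250/tcp` understates that port — it is the kubelet API (metrics as well as exec/log endpoints), so `# Kubelet API` would describe the exposure more accurately.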