Update firewall rules (#329)

Signed-off-by: laszlojau <49835454+laszlojau@users.noreply.github.com>
laszlojau 2024-05-31 02:35:43 +09:30 committed by GitHub
parent 64e38ee702
commit 8120b7c0d1


@ -73,7 +73,7 @@
- name: If firewalld enabled, open api port - name: If firewalld enabled, open api port
ansible.posix.firewalld: ansible.posix.firewalld:
port: "{{ api_port }}/tcp" port: "{{ api_port }}/tcp"
zone: trusted zone: internal
state: enabled state: enabled
permanent: true permanent: true
immediate: true immediate: true
@ -82,11 +82,42 @@
when: groups['server'] | length > 1 when: groups['server'] | length > 1
ansible.posix.firewalld: ansible.posix.firewalld:
port: "2379-2381/tcp" port: "2379-2381/tcp"
zone: trusted zone: internal
state: enabled state: enabled
permanent: true permanent: true
immediate: true immediate: true
- name: If firewalld enabled, open inter-node ports
ansible.posix.firewalld:
port: "{{ item }}"
zone: internal
state: enabled
permanent: true
immediate: true
with_items:
- 5001/tcp # Spegel (Embedded distributed registry)
- 8472/udp # Flannel VXLAN
- 10250/tcp # Kubelet metrics
- 51820/udp # Flannel Wireguard (IPv4)
- 51821/udp # Flannel Wireguard (IPv6)
- name: If firewalld enabled, allow node CIDRs
ansible.posix.firewalld:
source: "{{ item }}"
zone: internal
state: enabled
permanent: true
immediate: true
loop: >-
{{
(
groups['server'] | default([])
+ groups['agent'] | default([])
)
| map('extract', hostvars, ['ansible_default_ipv4', 'address'])
| flatten | unique | list
}}
- name: If firewalld enabled, allow default CIDRs - name: If firewalld enabled, allow default CIDRs
ansible.posix.firewalld: ansible.posix.firewalld:
source: "{{ item }}" source: "{{ item }}"