ansible-role-k8s/files/firewalld-exmaple-k3s.yml
2024-04-27 01:33:23 +00:00

69 lines
1.7 KiB
YAML

---
firewalld_add:
- name: internal
masquerade: false
forward: true
interfaces:
- eth0
services:
- dhcpv6-client
- ssh
- http
- https
ports:
- 9100/tcp # node exporter
- 6443/tcp # kubernetes API
- 9345/tcp # supervisor API
- 10250/tcp # kubelet metrics
- 2379/tcp # etcd client
- 2380/tcp # etcd peer
- 30000-32767/tcp # NodePort range
# Spegel
- 5001/tcp # embedded distributed registry
# Flannel CNI
- 8472/udp # flannel vxlan
- 51820/udp # wireguard ipv4
- 51821/udp # wireguard ipv6
# Canal CNI
# - 8472/udp # canal vxlan
# - 9099/tcp # canal health checks
# - 51820/udp # canal WireGuard IPv4
# - 51821/udp # canal WireGuard IPv6/dual-stack
# Cilium CNI
#- 8472/udp # cilium vxlan
#- 4240/tcp # cilium health checks
#- 8/0/icmp # cilium health checks
#- 51871/udp # cilium wireguard
#- 4244/tcp # hubble relay
#- 4245/tcp # hubble relay
#- 9962/tcp # cilium agent prometheus
#- 9963/tcp # cilium operator prometheus
#- 9964/tcp # cilium proxy prometheus
#- 2379-2380/tcp # etcd access
# Calico CNI
# - 179/tcp # calico bgp
# - 4789/udp # calico vxlan
# - 5473/tcp # calico typha
# - 9098/tcp # calico typha health checks
# - 9099/tcp # calico health checks
# - 51820/udp # calico WireGuard IPv4
# - 51821/udp # calico WireGuard IPv6/dual-stack
- name: trusted
sources:
- 10.42.0.0/16
- 10.43.0.0/16
- 10.0.0.0/16
firewalld_remove:
- name: public
services:
- dhcpv6-client
- ssh