mirrors/k3s-ansible
1
0
Fork 1
mirror of https://github.com/k3s-io/k3s-ansible.git synced 2026-06-24 12:07:21 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add nftables configuration for K3s on Arch Linux (#511)

Browse Source 
* Do not enable nftables by default
* If nftables is enables, configure exceptions for k3s service

Signed-off-by: Ionut Ciocoiu <ionutnciocoiu@gmail.com>
Co-authored-by: Derek Nola <derek.nola@suse.com>
This commit is contained in:
Ionut Ciocoiu
2026-03-11 19:09:14 +02:00
committed by GitHub
parent e9e0978a47
commit 1f1228f3e8
2 changed files with 63 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
roles/prereq/tasks/main.yml
+31 -6
View File
@@ -32,7 +32,7 @@
reload: true reload: true
when: ansible_facts['all_ipv6_addresses'] | length > 0 when: ansible_facts['all_ipv6_addresses'] | length > 0
- name: Handle modern nftables/iptables-nft stack (Arch Linux ARM 6.18+) - name: Handle modern nftables/iptables-nft stack (Arch Linux 6.18+)
when: when:
- ansible_facts['distribution'] == 'Archlinux' - ansible_facts['distribution'] == 'Archlinux'
- ansible_facts['kernel'] is version('6.18', '>=') - ansible_facts['kernel'] is version('6.18', '>=')
@@ -48,7 +48,6 @@
force: true force: true
when: when:
- "'iptables' in ansible_facts.packages" - "'iptables' in ansible_facts.packages"
- "'iptables-nft' not in ansible_facts.packages"
- name: Install iptables-nft and nftables - name: Install iptables-nft and nftables
community.general.pacman: community.general.pacman:
@@ -57,11 +56,37 @@
- nftables - nftables
state: present state: present
- name: Ensure nftables is enabled and started - name: Check nftables service
ansible.builtin.systemd: ansible.builtin.service_facts:
- name: Configure nftables include and K3s rules fragment
when:
- ansible_facts.services['nftables.service'] is defined
- ansible_facts.services['nftables.service'].status == 'enabled'
block:
- name: Ensure nftables include directory exists
ansible.builtin.file:
path: /etc/nftables.d
state: directory
mode: "0755"
- name: Ensure nftables loads /etc/nftables.d rules
ansible.builtin.lineinfile:
path: /etc/nftables.conf
regexp: '^include "/etc/nftables\\.d/\\*\\.nft"$'
line: 'include "/etc/nftables.d/*.nft"'
insertafter: EOF
- name: Install K3s nftables rules fragment
ansible.builtin.template:
src: k3s.nft.j2
dest: /etc/nftables.d/k3s.nft
mode: "0644"
- name: Reload nftables
ansible.builtin.service:
name: nftables name: nftables
state: started state: reloaded
enabled: true
- name: Populate service facts - name: Populate service facts
ansible.builtin.service_facts: ansible.builtin.service_facts:
roles/prereq/templates/k3s.nft.j2
+31
View File
@@ -0,0 +1,31 @@
# K3s rules managed by ansible-k3s; loaded via /etc/nftables.conf include
# Allow inter-node communication (server + agent nodes)
{% for host in (groups[server_group] | default([]) + groups[agent_group] | default([])) | unique %}
{% if hostvars[host].ansible_default_ipv4 is defined %}
insert rule inet filter input ip saddr {{ hostvars[host].ansible_default_ipv4.address }} accept
{% endif %}
{% endfor %}
# K3s core ports
insert rule inet filter input tcp dport {{ api_port | default(6443) }} accept
{% if groups[server_group] | length > 1 %}
insert rule inet filter input tcp dport 2379-2381 accept
{% endif %}
# Inter-node overlay ports
insert rule inet filter input tcp dport { 5001, 10250 } accept
insert rule inet filter input udp dport { 8472, 51820, 51821 } accept
# Cluster and service CIDRs
{% for cidr in (cluster_cidr + ',' + service_cidr) | split(',') %}
insert rule inet filter input ip saddr {{ cidr }} accept
{% endfor %}
# NodePort range
insert rule inet filter input tcp dport 30000-32767 accept
insert rule inet filter input udp dport 30000-32767 accept
# Keep forward traffic open for CNI/pod networking
insert rule inet filter forward ct state established,related accept
insert rule inet filter forward accept