From e9a283b48ccd15c0386779dff0ba76ea756ad895 Mon Sep 17 00:00:00 2001
From: Derek Nola
Date: Thu, 9 Nov 2023 19:21:46 -0800
Subject: [PATCH] Minimal Firewall Exceptions (#242)
* Add rules to UFW firewall for basic K3s funtionality
Signed-off-by: Derek Nola
* Add firewalld exceptions
Signed-off-by: Derek Nola
---------
Signed-off-by: Derek Nola
---
 roles/prereq/tasks/main.yml | 74 +++++++++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)
diff --git a/roles/prereq/tasks/main.yml b/roles/prereq/tasks/main.yml
index 374ffae..93a5f9e 100644
--- a/roles/prereq/tasks/main.yml
+++ b/roles/prereq/tasks/main.yml
@@ -20,6 +20,80 @@
 reload: true
 when: ansible_all_ipv6_addresses
+- name: Populate service facts
+ ansible.builtin.service_facts:
+
+- name: Allow UFW Exceptions
+ when:
+ - ansible_facts.services['ufw'] is defined
+ - ansible_facts.services['ufw'].state == 'running'
+ block:
+ - name: Get ufw status
+ ansible.builtin.command:
+ cmd: ufw status
+ changed_when: false
+ register: ufw_status
+
+ - name: If ufw enabled, open api port
+ when:
+ - ufw_status['stdout'] == "Status':' active"
+ community.general.ufw:
+ rule: allow
+ port: "{{ api_port }}"
+ proto: tcp
+
+ - name: If ufw enabled, open etcd ports
+ when:
+ - ufw_status['stdout'] == "Status':' active"
+ - groups['server'] | length > 1
+ community.general.ufw:
+ rule: allow
+ port: "2379:2381"
+ proto: tcp
+
+ - name: If ufw enabled, allow default CIDRs
+ when:
+ - ufw_status['stdout'] == "Status':' active"
+ community.general.ufw:
+ rule: allow
+ src: '{{ item }}'
+ loop:
+ - 10.42.0.0/16 # Pods
+ - 10.43.0.0/16 # Services
+
+- name: Allow Firewalld Exceptions
+ when:
+ - ansible_facts.services['firewalld.service'] is defined
+ - ansible_facts.services['firewalld.service'].state == 'running'
+ block:
+ - name: If firewalld enabled, open api port
+ ansible.posix.firewalld:
+ port: "{{ api_port }}/tcp"
+ zone: trusted
+ state: enabled
+ permanent: true
+ immediate: true
+
+ - name: If firewalld enabled, open etcd ports
+ when: groups['server'] | length > 1
+ ansible.posix.firewalld:
+ port: "2379-2381/tcp"
+ zone: trusted
+ state: enabled
+ permanent: true
+ immediate: true
+
+ - name: If firewalld enabled, allow default CIDRs
+ ansible.posix.firewalld:
+ source: "{{ item }}"
+ zone: trusted
+ state: enabled
+ permanent: true
+ immediate: true
+ loop:
+ - 10.42.0.0/16 # Pods
+ - 10.43.0.0/16 # Services
+
 - name: Add br_netfilter to /etc/modules-load.d/
 ansible.builtin.copy:
 content: "br_netfilter"
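Review bot: The condition `ufw_status['stdout'] == "Status':' active"` used by all three UFW tasks can never be true — the YAML double-quoted literal is the text `Status':' active`, which `ufw status` does not print, and an equality test against the whole stdout would fail anyway once any rule is listed below the status line — so the UFW exceptions are silently skipped while the play still reports success. A containment check such as `- "'Status: active' in ufw_status.stdout"` (or a match on `ufw_status.stdout_lines[0]`) fixes all three tasks at once. Separately, `10.42.0.0/16` and `10.43.0.0/16` are hard-coded and admitted wholesale (ufw `src` with no port restriction, firewalld `source` in the `trusted` zone, which accepts all traffic from that range); consider sourcing them from role variables so they track a non-default cluster/service CIDR, and add a comment stating that these rules trust the entire range rather than specific ports. The `Add br_netfilter` task at the end of the hunk continues outside it.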