From 8b2a5834ee4b4e76c80558eae1cafc08f9912579 Mon Sep 17 00:00:00 2001 From: Ionut Date: Fri, 6 Mar 2026 17:07:24 +0200 Subject: [PATCH 1/5] Do not enable nftables by default Signed-off-by: Ionut --- roles/prereq/handlers/main.yml | 5 +++++ roles/prereq/tasks/main.yml | 35 ++++++++++++++++++++++++------- roles/prereq/templates/k3s.nft.j2 | 31 +++++++++++++++++++++++++++ 3 files changed, 64 insertions(+), 7 deletions(-) create mode 100644 roles/prereq/handlers/main.yml create mode 100644 roles/prereq/templates/k3s.nft.j2 diff --git a/roles/prereq/handlers/main.yml b/roles/prereq/handlers/main.yml new file mode 100644 index 00000000..69e8f722 --- /dev/null +++ b/roles/prereq/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Reload nftables + ansible.builtin.systemd: + name: nftables + state: reloaded diff --git a/roles/prereq/tasks/main.yml b/roles/prereq/tasks/main.yml index cf167172..f5828411 100644 --- a/roles/prereq/tasks/main.yml +++ b/roles/prereq/tasks/main.yml @@ -32,7 +32,7 @@ reload: true when: ansible_facts['all_ipv6_addresses'] | length > 0 -- name: Handle modern nftables/iptables-nft stack (Arch Linux ARM 6.18+) +- name: Handle modern nftables/iptables-nft stack (Arch Linux 6.18+) when: - ansible_facts['distribution'] == 'Archlinux' - ansible_facts['kernel'] is version('6.18', '>=') @@ -48,7 +48,6 @@ force: true when: - "'iptables' in ansible_facts.packages" - - "'iptables-nft' not in ansible_facts.packages" - name: Install iptables-nft and nftables community.general.pacman: 
@@ -57,11 +56,33 @@ - nftables state: present - - name: Ensure nftables is enabled and started - ansible.builtin.systemd: - name: nftables - state: started - enabled: true + - name: Check nftables service + ansible.builtin.service_facts: + + - name: Configure nftables include and K3s rules fragment + when: + - ansible_facts.services['nftables.service'] is defined + - ansible_facts.services['nftables.service'].status == 'enabled' + block: + - name: Ensure nftables include directory exists + ansible.builtin.file: + path: /etc/nftables.d + state: directory + mode: "0755" + + - name: Ensure nftables loads /etc/nftables.d rules + ansible.builtin.lineinfile: + path: /etc/nftables.conf + regexp: '^include "/etc/nftables\\.d/\\*\\.nft"$' + line: 'include "/etc/nftables.d/*.nft"' + insertafter: EOF + + - name: Install K3s nftables rules fragment + ansible.builtin.template: + src: k3s.nft.j2 + dest: /etc/nftables.d/k3s.nft + mode: "0644" + notify: Reload nftables - name: Populate service facts ansible.builtin.service_facts: diff --git a/roles/prereq/templates/k3s.nft.j2 b/roles/prereq/templates/k3s.nft.j2 new file mode 100644 index 00000000..45794bb2 --- /dev/null +++ b/roles/prereq/templates/k3s.nft.j2 
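Review bot: The `regexp` on the `Ensure nftables loads /etc/nftables.d rules` task can never match its own `line`: inside a YAML single-quoted scalar `\\` stays two literal backslashes, so the compiled pattern demands a literal backslash before `.d`, `*` and `.nft`, which the real `include "/etc/nftables.d/*.nft"` line does not contain. Depending on lineinfile's exact-line fallback that either appends a duplicate include on every run or leaves the regexp dead; single backslashes are what is wanted here: `regexp: '^include "/etc/nftables\.d/\*\.nft"$'`. The block's guard `ansible_facts.services['nftables.service'].status == 'enabled'` checks the unit-file state, not whether the unit is running, so an enabled-but-stopped unit still receives the fragment and the notified reload while a running-but-disabled one is skipped; if "currently active" is the intent, compare `.state == 'running'` as well. `Check nftables service` also duplicates the `Populate service facts` call visible right after the block; one `service_facts` call before the block would serve both.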
@@ -0,0 +1,31 @@ +# K3s rules managed by ansible-k3s; loaded via /etc/nftables.conf include + +# Allow inter-node communication (server + agent nodes) +{% for host in (groups[server_group] | default([]) + groups[agent_group] | default([])) | unique %} +{% if hostvars[host].ansible_default_ipv4 is defined %} +insert rule inet filter input ip saddr {{ hostvars[host].ansible_default_ipv4.address }} accept +{% endif %} +{% endfor %} + +# K3s core ports +insert rule inet filter input tcp dport {{ api_port | default(6443) }} accept +{% if groups[server_group] | length > 1 %} +insert rule inet filter input tcp dport 2379-2381 accept +{% endif %} + +# Inter-node overlay ports +insert rule inet filter input tcp dport { 5001, 10250 } accept +insert rule inet filter input udp dport { 8472, 51820, 51821 } accept + +# Cluster and service CIDRs +{% for cidr in (cluster_cidr + ',' + service_cidr) | split(',') %} +insert rule inet filter input ip saddr {{ cidr }} accept +{% endfor %} + +# NodePort range +insert rule inet filter input tcp dport 30000-32767 accept +insert rule inet filter input udp dport 30000-32767 accept + +# Keep forward traffic open for CNI/pod networking +insert rule inet filter forward ct state established,related accept +insert rule inet filter forward accept \ No newline at end of file From 3eddf9e2371a299f20d6e835a06ae62c7408d784 Mon Sep 17 00:00:00 2001 From: Ionut Ciocoiu Date: Mon, 9 Mar 2026 14:56:47 +0200 Subject: [PATCH 2/5] Update roles/prereq/tasks/main.yml Co-authored-by: Derek Nola Signed-off-by: Ionut Ciocoiu --- roles/prereq/tasks/main.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/roles/prereq/tasks/main.yml b/roles/prereq/tasks/main.yml index f5828411..bbe87185 100644 --- a/roles/prereq/tasks/main.yml +++ b/roles/prereq/tasks/main.yml 
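Review bot: Every rule in the fragment uses `insert`, which prepends, so the final `insert rule inet filter forward accept` becomes the first rule in `forward` and accepts all forwarded traffic on every interface, making the `ct state established,related` rule above it unreachable and overriding any drop policy on the host's forward chain for non-pod traffic too. If only pod/CNI traffic is meant to flow, restrict it, e.g. `insert rule inet filter forward ip saddr {{ cidr }} accept` and `insert rule inet filter forward ip daddr {{ cidr }} accept` inside the existing CIDR loop instead of the blanket accept; the same prepend semantics also place the input accepts ahead of any `ct state invalid drop` the base config may carry. The `ip saddr` matches assume IPv4: should `cluster_cidr`/`service_cidr` carry an IPv6 prefix (tasks/main.yml already branches on `all_ipv6_addresses`), `nft` rejects `ip saddr` with that prefix and the whole reload fails — branch on `':' in cidr` to emit `ip6 saddr` for those entries. The fragment also presumes `/etc/nftables.conf` defines `table inet filter` with `input` and `forward` chains; a header comment stating that would help, since `insert rule` errors out otherwise, and the file lacks a trailing newline.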
@@ -82,7 +82,11 @@ src: k3s.nft.j2 dest: /etc/nftables.d/k3s.nft mode: "0644" - notify: Reload nftables + + - name: Reload nftables + ansible.builtin.service: + name: nftables + state: reloaded - name: Populate service facts ansible.builtin.service_facts: From d9e27ed3c8c229b405e224530b494afca2f69bf5 Mon Sep 17 00:00:00 2001 From: Ionut Date: Mon, 9 Mar 2026 15:11:49 +0200 Subject: [PATCH 3/5] Reload nftables and enable it temporary for testing Signed-off-by: Ionut --- roles/prereq/handlers/main.yml | 5 ----- roles/prereq/tasks/main.yml | 16 +++++++++++----- 2 files changed, 11 insertions(+), 10 deletions(-) delete mode 100644 roles/prereq/handlers/main.yml diff --git a/roles/prereq/handlers/main.yml b/roles/prereq/handlers/main.yml deleted file mode 100644 index 69e8f722..00000000 --- a/roles/prereq/handlers/main.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- name: Reload nftables - ansible.builtin.systemd: - name: nftables - state: reloaded diff --git a/roles/prereq/tasks/main.yml b/roles/prereq/tasks/main.yml index bbe87185..cc1b291c 100644 --- a/roles/prereq/tasks/main.yml +++ b/roles/prereq/tasks/main.yml @@ -56,6 +56,12 @@ - nftables state: present + - name: TEMPORARY FOR TESTING - Ensure nftables is enabled and started + ansible.builtin.service: + name: nftables + state: started + enabled: true + - name: Check nftables service ansible.builtin.service_facts: @@ -82,11 +88,11 @@ src: k3s.nft.j2 dest: /etc/nftables.d/k3s.nft mode: "0644" - - - name: Reload nftables - ansible.builtin.service: - name: nftables - state: reloaded + + - name: Reload nftables + ansible.builtin.service: + name: nftables + state: reloaded - name: Populate service facts ansible.builtin.service_facts: From ff884892f3386a1be015ebbb3dd6b9f4d9ff45ef Mon Sep 17 00:00:00 2001 From: Ionut Date: Mon, 9 Mar 2026 15:53:22 +0200 Subject: [PATCH 4/5] Remove temporary task Signed-off-by: Ionut --- roles/prereq/tasks/main.yml | 6 ------ 1 file changed, 6 deletions(-) 
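Review bot: Replacing `notify: Reload nftables` with an inline `Reload nftables` task makes the reload unconditional: it runs on every play even when neither the include line nor `k3s.nft` changed, so the task always reports changed and the live ruleset is reloaded each run. Registering the preceding template task, `register: k3s_nft_fragment`, and gating the reload with `when: k3s_nft_fragment is changed` (or the lineinfile result) restores idempotence without the handler. The enclosing `block:` and its `when:` begin above this hunk, so whether the new task sits under the same `nftables.service` guard cannot be confirmed here; the collapsed indentation in this view makes that worth a second look, because `state: reloaded` outside the guard would run on hosts where nftables was never configured. Even inside the guard, `status == 'enabled'` does not imply the unit is active, and reloading an enabled-but-stopped unit either fails or starts it depending on the module backend, which would cut against the series' stated goal of not enabling nftables by default.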
diff --git a/roles/prereq/tasks/main.yml b/roles/prereq/tasks/main.yml index cc1b291c..78ed0efe 100644 --- a/roles/prereq/tasks/main.yml +++ b/roles/prereq/tasks/main.yml @@ -55,12 +55,6 @@ - iptables-nft - nftables state: present - - - name: TEMPORARY FOR TESTING - Ensure nftables is enabled and started - ansible.builtin.service: - name: nftables - state: started - enabled: true - name: Check nftables service ansible.builtin.service_facts: From 639368ec6f62a31a3b2ab9aba936a6b0ff0af585 Mon Sep 17 00:00:00 2001 From: Ionut Date: Wed, 11 Mar 2026 00:20:07 +0200 Subject: [PATCH 5/5] Fix lint errors Signed-off-by: Ionut --- roles/prereq/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/prereq/tasks/main.yml b/roles/prereq/tasks/main.yml index 78ed0efe..57c9e8e9 100644 --- a/roles/prereq/tasks/main.yml +++ b/roles/prereq/tasks/main.yml @@ -55,7 +55,7 @@ - iptables-nft - nftables state: present - + - name: Check nftables service ansible.builtin.service_facts: