authorclyhtsuriva <aimeric@adjutor.xyz>2026-06-02 19:14:31 +0200
committerclyhtsuriva <aimeric@adjutor.xyz>2026-06-02 19:14:31 +0200
commitca27023d22ceb341fee98a339681bf6d5e0c30a0 (patch)
tree852c62b97b18000359a03ca48ef8fdc199fa79c5
parent59235ed806800c8c9b05787218b045169b32ac67 (diff)
downloadhomelab-iac-ca27023d22ceb341fee98a339681bf6d5e0c30a0.tar.gz
homelab-iac-ca27023d22ceb341fee98a339681bf6d5e0c30a0.tar.bz2
homelab-iac-ca27023d22ceb341fee98a339681bf6d5e0c30a0.zip
ansible: change k8s ufw proto + add 2 rules
- use `any` instead of `tcp` as the protocol for the single-port k8s ufw rules - add two rules, following https://docs.k3s.io/installation/requirements?os=debian
-rw-r--r--ansible/roles/k8s/tasks/ufw.yml28
1 files changed, 23 insertions, 5 deletions
diff --git a/ansible/roles/k8s/tasks/ufw.yml b/ansible/roles/k8s/tasks/ufw.yml
index 2d8dec5..118f332 100644
--- a/ansible/roles/k8s/tasks/ufw.yml
+++ b/ansible/roles/k8s/tasks/ufw.yml
@@ -9,7 +9,7 @@
community.general.ufw:
rule: allow
port: 6443
- proto: tcp
+ proto: any
comment: "Kubernetes API server"
notify: Restart UFW
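Review bot: Switching `proto: tcp` to `proto: any` on 6443 also admits UDP on the API server port, and the same applies to the kubelet (10250), kube-scheduler (10259), kube-controller-manager (10257) and kube-proxy (10256) hunks below; all five are TCP-only listeners, so the widening adds exposure without a consumer. The UDP ports the linked k3s requirements page lists for the CNI/VPN paths are, as far as I recall, different port numbers, so if one of those was the motivation it is better served by a dedicated rule (`port: <udp-port>`, `proto: udp`) than by loosening these. Unless a UDP client for these ports is known, I would keep `proto: tcp` on each of the five rules and add a short comment above them stating why the protocol is pinned, e.g. `# control-plane and node ports are TCP-only; keep proto pinned`.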
@@ -25,7 +25,7 @@
community.general.ufw:
rule: allow
port: 10250
- proto: tcp
+ proto: any
comment: "Kubelet API"
notify: Restart UFW
@@ -33,7 +33,7 @@
community.general.ufw:
rule: allow
port: 10259
- proto: tcp
+ proto: any
comment: "kube-scheduler"
notify: Restart UFW
@@ -41,7 +41,7 @@
community.general.ufw:
rule: allow
port: 10257
- proto: tcp
+ proto: any
comment: "kube-controller-manager"
notify: Restart UFW
@@ -49,7 +49,7 @@
community.general.ufw:
rule: allow
port: 10256
- proto: tcp
+ proto: any
comment: "kube-proxy"
notify: Restart UFW
@@ -61,6 +61,24 @@
comment: "NodePort services"
notify: Restart UFW
+- name: Allow from 10.42.0.0/16 to any
+ community.general.ufw:
+ rule: allow
+ from_ip: 10.42.0.0/16
+ to_ip: any
+ proto: any
+ comment: "pods"
+ notify: Restart UFW
+
+- name: Allow from 10.43.0.0/16 to any
+ community.general.ufw:
+ rule: allow
+ from_ip: 10.43.0.0/16
+ to_ip: any
+ proto: any
+ comment: "services"
+ notify: Restart UFW
+
- name: Enable UFW
community.general.ufw:
state: enabled
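Review bot: The two new rules accept traffic from `10.42.0.0/16` and `10.43.0.0/16` to every port and protocol, keyed on source address alone; since nothing binds them to an interface or direction, any host on the physical network that sends packets with a source in those ranges is matched too, which is a broader grant than the per-port rules above it. If the flannel bridge is in use, anchoring each rule with `direction: in` and `interface: <cni-bridge-interface>` (both are `community.general.ufw` parameters) limits the match to traffic that actually arrived from the overlay; confirm the interface name on the nodes before adding it. The CIDRs are also hard-coded while they are the cluster/service CIDRs that k3s lets you override, so if the role already has variables for `cluster-cidr`/`service-cidr` the rules should reference those instead of literals, and `to_ip: any` is the module default and can be dropped for brevity. A one-line comment above each task naming the source (`# k3s default cluster CIDR; see linked requirements page`) would make the literals reviewable later.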