CentOS firewalld and selinux? #130
Hey, Awesome work. I have been looking at the tasks, however it doesn't seem that there is anything handling firewalld or installing the k3s-selinux packages? I know that there are multiple long-lasting open issues in the k3s repo about firewalld, however k3s-io/k3s#1556 (comment) suggests a fairly simple "fix". It seems that installing docker is specially handled for the various OS distributions, so making sure that the k3s-selinux package is installed for the EL variants seems like it should also be done in this role? Is it assumed that the user should fix the firewall stuff outside of this role?
Replies: 1 comment 1 reply
Hi.

Cheers 🍻

I'll look into the k3s-selinux policy package. I am going to be removing the tasks to install Docker in time and these will need to be done using another Ansible role, for example geerlingguy.docker, to separate the concerns of the role. k3s-selinux will eventually be handled by this role.

Firewalld configuration is a tough one to make a call on, because that "fix" is going to make assumptions about networking policy - for the casual hobbyist Rancher's suggestion to disable firewalld is easier to swallow, enterprise users would likely have a more stringent policy where traffic is restricted to specific subnets. It would need to be a carefully considered approach that ultimately has the user of the role in control, and since k3s doesn't have a recommendation beyond "disable it", this is why I haven't wanted to handle it to date.