Differences

This shows you the differences between two versions of the page.

Link to this comparison view

--- projects:k8s:k8s_setup_with_k0s_k0sctl [2026/05/27 06:23] – garfield
+++ projects:k8s:k8s_setup_with_k0s_k0sctl [2026/06/09 07:02] (current) – external edit 127.0.0.1
@@ Line 11: / Line 11: @@
   - Required prep - Ensure unique system ID. K0s cluster deployment will fail if aren't.<code>
 sudo systemd-machine-id-setup
+</code>
+  - Disable SELinux because k0sctl doesn't seem to like it<code>
+sudo setenforce 0
 </code>
   - System prep ( RPM-based distros )
@@ Line 85: / Line 88: @@
 firewall-cmd --permanent --add-port=179/tcp
 firewall-cmd --permanent --add-port=4789/udp
+# Tell Fedora to trust all traffic on the container network bridges
+firewall-cmd --permanent --zone=trusted --add-interface=cni0
+firewall-cmd --permanent --zone=trusted --add-interface=kube-router
+# Allow pods to masquerade/NAT out to the local network
+firewall-cmd --permanent --zone=trusted --add-masquerade
+firewall-cmd --permanent --zone=trusted --add-source=10.244.0.0/16
+firewall-cmd --permanent --zone=trusted --add-source=10.96.0.0/12
 # Reload firewall to apply changes
 firewall-cmd --reload
 </code>
-  - Open the firewall ports on the worker node(s)<code>
+  - Disable the firewall completely **on the worker nodes** since k8s doesn't like it - Ref: [[https://docs.k0sproject.io/head/networking/#firewalld-k0s|k0s networking - firewalld-k0s]]<code>
-# Open Kubelet API port and networking tunnels
+sudo systemctl stop firewalld && sudo disable firewalld
-firewall-cmd --permanent --add-port=10250/tcp
-firewall-cmd --permanent --add-port=179/tcp
-firewall-cmd --permanent --add-port=4789/udp
-# Reload firewall to apply changes
-firewall-cmd --reload
 </code>
   - Create the cluster<code>