diff --git a/nix/kubernetes/keys/scope.nix b/nix/kubernetes/keys/scope.nix
index 5c7382e0..350947f5 100644
--- a/nix/kubernetes/keys/scope.nix
+++ b/nix/kubernetes/keys/scope.nix
@@ -246,6 +246,15 @@ makeScope newScope (
 "ipv4NativeRoutingCIDR" = "10.200.0.0/16";
 "ipv6NativeRoutingCIDR" = "2620:11f:7001:7:ffff::/80";
+ "hubble" = {
+ "relay" = {
+ "enabled" = true;
+ };
+ "ui" = {
+ "enabled" = true;
+ };
+ };
+
 # TODO: Read and maybe apply https://docs.cilium.io/en/stable/operations/performance/tuning/
 # --set hostFirewall.enabled=true
diff --git a/nix/kubernetes/roles/firewall/files/my-fw.nft b/nix/kubernetes/roles/firewall/files/my-fw.nft
index c434f6f8..61609cda 100644
--- a/nix/kubernetes/roles/firewall/files/my-fw.nft
+++ b/nix/kubernetes/roles/firewall/files/my-fw.nft
@@ -71,6 +71,15 @@ set node-to-node-ports {
 }
 }
+set pod-to-node-ports {
+ # Ports open for nodes sending packets to nodes
+ type inet_proto . inet_service
+ flags constant, interval
+ elements = {
+ tcp . 4244 # hubble ui
+ }
+ }
+
 chain rpfilter {
 type filter hook prerouting priority mangle + 10; policy drop;
 meta nfproto ipv4 udp sport . udp dport { 68 . 67, 67 . 68 } accept comment "DHCPv4 client/server"
@@ -114,6 +123,10 @@ chain input-allow {
 # Allow node to node
 ip saddr @node-cidr-ipv4 ip daddr @node-cidr-ipv4 meta l4proto . th dport @node-to-node-ports accept
 ip6 saddr @node-cidr-ipv6 ip6 daddr @node-cidr-ipv6 meta l4proto . th dport @node-to-node-ports accept
+
+ # Allow pod to node
+ ip saddr @pod-cidr-ipv4 ip daddr @node-cidr-ipv4 meta l4proto . th dport @pod-to-node-ports accept
+ ip6 saddr @pod-cidr-ipv6 ip6 daddr @node-cidr-ipv6 meta l4proto . th dport @pod-to-node-ports accept
 }
 chain forward {
diff --git a/nix/kubernetes/roles/kubelet/files/resolv.conf b/nix/kubernetes/roles/kubelet/files/resolv.conf
new file mode 100644
index 00000000..a91e07e1
--- /dev/null
+++ b/nix/kubernetes/roles/kubelet/files/resolv.conf
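Review bot: Enabling `hubble.ui` here turns on a dashboard that shows flow metadata for every namespace, and as far as this hunk shows nothing authenticates access to it (Hubble UI performs no auth of its own), so how its Service is reachable matters more than the `enabled = true` flag. The hunk sets no `ui.ingress` or service type, so presumably it stays a ClusterIP reached by port-forward; a comment pinning that intent next to `"ui" = {` would help, e.g. `# Hubble UI has no authentication: keep it ClusterIP/port-forward only, never expose via ingress`. It is also worth noting in the same place that the relay-to-agent hop relies on Hubble's built-in TLS (`hubble.tls.enabled`, on by default in the chart — confirm it is not overridden elsewhere), since the firewall change in this commit opens that port to the whole pod CIDR. The enclosing `makeScope newScope (` attribute set starts and ends outside the hunk.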
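Review bot: The set comment `# Ports open for nodes sending packets to nodes` inside the new `set pod-to-node-ports` looks copied from `node-to-node-ports`; it should read `# Ports open for pods sending packets to nodes`. The element annotation `# hubble ui` also appears inaccurate: in a default Cilium deployment tcp/4244 is the Hubble server (observer gRPC) on each node's agent, which the `hubble-relay` pods dial, whereas the UI talks to relay on relay's own ClusterIP — please confirm against the chart values and, if so, change the line to `tcp . 4244 # hubble server (hubble-relay -> cilium-agent)`. Because the matching input rule admits the entire pod CIDR, any pod can reach this endpoint, so a note that Hubble mTLS (`hubble.tls.enabled`) is the control protecting it would make that dependency explicit.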
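Review bot: The new rules reference `@pod-cidr-ipv4` and `@pod-cidr-ipv6`, which neither this diff nor the visible context defines; `nft -f` rejects the whole ruleset when a referenced set is missing, so the commit assumes those sets already exist earlier in the file — a comment such as `# @pod-cidr-* sets are defined above` or a CI step that loads the file would guard against that assumption silently breaking. Separately, the rule admits every source in the pod CIDR to `@pod-to-node-ports` on every node, not just hubble-relay; nftables cannot match pod identity, so consider pairing this with a Cilium host/network policy that limits 4244 to the relay pod, or at least document here that Hubble mTLS is the intended control. The `input-allow` chain begins above the hunk and closes at the `}` shown in it.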
@@ -0,0 +1,4 @@
+search svc.cluster.local cluster.local
+nameserver 10.197.0.10
+nameserver fd00:3e42:e349::10
+options ndots:5
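Review bot: Both `nameserver` entries look like cluster-DNS service addresses (`10.197.0.10`, `fd00:3e42:e349::10`) with no upstream resolver listed, and the file lives under `roles/kubelet/files`; if it is handed to kubelet as its `resolvConf`, pods with `dnsPolicy: Default` — normally CoreDNS itself — inherit it and forward queries back to the cluster DNS, which CoreDNS's `loop` plugin detects and then exits on. Please confirm the intended consumer: kubelet's `resolvConf` should name the node's real upstream resolvers, and `search svc.cluster.local cluster.local` plus `options ndots:5` are what kubelet already synthesizes for `ClusterFirst` pods (with the pod's own `<namespace>.svc.cluster.local` prepended), so duplicating them here is redundant at best and loop-inducing at worst. A header comment stating where this file is installed and which process reads it, e.g. `# Installed as kubelet resolvConf; must list upstream resolvers, not the cluster DNS`, would resolve the ambiguity for the next reader.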