Enable hubble.

nix/kubernetes/roles/firewall/files/my-fw.nft

@@ -71,6 +71,15 @@ set node-to-node-ports {
     }
 }
 
+set pod-to-node-ports {
+    # Ports open for nodes sending packets to nodes
+    type inet_proto . inet_service
+    flags constant, interval
+    elements = {
+        tcp . 4244  # hubble ui
+    }
+}
+
 chain rpfilter {
     type filter hook prerouting priority mangle + 10; policy drop;
     meta nfproto ipv4 udp sport . udp dport { 68 . 67, 67 . 68 } accept comment "DHCPv4 client/server"
@@ -114,6 +123,10 @@ chain input-allow {
     # Allow node to node
     ip saddr @node-cidr-ipv4 ip daddr @node-cidr-ipv4 meta l4proto . th dport @node-to-node-ports accept
     ip6 saddr @node-cidr-ipv6 ip6 daddr @node-cidr-ipv6 meta l4proto . th dport @node-to-node-ports accept
+
+    # Allow pod to node
+    ip saddr @pod-cidr-ipv4 ip daddr @node-cidr-ipv4 meta l4proto . th dport @pod-to-node-ports accept
+    ip6 saddr @pod-cidr-ipv6 ip6 daddr @node-cidr-ipv6 meta l4proto . th dport @pod-to-node-ports accept
 }
 
 chain forward {

nix/kubernetes/roles/kubelet/files/resolv.conf

@@ -0,0 +1,4 @@
+search svc.cluster.local cluster.local
+nameserver 10.197.0.10
+nameserver fd00:3e42:e349::10
+options ndots:5