Enable hubble.

2026-01-04 12:13:58 -05:00
parent 02dbdb79bc
commit 8020f804db
3 changed files with 26 additions and 0 deletions
--- a/nix/kubernetes/roles/firewall/files/my-fw.nft
+++ b/nix/kubernetes/roles/firewall/files/my-fw.nft
@@ -71,6 +71,15 @@ set node-to-node-ports {
    }
 }

+set pod-to-node-ports {
+    # Ports open for nodes sending packets to nodes
+    type inet_proto . inet_service
+    flags constant, interval
+    elements = {
+        tcp . 4244  # hubble ui
+    }
+}
+
 chain rpfilter {
    type filter hook prerouting priority mangle + 10; policy drop;
    meta nfproto ipv4 udp sport . udp dport { 68 . 67, 67 . 68 } accept comment "DHCPv4 client/server"
@@ -114,6 +123,10 @@ chain input-allow {
    # Allow node to node
    ip saddr @node-cidr-ipv4 ip daddr @node-cidr-ipv4 meta l4proto . th dport @node-to-node-ports accept
    ip6 saddr @node-cidr-ipv6 ip6 daddr @node-cidr-ipv6 meta l4proto . th dport @node-to-node-ports accept
+
+    # Allow pod to node
+    ip saddr @pod-cidr-ipv4 ip daddr @node-cidr-ipv4 meta l4proto . th dport @pod-to-node-ports accept
+    ip6 saddr @pod-cidr-ipv6 ip6 daddr @node-cidr-ipv6 meta l4proto . th dport @pod-to-node-ports accept
 }

 chain forward {