Merge pull request #271628 from scvalex/kubernetes-flannel-dont-open-ports

kubernetes: don't always open flannel fw ports
author: Pol Dellaiera <pol.dellaiera@protonmail.com> 2023-12-05 12:29:21 +0100
committer: GitHub <noreply@github.com> 2023-12-05 12:29:21 +0100
commit: d79be732952d6b7b18d67eef81500cd69b984fde (patch)
tree: 40611adea367e370cee8c4b7c04ca215741074de /nixos
parent: 9675917c89a585f11bf0dee1cf20ca75874729b4 (diff)
parent: f9123510dbe9a2168d8140697ae7e931498dfd6e (diff)
1 files changed, 8 insertions, 1 deletions
diff --git a/nixos/modules/services/cluster/kubernetes/flannel.nix b/nixos/modules/services/cluster/kubernetes/flannel.nix
index 11c5adc6a8859..dca8996df0831 100644
--- a/nixos/modules/services/cluster/kubernetes/flannel.nix
+++ b/nixos/modules/services/cluster/kubernetes/flannel.nix
@@ -13,6 +13,13 @@ in
   ###### interface
   options.services.kubernetes.flannel = {
     enable = mkEnableOption (lib.mdDoc "flannel networking");
+
+    openFirewallPorts = mkOption {
+      description = lib.mdDoc ''
+        Whether to open the Flannel UDP ports in the firewall on all interfaces.'';
+      type = types.bool;
+      default = true;
+    };
   };
 
   ###### implementation
@@ -38,7 +45,7 @@ in
     };
 
     networking = {
-      firewall.allowedUDPPorts = [
+      firewall.allowedUDPPorts = mkIf cfg.openFirewallPorts [
         8285  # flannel udp
         8472  # flannel vxlan
       ];
author	Pol Dellaiera <pol.dellaiera@protonmail.com>	2023-12-05 12:29:21 +0100
committer	GitHub <noreply@github.com>	2023-12-05 12:29:21 +0100
commit	d79be732952d6b7b18d67eef81500cd69b984fde (patch)
tree	40611adea367e370cee8c4b7c04ca215741074de /nixos
parent	9675917c89a585f11bf0dee1cf20ca75874729b4 (diff)
parent	f9123510dbe9a2168d8140697ae7e931498dfd6e (diff)