# k3s
r
https://docs.k3s.io/known-issues#iptables mentions a known issue with nftables mode, though not firewalld like RKE2 ( https://docs.rke2.io/known_issues#firewalld-conflicts-with-default-networking ).
p
Thanks, I have tried adding those suggestions; unfortunately, it didn't help.
SUSE Leap has iptables 1.8.7-1.1, so it should be ok, but maybe I should try changing mode.
r
I've heard people say they got ufw working. I haven't used SUSE personally, but is switching from firewalld to ufw an option?
p
I'd prefer to not tbh but if I don't get anywhere with 'stock' SUSE I might give that a go
r
Good luck. I had the same issue with RKE2 on CentOS 7, but with it documented I just disabled firewalld. My plan was to use Calico as my firewall, though I left that position before I got around to doing/documenting it (I no longer have that bookmark, but I think https://docs.tigera.io/calico/latest/network-policy/hosts/ was the base for doing that).
p
Yeah, we had no issues on C7 with iptables. This is the first SUSE I've used and I kind of expected it to 'just work' with stock SUSE, so I suspect something we've done to the firewalld rules has broken it.
h
Have you looked at this? https://docs.k3s.io/advanced?_highlight=firewalld#red-hat-enterprise-linux--centos, more specifically under "If you wish to keep firewalld enabled, by default, the following rules are required:".
p
I have, thanks. I've tried them even though the guide indicates they're only needed on RHEL.
b
Host-based firewalls tend to break k8s; you should avoid using them on kubernetes nodes altogether. It's a completely unsupported pattern, as firewalld/ufw are both frontends for nftables/firewalld, but so is your CNI. So you essentially end up with two programs, unaware of each other, writing rules over each other.
w
Ok, this makes sense. I'm seeing the same issue on Fedora 38 with k3s. https://rancher-users.slack.com/archives/CGGQEHPPW/p1693846856025609 In my case I'm only running `firewalld` because it's used by fusionAuth (aka keycloak for humans).
p
I rolled firewalld back to using `iptables` as a backend and that seems to have resolved that issue. Now I'm trying to find a way of controlling access to ports without breaking the cluster again.