7.3. Troubleshooting firewalld

If your system is running the firewalld firewall, it is necessary to add K3s' pod subnet (by default 10.42.0.0/16) and service subnet (by default 10.43.0.0/16) to firewalld's trusted zone for K3s to work properly [1]. If configure-firewall (a script called by install-k3s) detects this situation, you will see a warning message and the following prompt [2]:

Add 10.42.0.0/16 and 10.43.0.0/16 to firewalld's trusted zone?

Enter Y for "yes" and N for "no", or simply hit Enter to accept the proposed answer (displayed in square brackets).

Caution

If you opt out of the proposed remediation, K3s may malfunction.

The remediation attempted by configure-firewall is equivalent to [3]:

firewall-cmd --permanent --zone=trusted --add-source=10.42.0.0/16

firewall-cmd --permanent --zone=trusted --add-source=10.43.0.0/16

firewall-cmd --reload
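As an added example (not code from the LOCKSS installer or from K3s), the following POSIX shell script performs the same remediation idempotently: it reads the trusted zone's current sources, adds only the default K3s subnets that are still missing, and reloads once. It assumes firewall-cmd is on PATH and that K3s uses the default pod and service subnets.

```shell
#!/bin/sh
# Added example: idempotent version of the configure-firewall remediation.
# Assumes the default K3s subnets; adjust if K3s was configured differently.

K3S_POD_SUBNET="10.42.0.0/16"
K3S_SERVICE_SUBNET="10.43.0.0/16"

# Reads the output of `firewall-cmd --zone=trusted --list-sources` on stdin
# (space-separated sources) and prints the K3s subnets not yet present,
# one per line. Pure text processing, so it can be checked without firewalld.
missing_subnets() {
    sources=$(tr '\n' ' ')
    for subnet in "$K3S_POD_SUBNET" "$K3S_SERVICE_SUBNET"; do
        case " $sources " in
            *" $subnet "*) ;;                 # already in the trusted zone
            *) printf '%s\n' "$subnet" ;;     # still missing
        esac
    done
}

# Succeeds only when firewall-cmd exists and firewalld is running.
firewalld_active() {
    command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1
}

# Apply the remediation for missing subnets only; requires root (or sudo).
remediate() {
    if ! firewalld_active; then
        echo "firewalld is not running; nothing to do"
        return 0
    fi
    missing=$(firewall-cmd --zone=trusted --list-sources | missing_subnets)
    if [ -z "$missing" ]; then
        echo "K3s subnets are already in firewalld's trusted zone"
        return 0
    fi
    for subnet in $missing; do
        firewall-cmd --permanent --zone=trusted --add-source="$subnet"
    done
    firewall-cmd --reload
}
```

Run `remediate` from the script (for example `sudo sh -c '. ./k3s-firewalld.sh; remediate'`, a constructed file name) after verifying the subnets match your K3s configuration.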

Tip

If your system did not initially use firewalld at the time K3s was installed, but later does (for example because firewalld becomes enabled), run this command in the lockss user's lockss-installer directory as a privileged user who can become root via sudo [4]:

scripts/configure-firewall

Footnotes

[1] For operating systems in the RHEL family (CentOS, Rocky Linux, AlmaLinux...), the action recommended by the K3s manual is to disable firewalld entirely (see https://rancher.com/docs/k3s/latest/en/advanced/#additional-preparation-for-red-hat-centos-enterprise-linux), but install-k3s takes a lighter approach commonly used in the K3s community.


[2] See Installing K3s.

[3] By default, K3s' pod subnet is 10.42.0.0/16 and service subnet is 10.43.0.0/16.

[4] See Running Commands as a Privileged User.