7.3. Troubleshooting firewalld

If your system is running the firewalld firewall, it is necessary to add K3s' pod subnet (by default and service subnet (by default to firewalld's trusted zone for K3s to work properly [1]. If configure-firewall (a script called by install-k3s) detects this situation, you will see a warning message and the following prompt [2]:

Add and to firewalld's trusted zone?

Enter Y for "yes" and N for "no", or simply hit Enter to accept the proposed answer (displayed in square brackets).


If you opt out of the proposed remediation, K3s may malfunction.

The remediation attempted by configure-firewall is equivalent to [3]:

firewall-cmd --permanent --zone=trusted --add-source=

firewall-cmd --permanent --zone=trusted --add-source=

firewall-cmd --reload
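
The following shell functions are an added example, not part of install-k3s or configure-firewall. They audit the permanent trusted zone against the subnets you expect and add only what is missing; since the trusted zone accepts all traffic from its sources, they also list any source that is present but not expected. The function names and the FIREWALL_CMD variable are hypothetical, and the CIDRs you pass are assumed to be your K3s pod and service subnets.

```shell
#!/bin/sh
# Added example: audit firewalld's permanent trusted zone for K3s subnets.
# FIREWALL_CMD and all function names are hypothetical names for this sketch.
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# Print the sources in the permanent trusted zone, one per line.
trusted_sources() {
    "$FIREWALL_CMD" --permanent --zone=trusted --list-sources |
        tr -s ' ' '\n' | sed '/^$/d'
}

# Print each expected CIDR (arguments) that is absent from the trusted zone.
missing_sources() {
    current=$(trusted_sources)
    for cidr in "$@"; do
        printf '%s\n' "$current" | grep -Fxq -- "$cidr" || printf '%s\n' "$cidr"
    done
}

# Print each trusted source that is NOT among the expected CIDRs (arguments).
# Anything listed here is fully trusted by the firewall and deserves review.
unexpected_sources() {
    expected=$(printf '%s\n' "$@")
    trusted_sources | while IFS= read -r src; do
        printf '%s\n' "$expected" | grep -Fxq -- "$src" || printf '%s\n' "$src"
    done
}

# Add only the missing CIDRs, then reload once. Does nothing (and does not
# reload) when the zone already contains every expected CIDR.
ensure_sources() {
    todo=$(missing_sources "$@")
    [ -n "$todo" ] || return 0
    for cidr in $todo; do
        "$FIREWALL_CMD" --permanent --zone=trusted --add-source="$cidr" || return 1
    done
    "$FIREWALL_CMD" --reload
}

# Usage (run as root), with your own pod and service subnets as arguments:
#   ensure_sources POD_SUBNET_CIDR SERVICE_SUBNET_CIDR
#   unexpected_sources POD_SUBNET_CIDR SERVICE_SUBNET_CIDR
```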


If your system did not initially use firewalld at the time K3s was installed, but later does (for example because firewalld becomes enabled), run this command in the lockss user's lockss-installer directory as a privileged user who can become root via sudo [4]:




[1] For operating systems in the RHEL family (CentOS, Rocky Linux, AlmaLinux...), the action recommended by the K3s manual is to disable firewalld entirely (see https://rancher.com/docs/k3s/latest/en/advanced/#additional-preparation-for-red-hat-centos-enterprise-linux), but install-k3s takes a lighter approach commonly used in the K3s community.



[2] See Installing K3s.


[3] By default, K3s' pod subnet is and service subnet is


[4] See Running Commands as a Privileged User.