Update docs to provide firewalling advice/guidance about rke2-docs HOT 4 CLOSED

I have come across many users who think RKE2 in general is incompatible with firewalld because of this section alone.

That is intended to be the key takeaway, yes. We recommend that it be disabled. Most CNI projects do not support use with firewalld or ufw enabled, and we inherit that position from them. If you chose to leave it running, and poke holes as the documentation describes, you are doing so at your own risk.

from rke2-docs.

What part of the docs are you referring to when you say: "If you chose to leave it running, and poke holes as the documentation describes"

from rke2-docs.

By opening up the ports listed at https://docs.rke2.io/install/requirements#inbound-network-rules in the firewalld or ufw config.

K3s provides some suggested firewall-cmd invocations to open things up at https://docs.k3s.io/installation/requirements#operating-systems, but we don't provide similar suggestions for RKE2.

from rke2-docs.

I have come across many users who think RKE2 in general is incompatible with firewalld because of this section alone.

That is intended to be the key takeaway, yes. We recommend that it be disabled. Most CNI projects do not support use with firewalld or ufw enabled, and we inherit that position from them. If you chose to leave it running, and poke holes as the documentation describes, you are doing so at your own risk.

Could you provide more information on the security implications of disabling firewalld on your RKE2 cluster? How do I protect my nodes from network ingress that I specifically do not want (e.g., inbound requests originating from the internet)? Or how do I prohibit any internal network traffic on those nodes outside of RKE2 (with the possible exception of something like SSH or config mgmt tools like Ansible)? This question is for an on-prem cluster, not cloud-based.

from rke2-docs.