# NiceOS Core Kubernetes firewall profile.
#
# Goal:
#   - Kubernetes internal traffic works automatically.
#   - Admin does not manually open kubelet/flannel/pod-forward ports.
#   - Published workloads stay closed until exposed via NiceOS CLI/API.
#
# Default policies expected:
#   INPUT   DROP
#   FORWARD DROP
#   OUTPUT  DROP, or the base NiceOS-managed policy.
#
# This profile does not flush existing firewall rules and does not change
# built-in chain policies.
#
# Format: one KEY=value assignment per line, shell-style, with "#" full-line
# comments. Only NODE_ROLE's "auto" is defined in this file; the other "auto"
# values (API_SOURCES, KUBELET_SOURCES, FLANNEL_NODE_CIDRS) are resolved by the
# consumer at apply time — confirm what they expand to before relying on them.

# Enables this profile; presumably nothing below is applied when set to no
# (confirm against the consumer).
NICEOS_K8S_ENABLED=yes

# auto:
#   control-plane if /etc/kubernetes/manifests/kube-apiserver.yaml exists
#   worker otherwise
# Explicit values are presumably the two role names above — confirm.
NICEOS_K8S_NODE_ROLE=auto

# Detect primary IPv4 interface subnet automatically.
# Example result: 192.168.10.33/24
NICEOS_K8S_AUTO_DETECT_NODE_CIDRS=yes
# Explicit node CIDR list; left empty here because detection above is on.
# NOTE(review): presumably must be populated when detection is set to no —
# confirm how the consumer treats an empty value in that case.
NICEOS_K8S_NODE_CIDRS=""

# Cluster networks: pod overlay range and ClusterIP service range.
# These should match the values the cluster was initialised with; otherwise
# pod/service traffic is presumably not recognised as internal.
NICEOS_K8S_POD_CIDRS="10.244.0.0/16"
NICEOS_K8S_SERVICE_CIDRS="10.96.0.0/12"

# Control-plane/API.
# Local API server port(s) accepted on this host (control-plane role).
NICEOS_K8S_LOCAL_API_PORTS="6443"
# Source scope allowed to reach the API ports. "auto" is resolved by the
# consumer — verify it narrows to node/pod ranges rather than any source,
# since this is the most exposed control-plane port.
NICEOS_K8S_API_SOURCES=auto

# Kubelet is Kubernetes infrastructure, not a user-published service.
# Allow traffic from pods to the local kubelet port(s) below.
NICEOS_K8S_ALLOW_POD_TO_KUBELET=yes
# Kubelet API port; 10250 is the kubelet default.
NICEOS_K8S_LOCAL_KUBELET_PORTS="10250"
# Source scope for kubelet access; "auto" resolution is defined by the consumer.
NICEOS_K8S_KUBELET_SOURCES=auto

# Pod routing with FORWARD DROP: presumably adds FORWARD accepts for the
# pod/service ranges so the default DROP policy does not break inter-pod
# routing on this node.
NICEOS_K8S_ALLOW_POD_FORWARD=yes

# Flannel default for this NiceOS Kubernetes profile.
NICEOS_K8S_FLANNEL_ENABLED=yes
NICEOS_K8S_FLANNEL_BACKEND=vxlan
# VXLAN transport port (UDP); 8472 is flannel's default.
NICEOS_K8S_FLANNEL_VXLAN_PORT=8472
# Peers allowed to send VXLAN to this node; "auto" presumably reuses the node
# CIDRs resolved above — confirm.
NICEOS_K8S_FLANNEL_NODE_CIDRS=auto

# OUTPUT compatibility for strict hosts: presumably also emits OUTPUT rules so
# the profile works when the OUTPUT policy is DROP (see header).
NICEOS_K8S_MANAGE_OUTPUT=yes

# User-facing services are closed by default.
NICEOS_K8S_INGRESS_ENABLED=no

# NodePort is not cluster infrastructure publication.
# It must be opened by NiceOS CLI/API/deploy automation.
# closed: the NodePort range is not opened by this profile.
NICEOS_K8S_NODEPORT_MODE=closed
# When yes, the closed mode is presumably enforced with an explicit rule
# rather than relying on the default policy alone — confirm.
NICEOS_K8S_NODEPORT_ENFORCE=yes

# No custom host ports by default. Anything listed here is host-wide exposure;
# keep it empty and publish workloads via the CLI/API instead.
NICEOS_K8S_CUSTOM_PORTS=""

# Keep compatibility mode; do not terminal-drop generic traffic by default.
# With all three set to no the profile presumably appends no final DROP of
# its own and relies on the built-in DROP policies listed in the header.
NICEOS_K8S_TERMINAL_DROP_INPUT=no
NICEOS_K8S_TERMINAL_DROP_FORWARD=no
NICEOS_K8S_TERMINAL_DROP_OUTPUT=no

# Keep Kubernetes chains first where needed: jump into the NiceOS chains
# after the kube-proxy/CNI chains so their rules are evaluated first
# (presumably; confirm the exact placement in the consumer).
NICEOS_K8S_JUMP_PLACEMENT=after-kubernetes

# Absolute path to iptables, so the consumer does not depend on a PATH lookup.
NICEOS_K8S_IPTABLES_BIN="/usr/sbin/iptables"
# Seconds to wait for the xtables lock (iptables -w) — presumably; confirm.
NICEOS_K8S_IPTABLES_WAIT="10"