On Wednesday 2025-03-26 16:56, Phil Sutter wrote:
>
>The suggested 'flush ruleset' stems from Fedora's nftables.service and
>is also present in CentOS Stream and RHEL. So anyone running k8s there
>either doesn't use nftables.service (likely, firewalld is default) or
>doesn't restart the service. Maybe k8s should "officially" conflict with
>nftables and iptables services?

It definitely should. For example, in openSUSE we already added an extra
constraint between firewalld <-> nftables, so k8s should likely get a
similar treatment.

fail2ban is also interesting, but a solved problem (equally added
ordering constraints to the distro years ago).