diff --git a/roles/kata-setup/tasks/main.yaml b/roles/kata-setup/tasks/main.yaml
index b4ff984e..834c3413 100644
--- a/roles/kata-setup/tasks/main.yaml
+++ b/roles/kata-setup/tasks/main.yaml
@@ -6,6 +6,18 @@
     - "setup/{{ ansible_os_family }}.yaml"
     - "setup/default.yaml"
 
+- name: Allow k8s cluster range to talk to k8s api
+  iptables:
+    state: present
+    action: insert
+    chain: INPUT
+    ip_version: ipv4
+    protocol: tcp
+    source: "10.244.0.0/16"
+    destination_port: 6443
+    jump: ACCEPT
+  become: yes
+
 - name: Run kata setup.sh
   args:
     executable: /bin/bash
diff --git a/roles/kata-setup/tasks/setup/Fedora.yaml b/roles/kata-setup/tasks/setup/Fedora.yaml
index 6d967039..3759b1fc 100644
--- a/roles/kata-setup/tasks/setup/Fedora.yaml
+++ b/roles/kata-setup/tasks/setup/Fedora.yaml
@@ -45,3 +45,12 @@
     name: docker-ce
     state: present
   become: yes
+
+  # TODO why isn't this necessary on Ubuntu?
+- name: Ensure vhost and vhost_net modules are present as kata checks for these
+  args:
+    executable: /bin/bash
+  shell: |
+    set -x
+    modprobe vhost_net
+  become: yes