diff --git a/ansible/roles/setup/tasks/main.yml b/ansible/roles/setup/tasks/main.yml
index f630839baf5eb6f7ab8250d9f3adebee43c62f74..198e758b52e9044de8293dfc0718fcf17c0e0055 100644
--- a/ansible/roles/setup/tasks/main.yml
+++ b/ansible/roles/setup/tasks/main.yml
@@ -3,5 +3,6 @@
 - import_tasks: rke.yml
 - import_tasks: tiller.yml
 - import_tasks: cert-manager.yml
+- import_tasks: prometheus.yml
 - import_tasks: helmfiles.yml
 - import_tasks: krew.yml
diff --git a/ansible/roles/setup/tasks/prometheus.yml b/ansible/roles/setup/tasks/prometheus.yml
new file mode 100644
index 0000000000000000000000000000000000000000..41a2ddee5008f5d39457c99bfc59864c717d15d0
--- /dev/null
+++ b/ansible/roles/setup/tasks/prometheus.yml
@@ -0,0 +1,28 @@
+---
+- name: Allow internal access to node-exporter metrics
+  tags:
+    - iptables
+  iptables:
+    chain: "INPUT"
+    protocol: "tcp"
+    # We'll allow the whole private IP space for 10.0.0.0/8 here
+    # because calico might use different IPs in this space to
+    # contact the node-exporter
+    source: "10.0.0.0/8"
+    destination_port: 9100
+    jump: "ACCEPT"
+  become: true
+
+- name: Allow internal access to kubelet metrics
+  tags:
+    - iptables
+  iptables:
+    chain: "INPUT"
+    protocol: "tcp"
+    # We'll allow the whole private IP space for 10.0.0.0/8 here
+    # because calico might use different IPs in this space to
+    # contact the node-exporter
+    source: "10.0.0.0/8"
+    destination_port: 10250
+    jump: "ACCEPT"
+  become: true
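Review bot: The comment block above `source: "10.0.0.0/8"` in the kubelet task is a verbatim copy of the node-exporter task's comment and still says the range is allowed so Calico can "contact the node-exporter"; it should describe this rule instead, e.g. `# Calico may use any address in 10.0.0.0/8 to reach the kubelet` / `# on 10250, so the whole range is allowed for metrics scraping`. Port 10250 is the kubelet API, not a metrics-only endpoint, so this ACCEPT also exposes the kubelet's other handlers to every host in 10.0.0.0/8; narrowing `source` to the cluster's real pod/node CIDR (as a role variable such as `"{{ cluster_pod_cidr }}"` rather than the hard-coded /8, variable name to be chosen) would keep the opening to what scraping needs. The `iptables` module appends by default, so if the INPUT chain already ends in a DROP or REJECT rule these two ACCEPTs would never match; if that is the case in this role, `action: insert` is required. Adding `comment: "prometheus node-exporter scrape"` and `comment: "prometheus kubelet scrape"` to the respective rules would make them identifiable in the live ruleset, and since the module itself does not persist rules across reboot, a save step is presumably handled elsewhere in the role — worth confirming.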