-
Kubernetes@Home – what do you do if your ISP changes your IP addresses?
In my last blog post I described external-DNS, which is a way to have Kubernetes create and update DNS entries for its services. But as I mentioned, it got me thinking a bit on ways to extend this concept to handle other external aspects of my Kubernetes environment. My ISP is in total control over…
-
Kubernetes tip of the day – external-dns
Having set up a number of services, and making sure every one of them gets its own IPv6 address, there’s a whole lot of DNS records pointing to services running in Kubernetes. Today, I found a gem: external-dns. This service basically monitors my infrastructure for annotations that tell it to create a DNS record for it.…
-
Kubernetes Security 101
While getting stuff to just work is fun, I decided I couldn’t set up a cluster without at least giving some thought to security. Here’s my small attempt at a nominally useful security strategy. By default, anything is allowed in Kubernetes. No, no one is stopping you. If you are on the node or in the…
-
Kubernetes deep dive part 2 – not all ideas that seem good at the start end up being good….
After a week of playing around, tinkering with stuff, I decided to let my traefik instance be highly available, so that I could restart it without my web services being down. That led to a lot of discoveries and a lot of reconsidering of concepts. Rather than jumping to the conclusions, I’ll let you follow…
-
Kubernetes at home for fun and absolutely no profit.
Disclaimer: Quite a bit of this is outdated. After a week or so, I decided to redo it all – mainly because I wanted IPv6 supported inside, and I thought that the fact that my multus macvlans supported IPv6 was proof I was all good. Turns out that with multus and macvlans, you live…
-
Docker networking part four – hacking around docker limitations.
After part 3, my setup was pretty good, and I was pretty sure I had come to the end of the road. There was just one thing that was bugging me: I needed to do NAT (MASQUERADE) in my firewall to get around the fact that docker routing table management is pretty limited. And with…
-
Docker Networking Part 3 – removing the unintended escape routes.
At the end of part two I showed that all the docker networks I had created were, in fact, bridge interfaces, which would bridge traffic out of docker. When the interface that lives on the outside of docker also has an IP address in that network, I can connect to services that listen to…
-
Docker Networking Part 2 – what happens in docker stays in docker.
After having created my docker DMZ in part 1, I realized that if I just connected the networks of the docker containers I wanted to access from the internet to the firewall container, I could avoid exposing their ports to the underlying machine altogether, thereby reducing the number of open ports on the server itself. I…
-
A virtualized DMZ with docker
Being somewhat of a minimalist, having only one server at home, but still trying to make a good, secure and stable infrastructure, it bothered me to forward network traffic directly to my server. Granted, most of the services exposed were running in docker, but it still was forwarding it directly into my «red zone». A…
-
AI Image Analyzers – a duel between Google Bard and ChatGPT (GPT-4)
Having scanned some 1700 slides of various quality and various age (from 1964 up to the 90’s), and with sometimes dubious labelling and sorting, I decided to do some research into whether the current crop of publicly available AIs can be of some help. Both Google Bard and OpenAI’s ChatGPT now have image analyzing capabilities, so…