Alleviating Confusion About The To Field In Network Policies

When solving a killercoda challenge I ran into some confusion. Even though my solution worked, there was a difference which I wanted to get clear on. I wrote this:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: np
  namespace: space1
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: space2
  - to:
    ports:
    - protocol: TCP
      port: 53
    - protocol: UDP
      port: 53

But the provided course solution was this: ...

March 25, 2024 · Mischa van den Burg

I'm better at Network Policies than I thought

There are two things which I'm dreading most for the CKS exam: writing Network Policies and configuring RBAC under heavy time pressure. I've heard from colleagues that the exam has many questions of this nature, so it will be a good way of scoring points. However, regardless of the exam, the fact that I'm dreading these topics also shows that I'm not familiar enough with them and therefore this is a point where I should improve. It's not only about the exam, but also my growth of expertise as a Kubernetes Engineer. ...

March 25, 2024 · Mischa van den Burg

Kubernetes Gateway API & Azure Application Gateway for Containers

This document is the result of my research into the Gateway API. It aims to briefly describe the Gateway API for Kubernetes, a typical implementation of ingress traffic using NGINX in AKS and how this setup could benefit from implementing the Gateway API.

Introduction

Gateway API is an official Kubernetes project focused on L4 and L7 routing in Kubernetes. This project represents the next generation of Kubernetes Ingress, Load Balancing, and Service Mesh APIs. From the outset, it has been designed to be generic, expressive, and role-oriented. ...

March 10, 2024 · Mischa van den Burg

Learned Cilium Network Policies

Today I learned about Cilium network policies. These are much easier to implement than normal network policies because there are some tools available when creating the Cilium policies. Network policies were probably my weakest Kubernetes skill and I tended to avoid them. But now I'm exposing some apps to the internet in my homelab and I'm forced to think about security and what would happen if a hacker managed to get root privileges in a container even though I implemented strict security contexts and enabled privilege escalation. ...

January 14, 2024 · Mischa van den Burg

Designed The Network For My Homelab

My ISP router only allowed me to assign 200 IP addresses and it didn't have any possibility to create VLANs, so it was time for an upgrade to my setup. Now that I'm hosting several clusters in my homelab and exposing things to the internet I can justify spending the money on this hardware and the complexity of dividing up my home network into VLANs. I bought a Unifi Express gateway and the Unifi Lite 8 PoE managed switch. ...

January 13, 2024 · Mischa van den Burg

Video notes - Application Gateway for Containers

App Gateway

It has App Gateway in the name, but it is an entirely new solution. The App Gateway is the only thing it has in common with Azure Application Gateway.

Resources

Two types of resources: Azure resources and k8s resources. The App Gateway for Containers is an Azure resource which listens to changes in k8s resources through the ALB controller. AGWFC is the control plane. ...

January 5, 2024 · Mischa van den Burg

Video: Homelab E2 - Setting Up Monitoring + Studying k3s Networking & Configuring Ingress

In this video I installed Prometheus and Grafana using helm and studied k3s networking. My goal was to make Grafana approachable via ingress using a fake domain and after a bit of tinkering it worked.

- installed prometheus and grafana with kube-prometheus-stack helm chart
- reflected on why I use k3s
- gained understanding of k3s loadbalancing solution
- configured /etc/hosts file to resolve to fake domain
- configured k3s ingress to use fake local domain
- struggled with ingress but figured it out in the end
- successfully made grafana UI available on fake local domain grafana.homelab.nl

Links: 202312261012 ...

January 4, 2024 · Mischa van den Burg

Began studying for AZ-700 Designing and Implementing Microsoft Azure Networking Solutions

Before I went on holiday I formed the intention to begin studying again after I came back. During my current gig I'm configuring a fair bit of networking, VNets, peerings, firewall rules and set up a full hub-spoke network from scratch, so I've had a fair bit of practical experience. Now that the experience is still fresh in the mind I figured I'd go for this certification. Usually I only use Microsoft Learn and practice exams, but this time around I want to try out a video course. I purchased a year of A Cloud Guru access and so far it has been a good experience. ...

September 28, 2023 · Mischa van den Burg

What is Azure CNI Overlay for AKS?

CNI?

CNI stands for Container Network Interface. It allows communication between pods and services.

Current Azure CNI limitations

Let's take a practical example. We have an enterprise environment where a large network is utilized, spanning multiple clouds and on-prem infrastructure hubs. To enable seamless communication across these sections, they must belong to the same network. As a result, specific IP address ranges are assigned to each section, with AWS, On-Prem A, and Azure each having their respective ranges. ...

June 14, 2023 · Mischa van den Burg