Kapil Agrawal
@netops2devops.net
180 followers 870 following 92 posts
Kubernetes platform Security Engineer by profession. Also a recovering network engineer. Open source exuberant. Fan of open standards. Spends way too much time in homelab
netops2devops.net
I enjoyed reading the first few chapters in antonz.org/go-concurren... so much that I ended up purchasing the eBook 😁 It's just $10 which is a small token of appreciation for all that @antonz.org gives to the #go community for free! Plus now I get to solve all the exercises in the book. 😋
Gist of Go: Concurrency
Interactive book on concurrent programming with many exercises.
antonz.org
netops2devops.net
So far we have been getting away with the problem by putting our IPv6-only GW api service behind an external LoadBalancer (with a dual stacked VIP). I wonder if there is a way to translate nat46 directly on the node instead of relying on the external LB. Thoughts?
netops2devops.net
Hi @kindnet.es thanks for developing and sharing this. I am curious how one would solve nat46 though (with or without your agent)? I am running Kubernetes in an IPv6-only environment and often run into cases where the end user is coming from an IPv4 address and they want to access my gateway api v6 address
netops2devops.net
A couple of awesome resources which I came across as I was learning concurrency patterns in #go

1. Gist of Go by @antonz.org
antonz.org/go-concurren...

2. Interactive guide to concurrency patterns by Richard Chukwu
concurrency.rocks
netops2devops.net
Say what you may but as far as readability goes I don't find #rust to be nearly as intuitive or readable as #go .. It's so easy to be productive with go after spending just a week dabbling with basics. I don't think I can say the same for rust but I suspect it's just a matter of practice 😅
netops2devops.net
I have never been a professional C/C++ programmer by trade and maybe that's why I don't understand this but after doing some beginner level exercises with #rust I don't get all the fuss around how borrower/checker rules make it complicated. Sure, it feels a lot more verbose. Even more than #go
netops2devops.net
you can set this helm value `nat46x64Gateway.enabled=true` along with kube-proxy-replacement.
netops2devops.net
Critical thinking, curiosity and the drive to go deeper into the stack to learn something in & out appears to be diminishing as engineers become more dependent on AI generated content.
People who were once "engineers" are now becoming "operators"
netops2devops.net
NAT64 is only applicable when you are running an IPv6 only network but then you need a mechanism to connect to IPv4 only networks. The way you are describing it with Docker is not NAT64
netops2devops.net
For anyone using or interested in running @cilium.io as standalone NAT46x64Gateway I have updated my blog post for the latest cilium v1.18.x releases.

netops2devops.net/posts/cilium...
Using Cilium as a standalone NAT46x64Gateway
netops2devops.net
netops2devops.net
I dig the new updates in #iTerm2 3.6.x with the in-terminal browser, new icons. Feels more modern.
netops2devops.net
So to route traffic from the VIP to an actual endpoint (Pod) there is NAT/masquerading involved. No way around that AFAIK. Even if you use ECMP based LB for service types Ingress/Gateway at one point or another your node has to masquerade to send traffic from user -> service vip -> endpoint
netops2devops.net
NAT-less IPv6 all the way to the Pod. So you can hit the Pod IP over v6 GUA just fine. K8s requires a ServiceCIDR which uses non-local binding addresses to assign VIPs for ClusterIP service.
netops2devops.net
Yes. Cilium with BGP in native routing mode is how I run IPv6 only K8s clusters in prod 🙃
netops2devops.net
I am all for routing. But then I presume you'd need to run a BGP control plane daemon on your host (where the docker container is running), right?
netops2devops.net
So for example - if you are already routing 2001:db8::/64 you can configure your Docker daemon to pick an IPv6 address in the same subnet
netops2devops.net
IIRC it simply makes your container appear like just another host on the network.
netops2devops.net
Hi @daryllswer.com big fan of your blog 🙌 and thanks for the heads up. I no longer use Docker desktop or dockerd so I believe you got it right. But then what you’re describing as “routed” in your blog post .. isn’t that exactly what docker’s IPvlan driver does? 🤔
netops2devops.net
📣 New Blog Post

Apparently, there are a few gotchas when trying to checkpoint a running pod in #k3s which I learnt the hard way. I documented my findings in the blog post. #criu #kubernetes #forensics
netops2devops.net/posts/checkp...
Container Checkpointing in K3s for Forensics
netops2devops.net
netops2devops.net
1. What network driver are you using with Docker? Bridge, host, macvlan, ipvlan etc..?

2. What does your docker daemon config look like? Did you add anything in particular with IPv6 config bits?
netops2devops.net
Love it! Thanks for sharing (and creating)
netops2devops.net
You may be able to slap some band aid and find your way around it if you’re really gung-ho on using Zed.
netops2devops.net
LOL I never moved away from VSCode for that reason. If you rely on your editor to provide you with Kubernetes autocomplete or manifest snippets or automatically detecting object schema you’re going to have a hard time doing that in Zed as it’s not possible out of the box.
netops2devops.net
Yes Zed works out of the box with go! What doesn’t work (out of the box) is Kubernetes which has been a stickler for me.
netops2devops.net
Whoever created #hubble for @cilium.io @isovalent.bsky.social should be given a gold medal. You have my utmost respect 🫡 Debugging Kubernetes networking issues has never been this easy.