johntash
What’s up with the $4.55 “$1 drink”?
Network Policies are a good idea, thanks.
I was more worried about escaping the container, but maybe I shouldn’t be. I’m using Talos now as the OS and there isn’t much on the OS as it is. I can probably also enforce all of my public services to run as non-root users and not allow privileged containers/etc.
Thanks for recommending CrowdSec/Falco too. I'll look into those.
It’s mostly working fine for me.
An alternative I tried before was just whitelisting which IPs are allowed to access specific ingresses, but having the ingress listen on both public/private networks. I like having a separate ingress controller better because I know the ingress isn’t accessible at all from a public ip. It keeps the logs separated as well.
Another alternative would be an external load balancer or reverse proxy that can access your cluster. It’d act as the “public” ingress, but would need to be configured to allow specific hostnames/services through.
I did actually consider a 3rd cluster for infra stuff like dns/monitoring/etc, but at the moment I have those things in separate vms so that they don’t depend on me not breaking kubernetes.
Do you have your actual public services running in the public cluster, or only the load balancer/ingress for those public resources?
Also, how are you liking Garage so far? I was looking at it (instead of MinIO) to set up backups for a few things.
Unraid has this with their cache pools. ZFS can also be configured to have a cache drive for writes.
You can also DIY with something like mergerfs and separate file systems.
What you read online may have been referring to how cloudflare itself can always see the unencrypted traffic?
Cloudflare tunnels are encrypted, but inside of that encrypted tunnel could be a regular HTTP stream.
I have not had any issues with Kopia so far, but I have also only used it for maybe a year? My main reason for trying it was that I wanted to be able to give something to family members to use as a backup client with a reasonable UI. I can also control the default exclude list and default policies for compression/etc. pretty easily.
I don't know how many years of restic backups I have, but I still rely on it for my most important data. Anything really important on my desktop/laptop gets backed up via Kopia, but also gets copied (usually via Nextcloud) to a server that has hourly ZFS snapshots and daily restic snapshots. Both the restic and Kopia snapshots get stored on a local NAS and then synced to rsync.net.