Ben Cressey

Results 167 comments of Ben Cressey

There are two aspects to this: 1. Whether `kube-proxy` is using its "nftables" mode 2. Whether the host OS has the right tools to inspect (and to avoid corrupting) network...

@adrianmace user namespaces should be working in Bottlerocket's `*-k8s-1.33` variants, which include a new enough kernel (6.12) and a kubelet that enables the user namespaces feature gate by default. User...
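The practical check for whether a pod actually got a user namespace is to read `/proc/self/uid_map` from inside the container: in the initial (host) user namespace it holds the single identity line `0 0 4294967295`, while a pod running with its own user namespace shows container uid 0 mapped to an unprivileged host range. The helper below is an added example, not code from the comment above or from the Bottlerocket project; the function name `userns_kind` and the two sample `uid_map` contents are constructed for illustration (the exact host range a kubelet assigns will differ).

```shell
# Added example: classify a process from the contents of its /proc/<pid>/uid_map.
# Each line of uid_map is "<inside-start> <outside-start> <length>".
# Assumption: the initial user namespace has exactly one line, "0 0 4294967295";
# any other mapping means the caller is inside a (nested) user namespace.
userns_kind() {
  # $1: full contents of a uid_map file (one or more lines)
  local inside outside length n=0 mapped=0
  while read -r inside outside length; do
    [ -z "$inside" ] && continue
    n=$((n + 1))
    # Any line that is not the full identity mapping is a real remap.
    if [ "$inside" != "$outside" ] || [ "$length" != "4294967295" ]; then
      mapped=1
    fi
  done <<EOF
$1
EOF
  if [ "$n" -eq 0 ]; then
    echo "unknown"
    return 1
  fi
  if [ "$mapped" -eq 1 ]; then
    echo "mapped"
  else
    echo "host"
  fi
}

# Constructed sample inputs, shaped like `cat /proc/self/uid_map` output.
# HOST_MAP is what a pod with hostUsers (the default) sees; POD_MAP is the
# kind of line a user-namespaced pod sees (uid 0 inside -> 65536 outside,
# 65536 ids long; the real outside start depends on the kubelet's allocator).
HOST_MAP="         0          0 4294967295"
POD_MAP="         0      65536      65536"

userns_kind "$HOST_MAP"   # host
userns_kind "$POD_MAP"    # mapped
```

Run the same one-liner inside a pod that sets `spec.hostUsers: false` on a `*-k8s-1.33` node: a `host` result means the request was ignored (old kernel, feature gate off, or a policy denial), which is the first thing to rule out before digging into SELinux.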

> I'm no selinux guru, but after reading through the policies in bottlerocket, it looks like the only way to allow a pod to create a user namespace is to...

There are raw image files provided for the `metal-*` variants - see [instructions to fetch](https://github.com/bottlerocket-os/bottlerocket/blob/develop/PROVISIONING-METAL.md#fetch-the-bottlerocket-image-for-bare-metal). The challenge (which the linked documentation makes painfully clear) is that bare metal takes a...

This is not currently planned, but should be possible to achieve with Twoliter and the out-of-tree builds framework.

@caiolombello minor correction to this: > The “metal-k8s-*” variant supports standalone mode + static pods but requires bare-metal instance types. Static pods and standalone mode are supported on all the...

@ytsssun for testing purposes the "lightweight oom-killer" might be OK, but it has some notable defects: 1. it will invoke the OOM killer every second if the system is below...

> I would intuitively expect this to be a net.toml setting - would this be an acceptable approach for everyone involved (to just add it to netdog directly and not...

I'll need to investigate the FIPS-related changes here; please don't merge without a deeper analysis.

> multi-user.target reached after 29.098s in userspace. This seems like a significant outlier for an `aws-dev` boot. At the other extreme, under KVM locally, I get numbers like this: ```...