Cristian Klein
Hi @davidumea. Thanks for bringing this up. I would recommend *against* enabling WireGuard by default. Why? 1. The security benefits are unclear. We do regular [provider audits](https://elastisys.io/compliantkubernetes/operator-manual/provider-audit/) on the providers...
@llarsson Thanks for pointing that out! I get the feeling that NSA's Kubernetes Hardening Guide, Page 20 insists on **control plane traffic encryption**, which is on by default (can one...
We just bumped into this with a project. Seems like WireGuard needs a smaller MTU to make room for the extra headers. This definitely has some performance implications:  Source:...
@OlleLarsson Some of the ideas in [ck8s-cluster](https://github.com/elastisys/ck8s-cluster) and [ck8s-base-vm](https://github.com/elastisys/ck8s-base-vm) are definitely worth bringing back. However, let us this time stay closer to upstream and put ourselves in a better...
@llarsson Just to write up my thoughts, at this point I'm unsure whether Kubespray is going to be the future. Hence, your question "how long time does a run of Kubespray...
An earlier version of this issue also requested improving the non-OpenID KUBECONFIG generated by Kubespray to facilitate its usage from the local machine (i.e., proper contexts, proper usernames, proper...
I quickly checked [kubeconfig.bash](https://github.com/elastisys/compliantkubernetes-apps/blob/main/bin/kubeconfig.bash). I feel that the way we create OpenID-enabled KUBECONFIGs is rather specific to Compliant Kubernetes and not very upstreamable. Let's close this for now.
This should be unnecessary once [ADR 0006 "Use Standard Kubeconfig Mechanisms"](https://github.com/elastisys/compliantkubernetes/blob/adr-kube-context/docs/adr/0006-use-standard-kubeconfig-mechanisms.md) is approved and implemented.
> It would be nice to know the reasoning behind the `apply-ssh` command. If I was going to update SSH keys on the hosts I would use the already existing...
The current state-of-practice seems to be that NetworkPolicies belong to the Helm Chart of the application they protect, with the `values.yaml` file specifying which inbound traffic is allowed. For inspiration,...