Remix clone Hacker News

new | show | ask | jobs Github

▲

PittleyDunkin 17 hours ago

> You mean the list of calls right there in the shell script?

This is about the worst encoding for network rules I can think of.

▲ do_not_redeem 17 hours ago | parent [-]

Worse than yaml generated by string interpolation?

▲ PittleyDunkin 16 hours ago | parent [-]

You'd have to give me an example. YAML is certainly better at representing tables of data than a shell script is.

▲ do_not_redeem 14 hours ago | parent [-]

Not entirely a fair comparison, but here. Can you honestly tell me you'd take the yaml over the shell script?

(If you've never had to use Helm, I envy you. And if you have, I genuinely look forward to you showing me an easier way to do this, since it would make my life easier.)

-------------------------------------

Shell script:

  iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

Multiple ports:

  for port in 80 443 8080; do
    iptables -A INPUT -p tcp --dport "$port" -j ACCEPT
  done

Easy and concise.

-------------------------------------

Kubernetes (disclaimer: untested, obviously)

  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  spec:
    trafficPolicy:
      firewall:
        rules:
        - name: allow-port-8080
          ports:
          - port: 8080
            protocol: TCP
    podSelector:
      matchLabels:
        app.kubernetes.io/name: my-app

Multiple ports:

  firewall:
    rules:
      - name: allow-port-80
        ports:
          - port: 80
            protocol: TCP
      - name: allow-port-443
        ports:
          - port: 443
            protocol: TCP
      - name: allow-port-8080
        ports:
          - port: 8080
            protocol: TCP

  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: firewall
  spec:
    trafficPolicy:
      firewall:
        rules:
          {{- range .Values.firewall.rules }}
          - name: {{ .name }}
            ports:
            {{- range .ports }}
            - port: {{ .port }}
              protocol: {{ .protocol }}
            {{- end }}
          {{- end }}
    podSelector:
      matchLabels:
        app.kubernetes.io/name: my-app

▲ PittleyDunkin 3 hours ago | parent | next [-]

I don't know why on earth you'd use mustache with yaml, but the unmustached yaml is much more readable. The reviewer doesn't even need to know iptables. (Which is good; i've only ever worked with nftables (which has the same issue of leaning in to serializing tables as commands) and pf.) Concision is not working in your favor here.

▲ threeseed 11 hours ago | parent | prev [-]

I would take the YAML any day.

Because if one of those iptables fails above you're in an inconsistent state.

Also if I want to swap from iptables to something like Istio then it's basically the same YAML.

▲ dmm 3 hours ago | parent | next [-]

> Because if one of those iptables fails above you're in an inconsistent state.

These days iptables is a legacy interface implemented on top of nftables. And nftables does provide atomic rule replacement: https://wiki.nftables.org/wiki-nftables/index.php/Atomic_rul...

So you would have a file with something like:

    table inet filter {
       chain input {
           tcp dport 8080 accept
       }

    }

The you would atomic apply it with:

    $ nft -f input_file

▲ rnewme 7 hours ago | parent | prev [-]

You obviously didn't use k8s (or k3s or anything other implementation) a lot, because it also messed us iptables randomly sometimes due to bugs, version miss match etc.

	▲	threeseed 6 hours ago \| parent [-]
		Have been Kubernetes for the last decade across multiple implementations. Never had an iptable issue and these days eBPF is the standard.