Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
do_not_redeem 14 hours ago

Not entirely a fair comparison, but here. Can you honestly tell me you'd take the yaml over the shell script?

(If you've never had to use Helm, I envy you. And if you have, I genuinely look forward to you showing me an easier way to do this, since it would make my life easier.)

-------------------------------------

Shell script:

  iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
Multiple ports:

  for port in 80 443 8080; do
    iptables -A INPUT -p tcp --dport "$port" -j ACCEPT
  done
Easy and concise.

-------------------------------------

Kubernetes (disclaimer: untested, obviously)

  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  spec:
    trafficPolicy:
      firewall:
        rules:
        - name: allow-port-8080
          ports:
          - port: 8080
            protocol: TCP
    podSelector:
      matchLabels:
        app.kubernetes.io/name: my-app
Multiple ports:

  firewall:
    rules:
      - name: allow-port-80
        ports:
          - port: 80
            protocol: TCP
      - name: allow-port-443
        ports:
          - port: 443
            protocol: TCP
      - name: allow-port-8080
        ports:
          - port: 8080
            protocol: TCP

  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: firewall
  spec:
    trafficPolicy:
      firewall:
        rules:
          {{- range .Values.firewall.rules }}
          - name: {{ .name }}
            ports:
            {{- range .ports }}
            - port: {{ .port }}
              protocol: {{ .protocol }}
            {{- end }}
          {{- end }}
    podSelector:
      matchLabels:
        app.kubernetes.io/name: my-app
PittleyDunkin 3 hours ago | parent | next [-]

I don't know why on earth you'd use mustache with yaml, but the unmustached yaml is much more readable. The reviewer doesn't even need to know iptables. (Which is good; i've only ever worked with nftables (which has the same issue of leaning in to serializing tables as commands) and pf.) Concision is not working in your favor here.

threeseed 11 hours ago | parent | prev [-]

I would take the YAML any day.

Because if one of those iptables fails above you're in an inconsistent state.

Also if I want to swap from iptables to something like Istio then it's basically the same YAML.

dmm 3 hours ago | parent | next [-]

> Because if one of those iptables fails above you're in an inconsistent state.

These days iptables is a legacy interface implemented on top of nftables. And nftables does provide atomic rule replacement: https://wiki.nftables.org/wiki-nftables/index.php/Atomic_rul...

So you would have a file with something like:

    table inet filter {
       chain input {
           tcp dport 8080 accept
       }

    }
The you would atomic apply it with:

    $ nft -f input_file
rnewme 7 hours ago | parent | prev [-]

You obviously didn't use k8s (or k3s or anything other implementation) a lot, because it also messed us iptables randomly sometimes due to bugs, version miss match etc.

threeseed 6 hours ago | parent [-]

Have been Kubernetes for the last decade across multiple implementations.

Never had an iptable issue and these days eBPF is the standard.