Remix clone Hacker News

new | show | ask | jobs Github

▲

threeseed 11 hours ago

I would take the YAML any day.

Because if one of those iptables fails above you're in an inconsistent state.

Also if I want to swap from iptables to something like Istio then it's basically the same YAML.

▲ dmm 3 hours ago | parent | next [-]

> Because if one of those iptables fails above you're in an inconsistent state.

These days iptables is a legacy interface implemented on top of nftables. And nftables does provide atomic rule replacement: https://wiki.nftables.org/wiki-nftables/index.php/Atomic_rul...

So you would have a file with something like:

    table inet filter {
       chain input {
           tcp dport 8080 accept
       }

    }

The you would atomic apply it with:

    $ nft -f input_file

▲ rnewme 7 hours ago | parent | prev [-]

You obviously didn't use k8s (or k3s or anything other implementation) a lot, because it also messed us iptables randomly sometimes due to bugs, version miss match etc.

	▲	threeseed 6 hours ago \| parent [-]
		Have been Kubernetes for the last decade across multiple implementations. Never had an iptable issue and these days eBPF is the standard.