How to Expose Gateway API on a VPS?

Asked By TechieExplorer42 On

Hi everyone! I'm experimenting with k3s, Cilium, and Hetzner, and I'm looking to expose some services so I can access them using my domain directed at my server. From what I've gathered, if I'm not in a cloud setup, MetalLB is typically used, but Cilium can handle similar functions. I know Hetzner provides load balancers, but I'm aiming to keep things simple without using them for now.

I've managed to get a setup working with the following configuration:

gatewayAPI:
  enabled: true
  externalTrafficPolicy: Cluster
  hostNetwork:
    enabled: true
envoy:
  enabled: true
  securityContext:
    capabilities:
      keepCapNetBindService: true
      envoy:
        - NET_ADMIN
        - SYS_ADMIN
        - NET_BIND_SERVICE

I had to grant extra capabilities to envoy to allow it to listen on port 443 on the host, which makes me uneasy. Can anyone suggest a more secure approach? I attempted L2 announcement, but that didn't work out for me. I'd really appreciate any guidance or tips you might offer. Thanks in advance!

3 Answers

Answered By CloudSailor83 On

Have you set up a CiliumLoadBalancerIPPool? It might help you manage the IP allocations more effectively.

TechieExplorer42 -

Yes, I did that, but I ran into issues grabbing the IP since it conflicted with the host IP. It’s like the good old days with just one IP per machine!
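As an added illustration of the pool suggested in this answer (this is not part of the thread and not Cilium's own documentation snippet), below is a CiliumLoadBalancerIPPool written to avoid the conflict the reply describes: the pool hands out only an address that is routed to the node but is not already configured on the host interface. The address range is a constructed TEST-NET-3 value and the `blocks` field assumes a Cilium release that uses `blocks` rather than the older `cidrs` spelling.

```yaml
apiVersion: cilium.io/v2alpha1
kind: CiliumLoadBalancerIPPool
metadata:
  name: public-pool
spec:
  # Constructed example (TEST-NET-3, 203.0.113.0/24). Replace with an address
  # that is routed to this node. Do NOT include the node's primary address:
  # Cilium would try to claim an IP the host already owns, which is the
  # conflict described in the reply above.
  blocks:
    - start: "203.0.113.10"
      stop: "203.0.113.10"
  # Without a serviceSelector the pool serves every Service of type
  # LoadBalancer, including the one Cilium creates for a Gateway object.
```

Two checks worth doing after applying it: `kubectl get ciliumloadbalancerippool` should report the pool as available with no conflict condition, and the Gateway's Service should show the pool address under EXTERNAL-IP. The pool only assigns the address; something still has to make it reachable from outside (L2 announcement on a shared segment, BGP, or the provider routing the extra IP to the node), which is why a pool alone does not remove the need for the hostNetwork approach on a single VPS.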

Answered By NetworkHero77 On

I'm a big fan of Cilium too! However, for exposing services, I prefer using Tailscale. You can create a free account, add the Tailscale operator to your cluster, and then play around with the DNS settings in your Tailscale account. This way, you can access your services from devices that also use Tailscale. It works like a VPN or mesh network, helping keep my lab services secure without exposing them directly to the public internet.

TechieExplorer42 -

I know Tailscale and how it works, but I'm specifically trying to expose my services to the public internet for testing. I'm just exploring different options since I can manage it with a load balancer, but I'm curious if there's a feasible way without one.

Answered By CodeNinja99 On

Instead of using hostNetwork, have you considered switching to hostPort? It's generally regarded as more secure and can simplify communication between host and pod networks, especially for accessing things like metrics endpoints for hostNetwork pods!

TechieExplorer42 -

I'll check into that, appreciate the tip!
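To make the hostPort suggestion concrete, here is an added example (not from the thread, and not the Cilium-managed Gateway API Envoy) of a generic proxy Deployment exposed on host port 443. The point from a least-privilege angle is that the container keeps its own network namespace and listens on an unprivileged port; the CNI performs the host-to-pod port mapping, so none of the NET_ADMIN, SYS_ADMIN or NET_BIND_SERVICE capabilities from the question are needed. It assumes Cilium's hostPort support is enabled (part of its kube-proxy replacement), that a ConfigMap named edge-proxy-config with an envoy.yaml exists, and the image tag is a placeholder to be pinned.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: edge-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: edge-proxy
  template:
    metadata:
      labels:
        app: edge-proxy
    spec:
      # No hostNetwork: the pod stays in its own network namespace.
      containers:
        - name: proxy
          image: envoyproxy/envoy:PLACEHOLDER_TAG   # placeholder; pin a digest
          args: ["-c", "/etc/envoy/envoy.yaml"]
          ports:
            # Host 443 -> pod 8443 is mapped by the CNI (Cilium hostPort here),
            # so the process itself never binds a privileged port.
            - name: https
              containerPort: 8443
              hostPort: 443
              protocol: TCP
          securityContext:
            runAsNonRoot: true
            runAsUser: 65532
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]   # no NET_ADMIN / SYS_ADMIN / NET_BIND_SERVICE
          volumeMounts:
            - name: config
              mountPath: /etc/envoy
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: edge-proxy-config   # assumed to exist; holds envoy.yaml
```

Verify the mapping with `cilium status` (hostPort should be listed as enabled) and by connecting to port 443 on the node address; if the connection fails while the pod is healthy, hostPort support is the first thing to check. Note that hostPort still pins one pod per node for that port, so it trades the capability grant for a scheduling constraint rather than for a proper load balancer.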
