https://marktaguiad.dev/tags/networking/ Recent content in Networking on marktaguiad.dev Hugo en-us marktaguiad@marktaguiad.dev (Mark Taguiad) marktaguiad@marktaguiad.dev (Mark Taguiad) marktaguiad.dev Tue, 28 Apr 2026 00:00:00 +0000 https://marktaguiad.dev/post/k8s-cilium-policy-dos/ Tue, 28 Apr 2026 00:00:00 +0000marktaguiad@marktaguiad.dev (Mark Taguiad) https://marktaguiad.dev/post/k8s-cilium-policy-dos/ <p><code>CiliumNetworkPolicy</code> (CNP) is the most commonly used policy type in Cilium.</p> <p>It is namespace-scoped, meaning the policy applies only within the namespace where it is created.</p> <p>This is the policy most teams use for real-world application security because it enables zero-trust controls at Layer 3, Layer 4, and Layer 7.</p> <p>If Kubernetes NetworkPolicy is a basic firewall, CiliumNetworkPolicy is the full application-aware policy engine.</p> <p>What discussed and showed here is similar with <code>CiliumClusterwideNetworkPolicy</code>, the only difference it the policy is cluster wide. Read more on that topic and how to combine these policies.</p> https://marktaguiad.dev/post/k8s-cilium-policy-uno/ Sun, 26 Apr 2026 00:00:00 +0000marktaguiad@marktaguiad.dev (Mark Taguiad) https://marktaguiad.dev/post/k8s-cilium-policy-uno/ <p>When people first start working with Cilium policies, the easiest way to understand them is to group them into two simple ideas:</p> <ol> <li>Who can talk to what?</li> <li>What they’re allowed to do once connected?</li> </ol> <p>That mental model maps directly to how Cilium builds policy enforcement—from basic workload isolation all the way up to application-aware HTTP filtering.</p> <p>If you already think in terms of namespace rules and Layer 7 rules like HTTP GET/POST like we did in <a href="https://marktaguiad.dev/post/k8s-istio-uno/">Istio</a>, you’re already on the right track. Cilium simply expands that model into something much more powerful and much more granular.</p> https://marktaguiad.dev/post/k8s-cilium-gateway/ Sat, 25 Apr 2026 00:00:00 +0000marktaguiad@marktaguiad.dev (Mark Taguiad) https://marktaguiad.dev/post/k8s-cilium-gateway/ <p>Cilium Gateway API support is a modern replacement for traditional Kubernetes Ingress controllers.</p> <p>Instead of relying on standalone ingress proxies, Cilium integrates Gateway API directly into the networking stack using <strong>eBPF</strong> and <strong>Envoy</strong>, enabling:</p> <ul> <li>HTTP / HTTPS routing</li> <li>TLS passthrough</li> <li>TLS termination</li> <li>Traffic splitting</li> <li>Header manipulation</li> <li>Standards-based ingress with Kubernetes Gateway API</li> </ul> <p>Cilium’s operator acts as the Gateway API controller and manages:</p> <ul> <li><code>GatewayClass</code></li> <li><code>Gateway</code></li> <li><code>HTTPRoute</code></li> <li>LoadBalancer Services</li> <li>eBPF traffic routing</li> </ul> <p>This is similar with Istio Gateway, for our example let&rsquo;s use the same deployments/apps.</p> https://marktaguiad.dev/post/k8s-cilium-clustermesh/ Fri, 24 Apr 2026 00:00:00 +0000marktaguiad@marktaguiad.dev (Mark Taguiad) https://marktaguiad.dev/post/k8s-cilium-clustermesh/ <p>Cilium is a Kubernetes CNI built on eBPF, replacing the traditional iptables-heavy networking model with kernel-level packet processing. Instead of relying on large iptables chains for routing, filtering, and service load balancing, Cilium injects eBPF programs directly into the Linux kernel datapath for lower latency and better scalability.</p> <p>This would require a whole book in explaining eBPF, so we will not dwell in that. Let&rsquo;s focus first on connecting two Kubernetes Cluster.</p> https://marktaguiad.dev/post/k8s-istio-tres/ Sat, 28 Mar 2026 00:00:00 +0000marktaguiad@marktaguiad.dev (Mark Taguiad) https://marktaguiad.dev/post/k8s-istio-tres/ <p>Continuation of Kubernetes Istio.</p> <h1 id="table-of-contents">Table of Contents</h1> <nav id="TableOfContents"> <ol> <li><a href="#ingress-gateway">Ingress Gateway</a></li> <li><a href="#gateway">Gateway</a></li> <li><a href="#fault-injection">Fault Injection</a> <ol> <li><a href="#verify">Verify</a></li> </ol> </li> <li><a href="#retries">Retries</a></li> <li><a href="#circuit-breaker">Circuit Breaker</a></li> </ol> </nav> <p>I&rsquo;ve mentioned in this <a href="https://marktaguiad.dev/post/k8s-istio-uno.md">post</a> that will sticking with <code>HTTPRoute</code>, but feature discussed here only support (for now) Istio API.</p> <h3 id="ingress-gateway">Ingress Gateway</h3> <p>Istio deploys a default resource for this, and for this example we are using the default ingress gateway <code>ingressgateway</code>.</p> <p>If you want to create a custom ingress gateway.</p> <p><em>istio-gateway.yaml</em></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="ln"> 1</span><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">install.istio.io/v1alpha1</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 2</span><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">IstioOperator</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 3</span><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 4</span><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">istio-control-plane</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 5</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">istio-system</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 6</span><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 7</span><span class="cl"><span class="w"> </span><span class="nt">components</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 8</span><span class="cl"><span class="w"> </span><span class="nt">ingressGateways</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln"> 9</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">istio-ingressgateway-prod</span><span class="w"> </span></span></span><span class="line"><span class="ln">10</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">istio-system</span><span class="w"> </span></span></span><span class="line"><span class="ln">11</span><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">12</span><span class="cl"><span class="w"> </span><span class="nt">label</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">13</span><span class="cl"><span class="w"> </span><span class="nt">istio</span><span class="p">:</span><span class="w"> </span><span class="l">ingressgateway-prod</span><span class="w"> </span></span></span><span class="line"><span class="ln">14</span><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="ln">15</span><span class="cl"><span class="w"> </span>- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">istio-ingressgateway-dev</span><span class="w"> </span></span></span><span class="line"><span class="ln">16</span><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">istio-system</span><span class="w"> </span></span></span><span class="line"><span class="ln">17</span><span class="cl"><span class="w"> </span><span class="nt">enabled</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="w"> </span><span class="nt">label</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="w"> </span><span class="nt">istio</span><span class="p">:</span><span class="w"> </span><span class="l">ingressgateway-dev</span><span class="w"> </span></span></span></code></pre></div><p>This will create two ingress gateway.</p> https://marktaguiad.dev/post/k8s-istio-dos/ Tue, 24 Mar 2026 00:00:00 +0000marktaguiad@marktaguiad.dev (Mark Taguiad) https://marktaguiad.dev/post/k8s-istio-dos/ <p>Continuation of Kubernetes Istio, this time we&rsquo;ll focus on Security.</p> <h1 id="table-of-contents">Table of Contents</h1> <nav id="TableOfContents"> <ol> <li><a href="#security">Security</a> <ol> <li><a href="#mtls-mutual-tls">mTLS (Mutual TLS)</a></li> <li><a href="#authorizationpolicy-rbac">AuthorizationPolicy (RBAC)</a></li> </ol> </li> </ol> </nav> <h3 id="security">Security</h3> <h4 id="mtls-mutual-tls">mTLS (Mutual TLS)</h4> <p>This will ensure that service-to-service traffic is encrypted and authenticated.</p> <p>Istio allows you to configure three main modes per namespace, workload, or globally:</p> <table> <thead> <tr> <th>Mode</th> <th>Behavior</th> <th>When to Use</th> </tr> </thead> <tbody> <tr> <td><strong>STRICT</strong></td> <td>Only allows <strong>mTLS-encrypted traffic</strong>. Plain HTTP connections are rejected.</td> <td>Best for production when you want <strong>full security</strong> between services.</td> </tr> <tr> <td><strong>PERMISSIVE</strong></td> <td>Accepts both mTLS-encrypted and plain HTTP traffic.</td> <td>Useful during <strong>gradual migration</strong> to mTLS. Old workloads can still communicate without encryption.</td> </tr> <tr> <td><strong>DISABLE</strong></td> <td>Does not use mTLS at all.</td> <td>For testing, legacy workloads, or non-critical traffic.</td> </tr> </tbody> </table> <p>You might get confused with the HTTPS traffic, it just mean that all traffic are converted by istio envoy to mTLS. So as long as the request is going through first the sidecar then it is valid.</p> https://marktaguiad.dev/post/k8s-istio-uno/ Mon, 23 Mar 2026 00:00:00 +0000marktaguiad@marktaguiad.dev (Mark Taguiad) https://marktaguiad.dev/post/k8s-istio-uno/ <p>Modern applications are no longer built as single, monolithic systems—they’re composed of many small, interconnected services. Managing how these services communicate can quickly become complex, especially as systems scale. This is where Istio comes in.</p> <p>Istio acts as a powerful service mesh that sits between your services and handles three critical concerns: traffic management, security, and observability.</p> <p>With Istio, you gain fine-grained control over how traffic flows between services—enabling advanced deployment strategies like A/B testing and canary releases with ease. At the same time, it strengthens service-to-service security and provides deep visibility into your system through metrics, logs, and tracing.</p> https://marktaguiad.dev/post/k8s-metallb/ Tue, 10 Mar 2026 15:08:20 +0800marktaguiad@marktaguiad.dev (Mark Taguiad) https://marktaguiad.dev/post/k8s-metallb/ <p><img class="theme-image" src="https://marktaguiad.dev/images/devops/k8s-notes/k8s-metallb-001.png" data-light="/images/devops/k8s-notes/k8s-metallb-001.png" data-dark="/images/devops/k8s-notes/k8s-metallb-dark-001.png" alt="Architecture Diagram" > In cloud environments, Kubernetes provides external load balancing easily using Service type LoadBalancer, which integrates with cloud provider load balancers.</p> <p>However, in bare-metal Kubernetes clusters, there is no built-in implementation for external load balancers. As a result, creating a LoadBalancer service would remain in a pending state.</p> <p>MetalLB solves this problem by providing a network load balancer implementation for bare-metal Kubernetes clusters, allowing services to expose external IP addresses just like in cloud environments.</p> https://marktaguiad.dev/post/k8s-notes-part3/ Thu, 05 Mar 2026 23:54:49 +0800marktaguiad@marktaguiad.dev (Mark Taguiad) https://marktaguiad.dev/post/k8s-notes-part3/ <p>For applications running inside Kubernetes to function correctly, they must be able to communicate with each other and with external systems. Kubernetes provides a networking model that enables communication between Pods, Services, and external clients.</p> <h1 id="table-of-contents">Table of Contents</h1> <nav id="TableOfContents"> <ol> <li><a href="#pod-internal">Pod Internal</a></li> <li><a href="#services">Services</a> <ol> <li><a href="#create-using-yaml">Create Using YAML</a></li> <li><a href="#create-using-kubectl">Create using kubectl</a></li> <li><a href="#verify">Verify</a></li> </ol> </li> <li><a href="#service-dns">Service DNS</a> <ol> <li><a href="#same-namespace">Same Namespace</a></li> <li><a href="#cluster-wide">Cluster Wide</a></li> </ol> </li> <li><a href="#service-types">Service Types</a> <ol> <li><a href="#clusterip-default">ClusterIP (Default)</a></li> <li><a href="#nodeport">NodePort</a></li> <li><a href="#loadbalancer">LoadBalancer</a></li> </ol> </li> <li><a href="#hostport-and-hostnetwork">hostPort and hostNetwork</a></li> <li><a href="#reverse-proxy">Reverse Proxy</a></li> <li><a href="#ingress-controllers">Ingress Controllers</a></li> <li><a href="#container-network-interface-cni">Container Network Interface (CNI)</a></li> </ol> </nav> <h3 id="pod-internal">Pod Internal</h3> <p>Each Pod receives its own internal IP address inside the Kubernetes cluster. This allows Pods to communicate directly with each other using that IP.</p> https://marktaguiad.dev/post/linux-network/ Wed, 11 Jun 2025 00:00:00 +0000marktaguiad@marktaguiad.dev (Mark Taguiad) https://marktaguiad.dev/post/linux-network/ <h1 id="table-of-contents">Table of Contents</h1> <nav id="TableOfContents"> <ol> <li><a href="#show-network">Show network</a></li> <li><a href="#setting-your-network">Setting your network</a> <ol> <li><a href="#native">Native</a></li> <li><a href="#network-manager">Network Manager</a></li> <li><a href="#networkd">Networkd</a></li> <li><a href="#netplan">Netplan</a></li> <li><a href="#other-wireless-solutions">Other Wireless Solutions</a></li> <li><a href="#connman">Connman</a></li> </ol> </li> <li><a href="#dns-resolution">DNS Resolution</a> <ol> <li><a href="#etchosts">/etc/hosts</a></li> <li><a href="#etchostname">/etc/hostname</a></li> <li><a href="#etcresolvconf">/etc/resolv.conf</a></li> </ol> </li> <li><a href="#bridges">Bridges</a> <ol> <li><a href="#using-ip-command-temporary--runtime">Using ip command (temporary / runtime)</a></li> <li><a href="#using-systemd-networkd">Using systemd-networkd</a></li> <li><a href="#using-network-manager">Using Network Manager</a></li> <li><a href="#using-netplan">Using Netplan</a></li> </ol> </li> <li><a href="#bonding">Bonding</a> <ol> <li><a href="#setup">Setup</a></li> </ol> </li> <li><a href="#routing">Routing</a> <ol> <li><a href="#adding-and-removing-routes">Adding and Removing Routes</a></li> <li><a href="#using-gateways-and-metric">Using Gateways and Metric</a></li> <li><a href="#traffic-flow-and-packet-control">Traffic Flow and Packet Control</a></li> <li><a href="#view-current-iptables-config">View current iptables config</a></li> <li><a href="#setting-basic-firewall-rules">Setting basic firewall rules.</a></li> <li><a href="#deleting-iptable-rules">Deleting iptable rules</a></li> <li><a href="#saving-changes">Saving changes</a></li> <li><a href="#other-commands">Other commands</a></li> </ol> </li> <li><a href="#firewall">Firewall</a> <ol> <li><a href="#ufw---uncomplicated-firewall">UFW - Uncomplicated Firewall</a> <ol> <li><a href="#default-config">Default Config</a></li> <li><a href="#allow-ssh-connection">Allow SSH Connection</a></li> <li><a href="#enable-ufw">Enable UFW</a></li> <li><a href="#allowing-other-connections">Allowing Other Connections</a></li> <li><a href="#denying-connections">Denying Connections</a></li> <li><a href="#deleting-rules">Deleting Rules</a></li> <li><a href="#ufw-status-and-rules">UFW Status and Rules</a></li> </ol> </li> <li><a href="#firewalld">Firewalld</a> <ol> <li><a href="#managing-firewalld">Managing Firewalld</a></li> <li><a href="#configuring-firewalld">Configuring Firewalld</a></li> <li><a href="#zones">Zones</a></li> <li><a href="#rich-rules">Rich Rules</a></li> </ol> </li> </ol> </li> <li><a href="#vlan">VLAN</a> <ol> <li><a href="#enable-vlan">Enable VLAN</a></li> <li><a href="#install-vlan">Install VLAN</a></li> <li><a href="#create-vlan-interface">Create VLAN Interface</a></li> </ol> </li> </ol> </nav> <h3 id="show-network">Show network</h3> <p>To view your current network interface.</p>