►
A
Yay
we're
live,
and
today
in
our
23rd
cafe,
everyone
can
contribute
cafe
with
again
kubernetes
and
automating
things
and
also
trying
out
the
fire
war
feature
which
was
announced
this
week.
I
think,
and
I'm
happy
that
max
prepared
something
for
today
or
we
are
like
taking
over
from
nicholas
last
week
to
marx
this
week
and
continuing
to
learn
something
new
and
I
would
say
with
that
I
would
just
hand
over
to
max
and
say
wrap
it
up.
Let's
go
yep,
I.
B
All
right
yeah,
we
do
this,
okay,
so
yeah.
It's
have
been
a
few
weeks
since
my
last
session
in
between
and
niklas
did
a
few
talks,
and
I
think
philip
as
well
about
security
of
kubernetes
and
authentication
and
everything,
and
now
we
go
a
little
bit
back
to
the
basics.
When
we
set
up
our
initial
cluster
and
back
then
in
february,
I
think
we
left
a
few
things
open
or
by
now
we
realized
that
there
are
a
few
things
missing
or
not
perfect
yet,
and
we
want
to
improve
this
a
little
bit.
B
The
screen
sharing
is
a
little
bit
odd
today
because
in
my
normal
browser
the
sound
doesn't
work
with
zoom
today,
so
it's
only
one
window
and
you
can't
see
any
browser.
So
if
I
need
to
switch
to
the
browser
later
on,
then
it
will
be
a
little
bit.
It
will
take
me
a
second
to
switch
all
right.
Then,
let's
see
I
will
make
this
a
little
bit
bigger.
B
B
And
one
thing
we
notice
here
is
that
it
gets
kind
of
stuck
in
a
few
seconds.
There
will
be
a
message
that
it's
still
trying
to
delete
the
subnet
of
our
cluster
and
then
it
will
just
continue
with
this
error
message
until
it's
running
in
some
timeout
and
that's
a
bit
sad
because
it
feels
like
managing
infrastructure
into
2005
and
not
2021.
B
We
want
to
have
this
reproducible
in
a
better
way.
We
want
to
apply
and
destroy,
as
often
as
we
want
to
without
any
stuff,
not
working,
because
it
will
not
recover
from
this.
This
will
just
stay
this
way
and
I'm
not
100
sure
why?
Well,
I
have
some
kind
of
idea
why?
But
now,
if
you
run
it
again,
it
will
work.
B
B
So
let's
go
back
into
our
terraform
code
to
yeah,
get
back
to
it
a
little
bit
from
last
time.
We
are
of
the
last
time,
but
the
last
time
we
looked
at
terraform,
we
have
some
yeah
basic
stuff.
Like
our
ssh
keys
at
the
top,
and
then
we
have
a
definition
of
our
server
and
our
agents-
and
one
thing
we
can
notice
here
is
that
we
define
the
network
of
our
servers
right
here
inside
of
the
server
resource,
and
then
we
tell
terraform
that
this
resource
depends
on
the
subnet
resource.
B
So
when
we
do
terraform
plan
or
terraform
apply,
it
will
use
this
dependency
to
know
that
the
subnet
needs
to
exist
before
it
attempts
to
create
the
server
and
then
here
at
the
bottom.
We
have
the
subnet
itself
and
for
some
reason
this
works
during
the
creation,
because
we
have
this
dependency
here.
B
It
just
tries
to
delete
everything
and
I
think
it
tries
in
the
wrong
order
and
then
the
api
denies
to
delete
the
subnet
in
the
network,
because
there
are
still
servers
attached
or
something
and
then
when
we
run
it
a
second
time.
Those
servers
are
not
attached
anymore
and
that's
why
we
can
delete
the
network.
Then.
B
B
Maybe
it
got
fixed
in
the
meantime
and
if
it
didn't
got,
if
it
isn't
fixed,
then
we
can
use
another
way
to
assign
a
network
to
a
server
where
I
know
that
it
works,
because
I
used
it
in
another
project
in
another
way.
So
at
first,
let's
try
to
update
our
terraform
provider,
so
the
latest
release
is
not
124
but
126
with
a
bunch
of
nice
new
features
and
maybe
there's
a
bug
fix
in
there.
B
B
B
Each
time
I
do
terraform
apply
or
terraform
destroy,
I'm
so
glad
we
did
this
in
terraform
that
we
did
this
in
code
because
it's
so
much
easier
than
clicking
everything
in
the
web
interface.
Okay,
interesting!
So
it's
a
different
error.
Now
it's
not
just
trying
again
and
again
without
success.
It
straight
away
tells
us
that
it
can't
remove
the
subnet,
because
servers
are
still
attached.
B
B
B
B
As
far
as
I
know,
it's
managed
by
a
different
team,
but
it's
yeah.
We
will
see.
I
really
report
back.
If
I
learn
anything
about
this
and
yeah,
it
will
be
interesting.
So
if
anyone
is
watching
the
stream
and
has
no
context
tomorrow
is
my
first
day
at
head
snack
cloud,
so
it's
yeah
it's
a
interesting
day
for
me
tomorrow,
all
right,
so
we
will
solve
this
in
a
little
bit
different
way
here
and
I
will
share
a
different
window
for
this.
B
And
so,
if
you
were
wondering
why
I
knew
that
the
newest
version
is
126.,
it's
at
the
top.
Here
we
can
see
the
latest
version
and
then
we
can
check
what
resources
exist
and
what
we
are
using
is
the
hcloud
server
resource
and
we
are
defining
the
network
down
here
right
now
and
then
we
add
this
dependency.
B
So
anyway,
we
will
just
act
like
this
network
assignment
in
the
server
resource
does
not
not
exist
like
it
was
earlier.
I
think
in
123
of
the
provider,
something
this
was
not
there
yet
and
instead
we
will
use
the
hcloud
server
network
resource,
which
is
just
an
additional
resource
to
where
we
add
an
h
cloud
server.
We
had
an
h
cloud
network
and
a
subnet.
B
We
have
all
this
already
and
then
we
add
a
h
cloud
server
network
resource
where
we
tell
teraform
here.
Please
assign
this
server
to
this
network
and
if
we
want
to,
we
can
even
assign
an
ip
and
for
some
reason
this
is
handled
better
in
the
provider
or
by
terraform.
I
don't
know,
but
if
we
do
this,
then
the
creation
and
the
destruction
will
work
without
any
issues.
A
B
B
Can,
let's
just
do
it
here
below
of
our
subnet?
We
create
a
resource,
hcloud
server
network
and
we
call
it
well.
How
did
what
did
we
call
our
server?
We
just
called
it
server.
Okay,
let's
just
call
this
server
then
as
well
and
we
use
account.
I
mean
it's
not
strictly
necessary
because
we
have
only
one
server
but
in
case
that
at
some
point
in
the
future
we
decide
we
need
a
highly
available
control
plane
for
a
cluster.
Then
we
could
have
two
or
three
servers.
A
B
B
B
B
C
B
Yeah
after
philip
did
this
match
request
to
format
all
this
in
the
right
way.
I
actually
configured
my
visual
code
to
just
do
it
on
every
safe
of
terraform
code,
but
a
few
days
ago
I
changed
a
few
things
on
my
computer
because
I
had
a
few
days
off
and
now
all
my
tariff
raw
all
my
visual
code
settings
are
done,
which
was
intentional,
but
I
haven't
like
reconfigured
everything
yet
so
that's
why
there's
nothing
fancier
here
anymore,
all
right!
So.
A
B
A
A
B
B
So
this
is
the
nice
thing
about
this
count,
parameter
and
terraform,
because
we
write
this
once
and
we
get
two
resources
out
of
it
and
if
we
would
create
200
agents,
then
we
would
get
200
of
those
resources.
So
that's
nice,
all
right,
then,
let's
apply
this
should
be
as
fast
as
before,
but
hopefully
the
terraform
destroy
will
work
now.
D
But
the
thing
on
the
count
is,
I
don't
know
if
anybody
everybody
knows
terraform,
the
thing
is
with
count
it's
little
pre.
I
think
0.12
syntax
right
because
with
count
you
will
later
have
the
issue.
If
you
want
to
replace
something
inside
the
count,
then
it's
really
hard.
So
that's
why
they
introduced
this
for
each
now,
with
one
or
twelve.
D
B
B
D
B
B
Yeah
yeah,
I
was
also
thinking.
We
need
a
better
better
way,
also
if
we
yeah
it's
it's
very
similar
to
when
we
want
to
replace
some
parts
of
it
or
want
to
delete
some
of
it.
We
kind
of
need
a
way
to
also
delete
the
nodes
from
kubernetes,
then,
because,
right
now
the
units
are
always
registered
but
never
deleted.
So
it
would
be
nice
if
we
add
some
hook
to
terraform
to
unregister
those
if
we
delete
them
with
terraform.
B
D
B
D
B
No,
it's
not
really
from
this.
It's
more
like
from
before
the
h
cloud
existed,
the
headset
cloud.
I
used
a
headset
root
server
and
then
that's
always
something
between
the
30
and
50
euro
per
month
and
then
a
while.
I
used
two
while
I
was
migrating
from
one
to
the
next
one
and
that's
just
like.
If
you
pay
50
euros
each
month
or
a
few
years,
then
it's
I
don't
know
it's
but
yeah.
It.
D
C
B
A
Running
and
I
get
lots
of
notifications
in
my
head,
snack
cloud
account
that
resources
are
being
created
and
now
no,
I
I
don't
I
don't
care
it
was.
I
was
just
curious
checking
on
since
philip
mentioned,
the
the
the
count
is
going
up.
Last
week
I
checked
we
were
at
like
19
euros
for
the
month,
so
nothing
to
worry
about.
C
It's
it's
amazing
in
the
head,
snack
console.
If
you
watch
closely,
if
you
have
it
open
in
like
one
window
and
do
your
terraform
apply
in
the
other
window
and
take
a
look
at
how
fast
the
notifications
come,
it's
like
half
a
second
or
something
of
delay.
I
I
was
quite
amazed
when
I,
when
I
saw
that
the
last
time
I
I
created
some
service
or
even
in
the
dns
console
or
something
that's,
that's
really
well
done
by
them.
A
D
C
That's
doing
really
way
relevant
in
regards
to
that,
too,
definitely
I
mean
I'm
running
my
my
personal
setup.
It
looks
quite
similar
to
what
max
is
showing
here.
I
have
no
idea
where
that's
coming
from
I'm
running
at
daton,
hetzner
2,
and
I
mean
it's
not
not
like
the
cheapest
one.
You
could
do
it
a
bit
cheaper
somewhere
else.
If
you
just
like,
take
some
some
root
vms
or
something
like
that.
But
it's
I
mean
the
performance
and
the
the
stability
speaks
for
itself.
A
Yeah,
so
my
I
need
to
like
rebuild
my
blog,
which
is
running
in
a
docker
container
in
a
in
a
virtual
machine
currently,
but
I've
kind
of
started.
It
last
february,
never
touched
it
again,
except
for
updates
sometimes,
and
for
the
evolving
contribute
group.
We
are
at
the
hot
number
of
27.51
euros
for
one
month,
which
is
totally
okay
for
playing
around
and
learning
kubernetes
and
stuff.
So
max
back
to
you.
B
Great
yeah
we
now
have
like
we
have
nothing
really
new,
but
it's
better
now,
because
it's
it
makes
testing
more
comfortable.
If
we,
if
we
delete
stuff
and
it's
really
deleted
and
there's
no,
this
weird
feeling
of
oh,
I
have
to
retry
the
deletion,
and
now
it
works.
Maybe
now
it
just
works
reliable,
that's
nice!
So
now
it's
we
switch
over
to
a
completely
different
topic.
It's
yeah
completely
unrelated
to
what
we
did
until
now,
but
it's
still
in
terraform.
So
I
will
just
continue
down
here.
B
B
So
if
you
use
a
firewall
in
the
cloud,
you
could
have
one
on
your
node
right
here.
We
could
apply
some
firewall
in
this
machine
on
this
server
on
this
linux
server
that
we
would
do
this
with
ip
tables,
for
example,
and
record
configure
to,
I
don't
know,
only
allow
access
to
h
access,
but
nothing
nothing
else
to
the
vm
or
something
and
that's
like
the
more
traditional
way
of
firewalling
a
linux
server,
and
then
you,
the
yeah
in
a
traditional
setup.
You
have
some
different
firewall
before
your
normal
servers.
B
B
Where
you
tell
the
cloud
provider,
please
only
allow
yeah,
tcp
traffic
on
port
22
to
my
server
and
block
everything
else
and
yeah.
That's
nice
for
us,
because
it's
an
additional
layer
of
security,
because
now,
even
if
we
accidentally
expose
some
port
on
our
machine,
it's
still
not
exposed
to
the
internet,
because
this
cloud
provider
firewall
is
before
that
and
already
drops
all
unwanted
traffic
and
yeah.
That
makes
it
a
bit
safer.
It's
definitely
something
for
the
peace
of
mind
to
just
know
this,
this
different
firewall.
B
You
should
still
think
about
what
you
expose
and
what
you
run
in
your
cluster
right.
It's
not
like
you're,
safe
from
everything
now,
because
if
you
could
still
expose
something
and
the
firewall
for
this
part
is
open
and
the
traffic
goes
in
there,
but
it's
it's
definitely
one
tool
to
improve
the
security
of
our
cluster,
and
I
don't
know
one
two
or
three
weeks
ago:
I'm
not
really
sure
that's
hetzner
released
their
own
firewall
as
a
service
feature
for
the
head,
snack
cloud,
which
I
think
was
one
of
the
most
wanted
features
of
the
community.
B
At
least
for
me,
it
was
like
the
most
wanted
feature
because,
especially
with
kubernetes,
it's
sometimes
easy
if
or
it's
easy
to
accidentally
open
a
network
port,
or
it's
often
desirable-
to
allow
all
network
traffic
between
your
nodes,
but
not
from
the
outside,
and
then
it
yeah.
It's
very
helpful
if
we
have
this
additional
layer
for
to
the
outside
and
yeah,
so
we
are
going
to
implement
this
now
we
are
like
we
are
going
to
add
some
head
snare,
firewalls
to
our
servers
and
yeah.
B
B
Now
the
new
resource
type
is
hcloud
firewall.
Let's
call
it,
for
example,
base.
So
it's
as
always
just
a
name
we
choose
and
then
we
want
to
name
it
base.
So
it's
a
little
bit
duplicate,
but
this
one
is
the
resource
name
for
terraform.
That's
the
name
in
the
h
cloud
api.
So
it's
a
different
thing.
Then
we
define
a
firewall
rule.
B
We
only
use
it
for
incoming
traffic,
it's
also
possible
to
create
some
routes
for
outgoing
traffic.
But
if
you
yeah,
I,
I
wouldn't
recommend
outgoing
firewalling
as
long
as
nobody
forces
you
to
do
this
because,
from
an
operational
perspective,
this
is
hell,
even
though
there
might
be
some
security
considerations
there
which
make
it
necessary,
but
for,
for
example,
for
our
kubernetes
cluster.
B
Our
nodes
need
to
be
able
to
communicate
to
the
outside,
because
if
we
want
to
run
some
docker
container,
it's
going
to
open
a
network
connection
to
the
outside
and
pull
this
docker
image
and
then
run
it
and
for
all
this
kind
of
stuff.
So
if
you
wanted
a
cluster
where
the
nodes
have
no
internet
access,
then
we
would
need
to
proxy
everything
or
provide
all
docker
images
locally
and
so
on,
and
so
on
so
yeah
it
would
I'm.
C
B
And
now
we
use
a
different
protocol.
The
first
rule
is
just
to
allow
icmp,
so
we
can
ping
our
server
and
that's
not
necessary
to
make
it
work,
but
it's
a
good
practice
to
allow
icmp
traffic
to
your
server.
So
if
people
are
trying
to
debug
why
they
can't
reach
you,
they
should
be
able
to
rely
on
icmp.
B
So
we
are
not
going
to
block
this.
Also,
we
are
allowing
a
tcp
traffic
on
port
22,
that's
ssh,
so
we
can
connect
to
our
servers
via,
let's
just
copy
this
for
a
second,
so
I
don't
have
to
type
at
all
and
yeah
those
two
we
want
to
allow
from
everywhere.
So
that's
why
we
define
zero
zero,
zero,
zero,
slash,
zero.
I
think
that
was
a
zero
too
much,
but
four
zeros
slash
zero,
which
is
yeah
notation
for
all
ip4
ip
file,
four
addresses,
and
then
we
have
the
same
for
ip46
okay.
B
B
Where
do
we
put
it?
Maybe
at
the
bottom?
Oh,
I
did
not
remove
this.
This
is
I
removed
it
from
the
agent,
but
not
from
the
server
right.
We
can
remove
this
here
as
well,
interesting
that
it
still
worked,
but
probably
because
it's
the
same
the
same
content.
So
there
was
no
conflict
anyways
we
can
define
some
firewall
ids,
and
so
we
are
going
to
reference
our
firewall,
which
we
call
base
with
the.
B
Right
so
here
it's
the
same
here:
firewall
is
both
roots.
Then
at
the
bottom
we
have,
you
can
see
here.
The
yellow
means
that
we
are
not
going
to
delete
it,
but
we
will
update
it
in
place,
which
is
nice,
because
we
can
just
keep
our
server
running
and
we're
going
to
remove
this
network
definition
here.
So
hopefully
this
won't
break
anything,
but
I
think
it
won't
all
right.
Let's
apply
this.
E
A
C
Yeah,
I
I'm
doing
I'm
doing
stuff
related
to
hosting
for,
like
eight
eight
years
now,
professionally
and
like
10
or
12
in
total,
and
I've
never
seen
any
instance
where
blocking
icmp
has
helped
anyone
and
I've
seen
a
lot
of
instances
where
blocking
icmp
has
led
to
hours
and
hours
of
debugging
until
somebody
just
found
out.
Oh,
yes,
it
didn't
work
because
we
blocked
our
icmp,
and
that
makes
me
kind
of
happy
about
the
fact
that
ipv6
does
not
really
work.
If
you
block
icmp,
you
need
it
for
the
path
mtu
discovery.
C
A
C
E
C
The
draft
is
about
as
old
as
I
am
so
it's
from
1990
1996
it's
a
year
younger
than
I
am
so
it
has
existed
for
25
years
now,
but
it's
officially
become
a
standard
only
as
late
as
2018
and
that's
just
three
years
ago.
So
I
can
kind
of
understand
that
some
people
who
heavily
rely
on
stuff
being
a
standard
haven't
implemented.
It.
E
Yeah,
mostly,
there
are
a
lot
of
more
problems
in
terms
of
when
you're
looking
in
providers
also
table
asps,
mostly
they're,
doing
not
a
real
dual
stack,
so
you
get
only
dual
state
light,
so
you
get
by
the
end.
You
get
an
ipv6
but
you're
getting
also
an
ipv4,
but
this
is
not
it
on
a
grand
carrier.
Not
so
it's
like
really
shitty.
When
you
want
to
do
networking
on
your
own.
So
mostly,
then
you
are
forced
to
do
ipv6
mostly,
but
then
sometimes
not
all
websites
support
ipv6,
that's
right.
E
A
A
I
was
just
thinking
about
the
german
telecom,
which
I
use
at
home.
Sometimes
dns
resolution
with
rubygems.org
doesn't
work,
and
this
is
like
then
I
like
reboot
the
router
rather
or
do
something
else.
Sometimes
it's
a
pv4
related,
sometimes
ipv6
related.
I
don't
know
so
it's
still
not
as
stable
as
as
as
I
would
want
it
still.
If,
if
you
don't
do
it
now
and
the
telecom
does
it
since
2012,
when
I
moved
to
nuremberg,
if
you
don't
do
it
and
use
it
in
production,
you
will
never
learn
it.
E
B
B
My
home
network
is
tunneled
through
the
everyone
can
contribute
cluster
right.
I
don't
know
I
I
everyone
was
everything
was
stuck
and
I
needed
to
reboot,
which
is
weird
anyway.
The
last
thing
we
did
before
this
happened
was:
we
executed
terror
from
apply
with
our
new
file
for
firewall
resource,
and
then
I
tried
to
switch
over
to
the
browser
to
show
you
in
the
web
interface
and
that's
where
it
stopped
working.
B
B
B
B
If
we
wouldn't
have
our
beautiful
terraform
code,
then
we
could
click
here
and
just
add
other
servers
to
it
so
by
the
by
default,
all
traffic
to
each
server
is
allowed.
But
as
soon
as
we
apply
a
single
firewall
rule,
all
traffic
will
be
blocked
except
the
traffic
we
allow
in
our
firewall
rule.
So
if
we
click
here,
then
it
will
block
all
traffic
to
the
stocker
host
except
icmp
and
ssh.
E
E
C
B
C
E
D
A
E
Yeah,
you
can
do
some
stuff
about
that.
What
you
can
do
is
terraform.
Has
the
lifecycle,
so
each
or
each
resource
has
certain
own
lifecycle,
so
you
can
do
lifecycle
resource
changes,
so
the
typical
way
of
tear
form.
What
is
currently
is
doing
is
that
by
default
form
deletes
for
resource
first
and
then
recreates
it,
but
you
can
also
do
the
opposite,
so
the
telephone
will
create
first,
the
new
resource
and
afterwards
it
will
delete
the
resource.
E
E
E
E
Okay
yeah,
so
you
have.
These
are
the
meta
arguments,
so
in
every
resource
you
can
define
a
lifecycle
configuration
and
you
have
different
types
of
lifecycle
elements.
So,
first
of
all,
it's
obvious
that
I
explained
before
the
create
before
destroy
so
that
you
are
creating
a
resource
before
it
will
be
destroyed.
You
can
also
set
the
prevent
destroy
so
that
terraform
won't
would
reject
automatically
when
you
try
to
restore
to
destroy
this
restore
and
says
no,
it's
not
working,
and
another
important
option
is
also
ignore
changes.
E
So
this
attribute
allows
you
to
don't
recreate
a
resource
or
don't
update
in
resource.
For
example,
when
you
changing
only
the
tags
or
something
like
that
or
you
do
want,
don't
want
to
see
that-
or
sometimes
I
use
this
also
when
I
need
to
have
a
word
around
on
broaden
providers
or
telephone
providers,
because
sometimes
you're
coming
in
the
states
that
the
terraform
says
hey.
I
want
to
update
the
resource
because
I
have
a
different
state
on
the
api
instead
of
my
current
state,
but
the
provider
doesn't
support
that
right
now.
E
So,
for
example,
it
means
like
hey.
We
have
a
new
field,
for
example,
that
the
server
instance
has
a
logging
option
so
that
I
can
directly
enable
already
number
server
but
on
the
api
level,
but
terraform
doesn't
support
that
right
now,
but
telephone
would
show
you
every
time.
The
change
that's
currently
happening,
hey,
you
need
to
add
these
lock
enabled
field
to
the
to
your
state,
but
because
the
provider
doesn't
support
that,
you
can
say,
ignore
these
changes
and
it
won't
ask
you
anymore
for
that.
E
B
Yeah,
that's
that's
very
nice
because,
for
example,
for
the
server
instances
on
hetzner,
when
we
change
the
ssh
keys
for
the
server,
then
the
server
will
be
recreated
to
assign
the
new
keys
or
to
remove
others,
and
for
for
our
setup,
for
example,
it
would
be
nice
if
we
can
change
it
in
terraform,
but
the
keys
are
also
updated
by
ansible
anyway.
So
for
existing
instances,
we
could
leave
it
managed
by
ansible,
but
for
future
for
future
instances,
it
would
be
managed
by
terraform.
Then.
B
D
E
D
A
B
But
maybe
let's
try
to
wrap
up
the
firewall
stuff
so
yeah.
If
we
do
another
five
minutes,
then
we
can
finish
this
topic
and
then
we
don't
need
to
like
pick
the
same
up
next
week
and
then
we
can
can
do
something
else.
Next
week
we
created
this
space
flyer
and
now
we
we
need
to
allow
traffic
to
our
k3s
or
to
our
kubernetes
api.
B
B
C
B
B
You
mean
why
it
removes
this
one
and
yeah.
I
think
I
think
I
talked
to
them
about
it.
It's
because
of
the
implementation
of
in
the
terraform
provider.
He
mentioned.
Something
like
this
is
the
the
list
of
firewall.
Rules
is
a
set
in
terraform
and
there
is
no
way
for
the
provider
to
like
to
expose
a
more
beautiful
div.
In
this
case,
it's
always
like
replacing
the
full
content.
B
B
On
the
specific
ones,
when
we
already
know
they
exist,
you
mean
yeah,
because
yeah
that
we
could
do
yeah.
But
let's
no-
let's
not
do
this
for
now,
because
it
it
it
won't,
really
remove
it.
I
think,
but,
and
then
this
change
I
think,
is
because
earlier
removed,
we
removed
this
inline
network
assignment,
which
we
forgot
earlier
to
remove.
So
that's
why
this
change
comes
now.
D
B
I
because
I
expected
it
to
break
in
this
case.
Yes,
but
interestingly,
at
least
in
my
private
cluster,
it
did
not
break
okay,
let's
see
so
I'm
not
really
sure
what
this
implies.
Routing
wise
like
because
the
the
firewalls
allow
all
traffic
about
the
internal
network,
and
so
my
interpretation
was
that
in
some
way,
this
traffic,
even
though
it's
sent
over
the
public
eyepiece,
appeared
to
be
still
rooted
internally
enough
to
not
reach
the
firewall.
B
It's
it's
it's.
I
wanted
to
dig
into
this
a
bit
more
because
it's
for
me,
it's
important
to
know
which
traffic
is
allowed
and
which
is
not
and
like
will
it
be
blocked
if
we
remove
the
private
network
or
will
it
still
because
if
it
only
works
as
long
as
the
private
network,
is
there
I'm
fine
with
it,
but
if
it
still
works
after
remove
the
internal
network,
that
would
be
bad,
so
yeah.
B
A
A
Yeah,
maybe
maybe
combine
it,
I'm
I'm
not
sure
if
we
would
like
take
one
hour
for
writing
a
bit
of
yammer
for
the
deployment,
so
I
think
or
like
probably
it
takes
that
long,
because
we
make
mistakes
or
try
things
out,
but
I
think
we
we
have
reached
a
level
where
we
can
combine
the
lego
building
blocks
and
just
build
on
top
of
that.
So
now
we
automated
it
made
it
eat
important,
I
think
in
the
important.
A
So
basically
we
get
the
same
state
every
time
we
run
it
and
if
we
destroy
it,
we
can
still
recreate
it
to
resources.
Again,
I
think
a
good
way
of
battle
testing
would
be
to
say.
Well,
I'm
I'm
on
vacation.
Next
week,
I'm
gonna
try
it
myself
with
a
fresh,
it's
not
had
snow
count
or
my
private
headset
account
and
see
how
things
are
going
and
maybe
we
need
to
like
fix
something
or
generalize
something
so
that
everyone
can
just
say:
hey
click
and
and
provision
a
kubernetes
cluster
and
hit
snack
cloud
with
within.
A
I
don't
know
five
minutes
yep
and
later
on,
and
this
is
something
I
cannot
wait
to
try
out
is
the
premises
operator
and
like
put
everything
on
top,
but
I
can't
wait.
We
still
have
yeah.
We
have
this
year
probably,
but
we
can
just
play
around
the
only
exception
yeah
lock
down
in
germany,
not
knowing
what
to
do
no
on
in
two
weeks
time.
A
Sebastian
from
upstream
will
join
us
and
do
a
demo
about
obstrace.
I
think
it
touches
base
with
kubernetes
and
cloud
native
and
everything
around
it.
So
it's,
I
think
it's
a
good
topic
change
like
having
someone,
someone
external
presenting
something
else,
but
we
can
like
hop
back
in
the
week
after
and
say:
hey
upstairs
and
kubernetes.
How
does
this
work
or
doing
something
different?
A
B
D
E
B
B
B
E
B
E
E
B
C
C
D
B
D
B
D
D
D
D
A
A
E
A
E
B
B
A
B
C
B
No,
no,
no,
let's
do
two:
let's
do
four
sessions
of
network
debugging
with
completely
go
nuts
all
right.
I
think
that's
it
for
today.
So
we
have
now
firewalls
in
front
of
our
servers.
We
will
find
out
what's
going
on
with
udp
traffic
and
then
go
back
to
this
in
the
future.
Then
next
week
we
can
do
the
gitlab
pipeline.
B
We
can
build
this
on
top
of
what
I
have
preferred
prepared
in
my
private
cluster,
so
we
should
be
going
to
go
to
startup
top
of
this.
If
you
are
fine
with
it
and
then
I
think
the
week
afterwards,
we
have
the
guest
with
from
ops
trace,
which
micah
mentioned
right,
yep
all
right
and
then
afterwards,
then,
let's
see
what
we
do
afterwards
right.