A: Yay, we're live, and today in our 23rd cafe, the Everyone Can Contribute cafe, with again Kubernetes and automating things, and also trying out the firewall feature which was announced this week, I think, and I'm happy that Max prepared something for today, or we are, like, taking over from Niklas last week to Max this week and continuing to learn something new, and I would say with that I would just hand over to Max and say: wrap it up. Let's go. Yep, I...

A: Yeah, please, please, stop, go ahead and we'll wrap it up later.

B: All right, yeah, we do this, okay, so yeah. It has been a few weeks since my last session, and in between Niklas did a few talks, and I think Philip as well, about security of Kubernetes and authentication and everything, and now we go a little bit back to the basics. When we set up our initial cluster back then in February, I think we left a few things open, or by now we realized that there are a few things missing or not perfect yet, and we want to improve this a little bit.

B: The screen sharing is a little bit odd today because in my normal browser the sound doesn't work with Zoom today, so it's only one window and you can't see any browser. So if I need to switch to the browser later on, then it will be a little bit... it will take me a second to switch. All right. Then, let's see, I will make this a little bit bigger.
B: And one thing we notice here is that it gets kind of stuck. In a few seconds there will be a message that it's still trying to delete the subnet of our cluster, and then it will just continue with this error message until it's running into some timeout, and that's a bit sad because it feels like managing infrastructure in 2005 and not 2021.

B: We want to have this reproducible in a better way. We want to apply and destroy as often as we want to without any stuff not working, because it will not recover from this. This will just stay this way and I'm not 100% sure why. Well, I have some kind of idea why. But now, if you run it again, it will work.

B: So let's go back into our Terraform code to, yeah, get back into it a little bit from last time. We were off the last time, but the last time we looked at Terraform, we have some, yeah, basic stuff, like our SSH keys at the top, and then we have a definition of our server and our agents, and one thing we can notice here is that we define the network of our servers right here inside of the server resource, and then we tell Terraform that this resource depends on the subnet resource.

B: So when we do terraform plan or terraform apply, it will use this dependency to know that the subnet needs to exist before it attempts to create the server, and then here at the bottom we have the subnet itself, and for some reason this works during the creation, because we have this dependency here.

B: It just tries to delete everything, and I think it tries in the wrong order, and then the API denies to delete the subnet in the network because there are still servers attached or something, and then when we run it a second time, those servers are not attached anymore and that's why we can delete the network then.

B: So that's a bit sad, and back in February when we did this, it was a new feature that we could even define the network right here in the cluster. So what we can try now is to upgrade the Terraform provider.

B: Maybe it got fixed in the meantime, and if it isn't fixed, then we can use another way to assign a network to a server where I know that it works, because I used it in another project in another way. So at first, let's try to update our Terraform provider, so the latest release is not 1.24 but 1.26, with a bunch of nice new features, and maybe there's a bug fix in there.

B: Each time I do terraform apply or terraform destroy, I'm so glad we did this in Terraform, that we did this in code, because it's so much easier than clicking everything in the web interface. Okay, interesting! So it's a different error. Now it's not just trying again and again without success. It straight away tells us that it can't remove the subnet because servers are still attached.

B: Maybe it's even a bug in the Terraform provider from Hetzner, I don't know, so maybe it would be worth it to look into it a bit deeper and open a bug report. Maybe, or maybe there is an open bug report, I don't know, I haven't checked for it.
B: The background, yeah, but luckily I can just open the bug report and then I will say it's not my department, because it's the Terraform provider.

B: As far as I know, it's managed by a different team, but it's, yeah, we will see. I will report back if I learn anything about this, and yeah, it will be interesting. So if anyone is watching the stream and has no context: tomorrow is my first day at Hetzner Cloud, so it's, yeah, it's an interesting day for me tomorrow. All right, so we will solve this in a little bit different way here, and I will share a different window for this.

B: Sources. All right, so what we want to look at is the Terraform provider.

B: And so, if you were wondering why I knew that the newest version is 1.26, it's at the top. Here we can see the latest version, and then we can check what resources exist, and what we are using is the hcloud_server resource, and we are defining the network down here right now, and then we add this dependency.

B: So anyway, we will just act like this network assignment in the server resource does not exist, like it was earlier. I think in 1.23 of the provider or something, this was not there yet, and instead we will use the hcloud_server_network resource, which is just an additional resource where we add an hcloud_server. We had an hcloud_network and a subnet.

B: We have all this already, and then we add an hcloud_server_network resource where we tell Terraform: here, please assign this server to this network, and if we want to, we can even assign an IP, and for some reason this is handled better in the provider or by Terraform, I don't know, but if we do this, then the creation and the destruction will work without any issues.

A: You can, no worries, we can think out loud or share other things. I will link the bug report, which was shared in the chat, in the blog post which I'm writing in parallel, and yeah. Then we should be good to go.

B: Yeah, correct. All right, so we are back in our Terraform code. My camera is disabled, right. Why is my... each time I disable and enable screen sharing, my camera gets disabled. So that's helpful.

B: Let's just do it here below our subnet. We create a resource, hcloud_server_network, and we call it, well, what did we call our server? We just called it server. Okay, let's just call this server then as well, and we use count. I mean it's not strictly necessary because we have only one server, but in case that at some point in the future we decide we need a highly available control plane for a cluster, then we could have two or three servers.
B: Yeah, after Philip did this merge request to format all this in the right way, I actually configured my Visual Studio Code to just do it on every save of Terraform code, but a few days ago I changed a few things on my computer because I had a few days off, and now all my Terraform... all my Visual Studio Code settings are gone, which was intentional, but I haven't, like, reconfigured everything yet, so that's why there's nothing fancier here anymore. All right! So.

B: Yeah, I have seen it in one of the earlier Everyone Can Contribute sessions, it looked definitely very nice and like a handy tool, I agree, especially for programming stuff.

A: Just, just advertisement: there will be a Gitpod community day by the end of April, I think on the 27th, and I'm probably speaking there, and it could be a good idea to have something around Terraform as well. So please continue, just talking.

B: So this is the nice thing about this count parameter in Terraform, because we write this once and we get two resources out of it, and if we would create 200 agents, then we would get 200 of those resources. So that's nice. All right, then, let's apply this. Should be as fast as before, but hopefully the terraform destroy will work now.

D: But the thing on the count is, I don't know if anybody, everybody knows Terraform, the thing is with count it's a little pre-0.12 syntax, right, because with count you will later have the issue, if you want to replace something inside the count, then it's really hard. So that's why they introduced this for_each now, with 0.12.

D: It is, for example, comes to mind when you want to change a CX to another version of the server type.

B: Yeah, yeah, I was also thinking, we need a better way, also if we... yeah, it's very similar to when we want to replace some parts of it or want to delete some of it. We kind of need a way to also delete the nodes from Kubernetes then, because right now the nodes are always registered but never deleted. So it would be nice if we add some hook to Terraform to unregister those if we delete them with Terraform.

B: No, it's not really from this. It's more like from before the hcloud existed, the Hetzner Cloud. I used a Hetzner root server, and that's always something between 30 and 50 euro per month, and then for a while I used two, while I was migrating from one to the next one, and that's just like, if you pay 50 euros each month for a few years, then it's, I don't know, it's, but yeah. It.
A: Running, and I get lots of notifications in my Hetzner Cloud account that resources are being created, and now, no, I don't care, it was... I was just curious checking on, since Philip mentioned the count is going up. Last week I checked we were at like 19 euros for the month, so nothing to worry about.

C: It's amazing in the Hetzner console: if you watch closely, if you have it open in, like, one window and do your terraform apply in the other window and take a look at how fast the notifications come, it's like half a second or something of delay. I was quite amazed when I saw that the last time I created some server, or even in the DNS console or something, that's really well done by them.

A: And I think the API and everything else is really stable, so you don't recognize any delays. Yes, yes, I've seen it with OpenStack and other setups, where the API is totally overloaded with automation and the user interface doesn't work because it also consumes the REST API.

C: That's really relevant in regards to that, too, definitely. I mean, I'm running my personal setup, it looks quite similar to what Max is showing here. I have no idea where that's coming from. I'm running at Hetzner too, and I mean it's not like the cheapest one. You could do it a bit cheaper somewhere else if you just, like, take some root VMs or something like that. But, I mean, the performance and the stability speaks for itself.

A: Yeah, so my... I need to, like, rebuild my blog, which is running in a Docker container in a virtual machine currently, but I've kind of started it last February, never touched it again, except for updates sometimes. And for the Everyone Can Contribute group, we are at the number of 27.51 euros for one month, which is totally okay for playing around and learning Kubernetes and stuff. So Max, back to you.
B: Great, yeah, we now have, like, we have nothing really new, but it's better now, because it makes testing more comfortable if we delete stuff and it's really deleted and there's not this weird feeling of "oh, I have to retry the deletion, and now it works." Maybe now it just works reliably, that's nice! So now we switch over to a completely different topic. It's, yeah, completely unrelated to what we did until now, but it's still in Terraform. So I will just continue down here.

B: So if you use a firewall in the cloud, you could have one on your node right here. We could apply some firewall on this machine, on this server, on this Linux server; we would do this with iptables, for example, and configure it to, I don't know, only allow SSH access but nothing else to the VM or something, and that's like the more traditional way of firewalling a Linux server, and then, yeah, in a traditional setup you have some different firewall before your normal servers.

B: Where you tell the cloud provider: please only allow, yeah, TCP traffic on port 22 to my server and block everything else, and yeah. That's nice for us, because it's an additional layer of security, because now, even if we accidentally expose some port on our machine, it's still not exposed to the internet, because this cloud provider firewall is before that and already drops all unwanted traffic, and yeah, that makes it a bit safer. It's definitely something for the peace of mind to just know this different firewall is there.

B: You should still think about what you expose and what you run in your cluster, right. It's not like you're safe from everything now, because you could still expose something and the firewall for this port is open and the traffic goes in there, but it's definitely one tool to improve the security of our cluster, and, I don't know, one, two or three weeks ago, I'm not really sure, Hetzner released their own firewall-as-a-service feature for the Hetzner Cloud, which I think was one of the most wanted features of the community.

B: At least for me, it was like the most wanted feature because, especially with Kubernetes, it's sometimes easy to accidentally open a network port, or it's often desirable to allow all network traffic between your nodes but not from the outside, and then, yeah, it's very helpful if we have this additional layer to the outside, and yeah, so we are going to implement this now. We are going to add some Hetzner firewalls to our servers, and yeah.

B: Now the new resource type is hcloud_firewall. Let's call it, for example, base. So it's, as always, just a name we choose, and then we want to name it base. So it's a little bit duplicate, but this one is the resource name for Terraform, that's the name in the hcloud API. So it's a different thing. Then we define a firewall rule.

B: We only use it for incoming traffic; it's also possible to create some rules for outgoing traffic. But, yeah, I wouldn't recommend outgoing firewalling as long as nobody forces you to do this, because from an operational perspective this is hell, even though there might be some security considerations which make it necessary, but, for example, for our Kubernetes cluster:

B: Our nodes need to be able to communicate to the outside, because if we want to run some Docker container, it's going to open a network connection to the outside and pull this Docker image and then run it, and for all this kind of stuff. So if you wanted a cluster where the nodes have no internet access, then we would need to proxy everything or provide all Docker images locally and so on and so on, so yeah, it would... I'm...
B: And now we use a different protocol. The first rule is just to allow ICMP so we can ping our server, and that's not necessary to make it work, but it's a good practice to allow ICMP traffic to your server. So if people are trying to debug why they can't reach you, they should be able to rely on ICMP.

B: So we are not going to block this. Also, we are allowing TCP traffic on port 22, that's SSH, so we can connect to our servers via... let's just copy this for a second so I don't have to type it all, and yeah, those two we want to allow from everywhere. So that's why we define zero, zero, zero, zero, slash, zero. I think that was a zero too much, but four zeros slash zero, which is, yeah, the notation for all IPv4 addresses, and then we have the same for IPv6. Okay.

B: Where do we put it? Maybe at the bottom? Oh, I did not remove this. I removed it from the agent, but not from the server, right. We can remove this here as well. Interesting that it still worked, but probably because it's the same content, so there was no conflict. Anyways, we can define some firewall IDs, and so we are going to reference our firewall, which we call base, with the...

B: Right, so here it's the same: firewall_ids for both. Then at the bottom we have... you can see here, the yellow means that we are not going to delete it, but we will update it in place, which is nice, because we can just keep our server running and we're going to remove this network definition here. So hopefully this won't break anything, but I think it won't. All right. Let's apply this.

A: Yeah, maybe he blocked ICMP, and now the monitoring is red.

C: Wow, yeah, I was thinking, as he was just showing the network definition in the server block, that maybe the server had two attachments to the internal network at that point in time, so one was defined by the explicit server network resource and one was defined by the server block itself.

A: Yeah, maybe I'll just, like, bridge the... bridge the time with the comment I wrote in the chat, around, like:

A: Should I block ICMP? And I've seen that Windows, at least until, what's the current Windows version, 10, it blocks ICMP by default, and if you need to, like, monitor a Windows host with an agent, you either have some automation in place which enables ICMP in the firewall or you do that manually, which is total fun for 10,000 agents, and I think I documented it somewhere how to do it, like, with a PowerShell script.

A: But there are always opinions that this is totally insecure and you shouldn't do that, so yeah, I'm a big fan of having ICMP available, and still, like, checking if DNS is working and doing a ping instead is not the right tool. Probably this is why it's blocked.
C: Yeah, I'm doing stuff related to hosting for, like, eight years now professionally, and like 10 or 12 in total, and I've never seen any instance where blocking ICMP has helped anyone, and I've seen a lot of instances where blocking ICMP has led to hours and hours of debugging until somebody just found out: oh, yes, it didn't work because we blocked our ICMP. And that makes me kind of happy about the fact that IPv6 does not really work if you block ICMP; you need it for the path MTU discovery.

A: Yep, probably it's hard to change, so customers expect that it's blocked in their setups, and if Microsoft would be going ahead and say "we're enabling this now, not blocking it anymore," it probably has some unexpected...

C: It's definitely a thing of don't break expectations of your users. So I mean that's a good thing about the growing IPv6 adoption, so we can just continue to do it in IPv4 until IPv4 is no more, so in, like, 120 years.

C: The draft is about as old as I am, so it's from 1990... 1996, it's a year younger than I am, so it has existed for 25 years now, but it's officially become a standard only as late as 2018, and that's just three years ago. So I can kind of understand that some people who heavily rely on stuff being a standard haven't implemented it.

E: Yeah, mostly there are a lot more problems in terms of, when you're looking at providers, also cable ISPs, mostly they're doing not a real dual stack, so you get only DS-Lite, so by the end you get an IPv6 but you're getting also an IPv4, but this is carrier-grade NAT, so it's like really shitty when you want to do networking on your own. So mostly then you are forced to do IPv6 mostly, but then sometimes not all websites support IPv6, that's right.

A: I was just thinking about the German Telekom, which I use at home. Sometimes DNS resolution with rubygems.org doesn't work, and then I, like, reboot the router or do something else. Sometimes it's IPv4 related, sometimes IPv6 related, I don't know, so it's still not as stable as I would want it. Still, if you don't do it now, and the Telekom does it since 2012, when I moved to Nuremberg, if you don't do it and use it in production, you will never learn it.

E: Yeah, mostly also some shout-outs to the Telekom guys, because they also enable you IPv6 on the mobile. So you can get a real dual stack IP address on mobile. Also, it seems they are the only carrier currently, more or less, that allows that, so that you have an IPv6 on the mobile network.
B: My home network is tunneled through the Everyone Can Contribute cluster, right. I don't know, everything was stuck and I needed to reboot, which is weird. Anyway, the last thing we did before this happened was: we executed terraform apply with our new firewall resource, and then I tried to switch over to the browser to show you in the web interface, and that's where it stopped working.

B: If we wouldn't have our beautiful Terraform code, then we could click here and just add other servers to it. So by default, all traffic to each server is allowed. But as soon as we apply a single firewall rule, all traffic will be blocked except the traffic we allow in our firewall rule. So if we click here, then it will block all traffic to the Docker host except ICMP and SSH.

E: Yeah, it doesn't break with change, it would only break... it would break on change if you delete the resource without Terraform, but then you can taint the Terraform resource, so that Terraform knows that it's going to be deleted.

B: Yeah, only if we already deleted it, then it would be okay.

E: Yeah, terraform taint means that it allows you to duplicate your own resource, probably.

E: Yeah, it will do a recreation, yeah, because the resource still exists in your Terraform files, and yeah, that's the reason why it would recreate it, yeah, that's true. I...

A: Yeah, definitely, so can I prevent a specific resource from being created or recreated, like blacklisting it?

E: Yeah, you can do some stuff about that. What you can do is: Terraform has the lifecycle, so each resource has a certain own lifecycle, so you can do lifecycle resource changes. So the typical way of Terraform, what it is currently doing, is that by default Terraform deletes the resource first and then recreates it, but you can also do the opposite, so that Terraform will create first the new resource and afterwards it will delete the resource.

E: There, probably one mix is: I can look for the lifecycle stuff, because also what's important: you can also ignore changes on the Terraform object, or on a Terraform resource. All right.

E: Okay, yeah, so you have... these are the meta arguments, so in every resource you can define a lifecycle configuration and you have different types of lifecycle elements. So, first of all, it's obvious, that I explained before: the create_before_destroy, so that you are creating a resource before it will be destroyed. You can also set the prevent_destroy, so that Terraform would reject automatically when you try to destroy this resource and says no, it's not working, and another important option is also ignore_changes.

E: So this attribute allows you to not recreate a resource or not update a resource. For example, when you're changing only the tags or something like that, or you don't want to see that, or sometimes I use this also when I need to have a workaround on broken providers or Terraform providers, because sometimes you're coming into the state that Terraform says: hey, I want to update the resource because I have a different state on the API instead of my current state, but the provider doesn't support that right now.

E: So, for example, it means like: hey, we have a new field, for example, that the server instance has a logging option, so that I can directly enable it already on the server, on the API level, but Terraform doesn't support that right now, but Terraform would show you every time the change that's currently happening: hey, you need to add this log_enabled field to your state, but because the provider doesn't support that, you can say ignore these changes and it won't ask you anymore for that.
B: Yeah, that's very nice because, for example, for the server instances on Hetzner, when we change the SSH keys for the server, then the server will be recreated to assign the new keys or to remove others, and for our setup, for example, it would be nice if we can change it in Terraform, but the keys are also updated by Ansible anyway. So for existing instances, we could leave it managed by Ansible, but for future instances it would be managed by Terraform then.

B: All right, yeah, it's nice. Terraform has many, many options I have never heard of, and this is definitely...

E: Yeah, mostly count can be used for using feature flags also, so that you enable, when you do, for example, yes, that you do a condition and say: okay, when agent C is enabled you can put a 0 or 2, for example, so that you have a feature flag on the resource, so that you don't need to create, don't need to remove a resource from your state, that you can say: hey,

E: I want this feature, this resource, enabled or not, so that helps you later in infrastructure scope managing in the lifecycle, that you don't need to remove resources. You set up only values to update your stuff.

B: But maybe let's try to wrap up the firewall stuff, so yeah. If we do another five minutes, then we can finish this topic and then we don't need to, like, pick the same up next week, and then we can do something else next week. We created this base firewall and now we need to allow traffic to our k3s, or to our Kubernetes API.

B: You mean why it removes this one, and yeah. I think I talked to them about it. It's because of the implementation in the Terraform provider. He mentioned something like: this is the list of firewall rules, it is a set in Terraform, and there is no way for the provider to, like, expose a more beautiful diff. In this case, it's always like replacing the full content.

B: On the specific ones, when we already know they exist, you mean? Yeah, because, yeah, that we could do, yeah. But let's... no, let's not do this for now, because it won't really remove it, I think, but... and then this change, I think, is because earlier we removed this inline network assignment, which we forgot earlier to remove. So that's why this change comes now.

B: Because I expected it to break in this case, yes, but interestingly, at least in my private cluster, it did not break. Okay, let's see, so I'm not really sure what this implies routing-wise, like, because the firewalls allow all traffic over the internal network, and so my interpretation was that in some way this traffic, even though it's sent over the public IPs, appeared to be still routed internally enough to not reach the firewall.

B: It's... I wanted to dig into this a bit more because, for me, it's important to know which traffic is allowed and which is not, and like, will it be blocked if we remove the private network or will it still... because if it only works as long as the private network is there, I'm fine with it, but if it still works after removing the internal network, that would be bad, so yeah.

B: That's definitely something we could look into, or maybe we should... I'm not sure if we should do it live or separately and then talk about it. But yes, when I found out that the traffic is still routed via the external IPs, I was very surprised that the firewalls did not break it.

B: And yeah, one thing we can do next time is to change the traffic anyway to work over the internal IP addresses. In the end, it's one configuration parameter for flannel, for the WireGuard backend. All right, so.
A: Yeah, maybe combine it, I'm not sure if we would, like, take one hour for writing a bit of YAML for the deployment, so I think, or like probably it takes that long because we make mistakes or try things out, but I think we have reached a level where we can combine the Lego building blocks and just build on top of that. So now we automated it, made it idempotent, I think, in the important...

A: So basically we get the same state every time we run it, and if we destroy it, we can still recreate it to resources again. I think a good way of battle testing would be to say: well, I'm on vacation next week, I'm gonna try it myself with a fresh Hetzner account or my private Hetzner account and see how things are going, and maybe we need to, like, fix something or generalize something so that everyone can just say: hey, click, and provision a Kubernetes cluster in Hetzner Cloud within...

A: I don't know, five minutes, yep, and later on, and this is something I cannot wait to try out, is the Prometheus operator and, like, put everything on top, but I can't wait. We still have, yeah, we have this year probably, but we can just play around; the only exception, yeah, lockdown in Germany, not knowing what to do. No, in two weeks' time:

A: Sebastian from Opstrace will join us and do a demo about Opstrace. I think it touches base with Kubernetes and cloud native and everything around it. So it's, I think it's a good topic change, like having someone external presenting something else, but we can, like, hop back in the week after and say: hey, Opstrace and Kubernetes, how does this work, or doing something different?

A: I'm trying to organize maybe someone from snoop, where I'm in touch, and I think, I don't know, I have some other contacts in the pipeline, or maybe Annas wants to do something, or we do a coding session or we learn something new. I'm totally open for everything. Anything else?

D: That it not break, so, is it not? Did they get notes, keep control, yeah.

E: Yeah, but in case, because it says it's running on your system that they are all using the API server port, so the 6443, and also the WireGuard tunnel uses... no wait, probably the difference why: that uses UDP, not TCP, and your firewall rules are all TCP rules.

B: Maybe, I could imagine that Niklas is right, that I created only a TCP rule and now only all other TCP traffic is blocked.

E: I can, and by default all outbound traffic is allowed, because, probably, I think it works because the connection was established before, so I think you can't open new connections to the ports, also not to UDP, because it would be blocked, but the firewall doesn't cut established connections.

B: Yeah, but I'm not sure about... you are right, yes, but in my private setup I rebooted machines, okay, after I created the firewall, and the WireGuard continued to work.

B: That's interesting. Let's...
A: I'm used to, like, reading Linux firewalls and iptables, and I know that I need to reject everything and then I'll do, like, remove everything and then allow what I want specifically.

A: Yes, deny is visible in there, so you need to add it, and if you removed it, it doesn't make sense, but still it's a valid firewall. If.

B: The documentation I posted sounds a lot like the UDP traffic should be dropped since we created the TCP rule, right? Yeah, so it would... if it doesn't work like this, then I could definitely work towards updating this documentation.

A: Yeah, I think it's in beta right now, at least if I interpret the tweet correctly. So yes, it could still be something. It doesn't look like beta to me, but it could be, like, a bit which is wrong or an off-by-one error or something else. So.

B: Let's look into this a little bit outside of the call. I think this, we need a bit more time.

A: Probably, and you could also reduce the amount of involved components and say: hey, this is my virtual machine, nothing on it, and then debug the firewall. Yes, definitely.

B: No, no, no, let's do two... let's do four sessions of network debugging and completely go nuts. All right. I think that's it for today. So we have now firewalls in front of our servers. We will find out what's going on with UDP traffic and then go back to this in the future. Then next week we can do the GitLab pipeline.

B: We can build this on top of what I have prepared in my private cluster, so we should be going to start on top of this, if you are fine with it, and then I think the week afterwards we have the guest from Opstrace which Michael mentioned, right? Yep, all right, and then afterwards, then, let's see what we do afterwards, right.

A: Yeah, maybe adding monitoring, maybe breaking things, as said, it's a good way of learning, and I really appreciate that you prepared for today and we can continue learning Kubernetes and automation, and at some point maybe Philip wants to jump in and do the KubeOne thing, or, like, the automation which doesn't involve Terraform and Ansible.

A: So everyone is, everyone can contribute. That's the thing, yeah, and with that I would say: let's leave it with that. We will publish the blog post later on, covering all the URLs and the things we discussed.