IP Forwarding Security Issues in K8S

On any of the K8S nodes, you can see a routing table similar to the following.

    > ip route show
    default via 192.168.0.1 dev ens18 proto static
    ...
    10.42.1.0/24 via 10.42.1.0 dev flannel.1 onlink
    10.42.2.0/24 via 10.42.2.0 dev flannel.1 onlink
    ...

The 10.42.1.0/24 and 10.42.2.0/24 subnets in this table happen to be part of the K8S overlay network, and this routing table gives you a clue that you can access the Pod from any node via Cluster IP.

Why does C++ need std::function, even though it already has function pointers

In C/C++ you can hold a pointer to a piece of code; this is called a function pointer. Suppose there is a piece of code like this:

    #include <stdio.h>

    /* an ordinary function: takes an int and returns it incremented */
    int func(int a)
    {
        return a + 1;
    }

    int main(void)
    {
        int (*f)(int) = func;       /* f now points to func */
        printf("%p\n", (void *)f);  /* %p expects a void pointer, so cast before printing */
        return 0;
    }

We define a function func, then use the pointer variable f to point to the function, then print out the address pointed to by the variable f.

Golang Context

Starting with Go 1.7, the context package was officially introduced into the standard library. In fact, we often encounter “context” in Go programming, both in general server code and in complex concurrent programs. Today, we’re going to dive into its implementation and best practices. The official documentation explains the context package as follows:

Package context defines the Context type, which carries deadlines, cancelation signals, and other request-scoped values across API boundaries and between processes.

Go Goroutine and Channel

When it comes to the Go language, it is important to mention concurrent programming in Go. Go adds good support for concurrent programming at the language level, unlike other languages such as Python and Java that use the Thread library to create new threads, and the thread-safe queue library to share data. Go’s support for concurrent programming relies on two fundamental concepts of the Go language: Goroutine and Channel. Concurrency is about dealing with lots of things at once.

Go Interface and Composition

Go Interfaces and Duck Types

What is a “duck type”? If it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck. Traditional static languages such as Java and C++ require a type to explicitly declare that it implements an interface before it can be used anywhere that interface is required, otherwise the code won’t compile; this is why static languages are considered safer than dynamic languages.

Getting to know iptables from scratch

In the process of using Linux, many people like me often come across iptables, but they know it only as a tool for setting up a Linux firewall and don’t know how it works. Today, we will start from scratch to understand how iptables works on Linux. iptables is part of the netfilter project and a common firewall software on Linux, so before talking about iptables, let’s first sort out what a firewall is.

Writing Robust Shell Scripts

Writing shell scripts should be a must-have skill for programmers. Because of their simplicity and ease of use, we often use them in our daily work to automate application testing and deployment, environment cleanup, and so on. Yet when writing and running shell scripts, there are various pitfalls that, if you are not careful, can stop a script from executing properly. There are many tricks for writing robust and reliable shell scripts, so let’s explore them today.

Installing the Go application as a system service

In the article “Getting reviewdog to support gitlab-push-commit”, gitlab-runner (an application developed in Go) installs itself as a system service via the install command it provides, as in the following steps.

    # Create a GitLab CI user
    sudo useradd --comment 'GitLab Runner' --create-home gitlab-runner --shell /bin/bash

    # Install and run as service
    sudo gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
    sudo gitlab-runner start

On mainstream recent Linux versions (other OSes, or older Linux versions using daemon service managers such as sysvinit, upstart, etc.

Webpack Usage Summary

Divide and conquer is an important idea in the field of software engineering, and the same applies to the increasingly complex front-end. Generally, after choosing the right framework, front-end teams should start to consider the efficiency of development and maintenance. Modularization is a popular means of dividing and conquering in the front-end field. There are already many specifications and tools for JavaScript modularity, such as CommonJS/AMD/requireJS/CMD/ES6 Module, which were described in detail in the previous article.

JavaScript Modular Development

With the advent of the Internet era, front-end technologies are being updated at a faster and faster pace. Initially, a few lines of code embedded in script tags were enough to implement some basic user interaction, but now, with the development of Ajax, jQuery, MVC and MVVM, the amount of JavaScript code has become increasingly large and complex. Web pages are becoming more and more like desktop programs, requiring a team that divides up the work and collaborates, progress management, unit testing, and so on.

SRE to the left, DevOps to the right

1. A process without responsibility is meaningless

Software architecture and organizational structure should match each other, not only in functional boundaries but also in the division of responsibilities. Only with clear boundaries of responsibility can good team collaboration and development be built. Each team and each person should understand their own goals, what they should take on and what they should avoid, and devote their time and energy to things that contribute to the main goal rather than getting stuck in trivialities.

How does the CPU interact with memory?

Explore the memory hierarchy of a computer, how the CPU reads and writes data in memory, how data consistency is maintained in the CPU cache, and what virtual memory is and why it needs to exist.

Overview

Currently, SRAM is mainly integrated into CPUs. Each CPU core has its own L1 cache, usually divided into an instruction cache and a data cache that store the instructions and data used by the CPU separately; each CPU core also has an L2 cache, but it is often not inside the CPU core itself.

Using Python to generate pixel painting images

The family bought tiny building blocks for the kids to play with, and since the instructions that came with them only had a few pictures, they were finished after a few builds, so I planned to use Python to make a pixel painting picture tool. The overall logic is very simple:

Read the image using the Pillow package
Split the image into square blocks of pixels
Get the color that appears most often in each pixel block and use it as the color of that block.

Switch from netctl to systemd-networkd

I decided on a whim one night to switch the network manager from netctl to systemd-networkd, and the switch went smoothly. This article documents the switching process and briefly describes how the combination of systemd-networkd + iwd works.

Introduction

netctl

netctl is Arch Linux’s own child, with upstream at https://git.archlinux.org/netctl.git/, and is the only network management tool other than systemd-networkd to have entered the base group. It relies on dhcpcd or dhclient to obtain dynamic IP addresses, wpa_supplicant to access encrypted WiFi, and wifi-menu to interactively select hotspots and enter passwords from the command line.

Istio's ambient mode

Ambient is a new data-plane mode that Istio has just announced support for. In this post, we will try to install Istio’s ambient mode and use the bookinfo demo to experience the L4 and L7 capabilities offered by ambient. Note: L4 refers to layer four of the OSI network model, i.e., TCP-layer processing. L7 refers to layer seven of the OSI network model, the application layer, which generally means HTTP protocol processing.

Resolving Dependency Injection with the Wire Tool from Google Team

I wonder whether you have encountered interdependencies between components when writing services in Go: object A depends on object B, and object B depends on object C, so before initializing object A you must first initialize B and C. This is a complicated relationship. Perhaps you will think of another approach, which is to declare each object as a global variable. I personally do not recommend this usage: although it is very convenient, it makes the overall structure very complex.

Observing Kubernetes network connectivity with Kindling

I recently had a requirement to collect external network access from Kubernetes, so we investigated and tried out related projects. This post focuses on how to install Kindling and configure Grafana to view Kubernetes network connection data.

1. What is Kindling

There are currently two versions of Kindling, an open source version and a commercial version. The open source version, which collects data in insufficient detail and can only be observed through Grafana, and the commercial version, which has enhanced functionality, are described on the project’s GitHub home page and will not be repeated here.

Govulncheck

On September 7, 2022, the Go security team published the article “Vulnerability Management for Go” on the official Go blog, officially introducing all Gophers to Go’s tools and solutions for security vulnerability management. In this article, the Go security team introduces a command line tool called govulncheck. This tool is essentially just a front-end to the Go vulnerability database: through the vulncheck package under the officially maintained vuln repository, it scans the Go source code or compiled Go executable binaries in your repository, building a call graph of the source code and the call stacks that reach vulnerable functions.

How to monitor Proxmox with Prometheus+Grafana

I have a small Dell machine (Optiplex 5050) running OpenWrt virtualized on Proxmox, and I noticed a while ago that my home network was sometimes lagging. When I looked at the monitoring on Proxmox, I found that the OpenWrt virtual machine was running at 100% CPU during this time, so no wonder it was very laggy. I also have another small Dell machine (Optiplex 5080), also virtualized on Proxmox, and the two Dells add up to a total of 5 virtual machines, so it’s time to set up monitoring.

JSON Web Token

In recent years, front-end and back-end separation has become popular. In a typical front-end and back-end separated application architecture, the back-end mainly acts as a Model layer that provides the data-access API to the front-end, and communication between the front-end and back-end has to take place over heterogeneous networks that are not trusted (Zero Trust). In order to ensure the secure and reliable transmission of data between client and server, it is important to implement client-side authentication.