do_not_redeem 3 days ago

Worse than yaml generated by string interpolation?

1
PittleyDunkin 3 days ago

You'd have to give me an example. YAML is certainly better at representing tables of data than a shell script is.

1 reply
do_not_redeem 3 days ago

Not entirely a fair comparison, but here. Can you honestly tell me you'd take the yaml over the shell script?

(If you've never had to use Helm, I envy you. And if you have, I genuinely look forward to you showing me an easier way to do this, since it would make my life easier.)

-------------------------------------

Shell script:

  iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
Multiple ports:

  for port in 80 443 8080; do
    iptables -A INPUT -p tcp --dport "$port" -j ACCEPT
  done
Easy and concise.

-------------------------------------

Kubernetes (disclaimer: untested, obviously)

  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  spec:
    trafficPolicy:
      firewall:
        rules:
        - name: allow-port-8080
          ports:
          - port: 8080
            protocol: TCP
    podSelector:
      matchLabels:
        app.kubernetes.io/name: my-app
Multiple ports:

  firewall:
    rules:
      - name: allow-port-80
        ports:
          - port: 80
            protocol: TCP
      - name: allow-port-443
        ports:
          - port: 443
            protocol: TCP
      - name: allow-port-8080
        ports:
          - port: 8080
            protocol: TCP

  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: firewall
  spec:
    trafficPolicy:
      firewall:
        rules:
          {{- range .Values.firewall.rules }}
          - name: {{ .name }}
            ports:
            {{- range .ports }}
            - port: {{ .port }}
              protocol: {{ .protocol }}
            {{- end }}
          {{- end }}
    podSelector:
      matchLabels:
        app.kubernetes.io/name: my-app

2 replies
PittleyDunkin 3 days ago

I don't know why on earth you'd use mustache with yaml, but the unmustached yaml is much more readable. The reviewer doesn't even need to know iptables. (Which is good; i've only ever worked with nftables (which has the same issue of leaning in to serializing tables as commands) and pf.) Concision is not working in your favor here.

threeseed 3 days ago

I would take the YAML any day.

Because if one of those iptables fails above you're in an inconsistent state.

Also if I want to swap from iptables to something like Istio then it's basically the same YAML.

2 replies
dmm 3 days ago

> Because if one of those iptables fails above you're in an inconsistent state.

These days iptables is a legacy interface implemented on top of nftables. And nftables does provide atomic rule replacement: https://wiki.nftables.org/wiki-nftables/index.php/Atomic_rul...

So you would have a file with something like:

    table inet filter {
       chain input {
           tcp dport 8080 accept
       }

    }
The you would atomic apply it with:

    $ nft -f input_file

rnewme 3 days ago

You obviously didn't use k8s (or k3s or anything other implementation) a lot, because it also messed us iptables randomly sometimes due to bugs, version miss match etc.

1 reply
threeseed 3 days ago

Have been Kubernetes for the last decade across multiple implementations.

Never had an iptable issue and these days eBPF is the standard.