Henrik Gerdes

@hegerdes
Software & System Engineer - Let's run some Code⚡
GitHub: https://github.com/hegerdes
Website: https://henrikgerdes.me/

TIL: You can force the interface that is being used for IPv6 requests by adding `%eth0` or whatever your interface is called to the address. It's called a zone index.

I wonder how many IP parsers will NOT handle this correctly. Like always, `curl` handles it just fine 😄

@hetzner

Is there a timeline for your IPv6 IMDS (metadata) service? The `fe80::a9fe:a9fe` address landed in cloud-init `v25.3` but the endpoint does not answer yet.

It sure would be a cleaner approach than the temporary `Attempting setup of ephemeral network on eth0 with 100.66.126.172/32 brd 100.66.126.172` approach on IPv6-only nodes.
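The zone index from the TIL post and the `fe80::a9fe:a9fe` metadata address from the post above, as an added example that is not part of the original posts: a destination check that splits off the zone before classifying the address. The function names, the verdict strings, the zone-only-on-link-local policy and the sample inputs are assumptions made for illustration.

```python
import ipaddress

# IPv6 metadata address quoted in the post above.
IMDS_V6 = ipaddress.IPv6Address("fe80::a9fe:a9fe")


def split_zone(host):
    """Split 'addr%zone' or the URL form '[addr%25zone]' into (IPv6Address, zone)."""
    host = host.strip()
    if host.startswith("[") and host.endswith("]"):
        # RFC 6874: inside a URL the '%' delimiter is written as '%25'.
        host = host[1:-1].replace("%25", "%", 1)
    addr, sep, zone = host.partition("%")
    if sep and (not zone or "%" in zone):
        raise ValueError(f"empty or malformed zone index in {host!r}")
    # Parse only the address part, so the result does not depend on the
    # scope-ID support of the ipaddress module (added in Python 3.9).
    return ipaddress.IPv6Address(addr), (zone or None)


def check_destination(host):
    """Return (canonical_address, zone, verdict) for an outbound-request filter."""
    addr, zone = split_zone(host)
    if zone and not addr.is_link_local:
        # Policy of this example: accept a zone only on link-local unicast.
        verdict = "reject: zone on non-link-local address"
    elif addr == IMDS_V6:
        verdict = "metadata"
    elif addr.is_link_local:
        verdict = "link-local"
    else:
        verdict = "other"
    return str(addr), zone, verdict


if __name__ == "__main__":
    # Constructed sample inputs: one address in several spellings, plus edge cases.
    for sample in ("fe80::a9fe:a9fe%eth0", "[fe80::a9fe:a9fe%25eth0]",
                   "FE80:0:0:0:0:0:A9FE:A9FE%2", "fe80::1%eth0",
                   "2001:db8::1%eth0", "fe80::1%"):
        try:
            print(sample, "->", check_destination(sample))
        except ValueError as exc:
            print(sample, "-> invalid:", exc)
```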

We see it with npmjs, DockerHub and even GitHub. One becomes too dependent on it, and the larger it grows, it becomes an increasingly interesting target for attacks - with the corresponding blast radius.

For krew it is also pretty easy to host your own plugin index and I think this will stay my recommended installation approach even though it is now in the default index.

Anyway if one wants to check it out: https://github.com/hegerdes/kubeclt-crd-sample

I wrote a small kubectl plugin that generates example manifests based on CRDs.
Created a small PR to get it into the kubectl krew plugin index. A maintainer raised a (totally valid) concern that there is a similar plugin doing pretty much the same plus some extras. I was completely fine to close my PR - suddenly a change of mind and it was merged this morning 😅
I was thinking about this for some time and I'm more and more convinced having a central/default index might not be the best approach.

+++ .de zone "broken" +++

If you are currently seeing SERVFAIL for .de domains: it's not you and it's not us.

The .de zone currently seems to be broken because of DNSSEC. Bit by bit, all unsigned zones will probably stop "working" when resolvers validate.

Hmpf.

#DevConf_CZ 2026 is less than 2 months away, and there’s so much to look forward to!

Two amazing days of #learning, exciting #opensource-themed talks, discussions, workshops, meetups, booths and endless networking opportunities.

➡️Don't miss out - register now: https://www.devconf.info/cz/#registration

For my #Kubernetes tests I'm compiling my own version of crun.
I've been using #wasm support for over a year. Now I found out about kvm support via libkrun. And while at it, I added criu support for checkpointing.
Let's see how the week will go and how it compares to something like kata-containers.

I thought this would be a quick fix - just enable the envoy conf that would normally just be deployed in IPv6 and done.

But no. I now think it is some "smart" filtering that cilium/envoy does at the eBPF layer.

Issue is on GH: https://github.com/cilium/cilium/issues/42950

Cilium Gateway with Envoy rejects IPv6 PROXY headers from LB while IPv4 works · Issue #42950 · cilium/cilium


Simulating Network Latency in Kubernetes with Traffic Control (tc)

https://ruivieira.dev/blog/2025_07_11.html

#kubernetes #networking #DevOps


The datapath is totally fine, it's just an L7 filtering module in cilium's envoy.
Let's see if I can fix that.