undefined | Better HN

0 pointsvel0city2mo ago0 comments

I mean not just anyone, but its far less complicated than dealing with arcane iptables commands. And yet far more powerful, being able to just say "instances like this can talk to instances like this in these particular ways, reject everything else". Don't need subnet rules or whatever, its all about identity of the actual things.

Meanwhile lots of enterprise firewalls barely even have a concept of "zones". Its practically not even close to comparing for most deployments. Maybe with extremely fancy firewall stacks with $ $MAX_INT service contracts one can do something similar. But I guess with on-prem stuff things are often less ephemeral, so there's slightly less need.

0 comments

ahartmetz2mo ago

I could type your arcane iptables commands for a couple hundred an hour. That stuff is easy compared to some software development tasks. I have sometimes struggled, but I've always found a solution after a few hours max.

esseph2mo ago

> I guess with on-prem stuff things are often less ephemeral, so there's slightly less need

Kubernetes is running on bare metal quite a lot of places.

j / k navigate · click thread line to collapse

0 comments

ahartmetz2mo ago

esseph2mo ago

> I guess with on-prem stuff things are often less ephemeral, so there's slightly less need

Kubernetes is running on bare metal quite a lot of places.

j / k navigate · click thread line to collapse