<colemickens> I missed a lot of good chat today...
<colemickens> I love it all.
Ox4A6F has quit [Read error: Connection reset by peer]
Ox4A6F has joined #nixos-kubernetes
johanot has joined #nixos-kubernetes
<johanot> I'm close to a PR replacing KubeDNS with CoreDNS. AFAIK CoreDNS is the new standard for Kubernetes DNS addon from version 1.11 and beyond. Do you have any inputs on this? Any reasons why we might keep support for KubeDNS?
<colemickens> I'm not aware of any. Seems like a welcome change.
<colemickens> (I'd be curious for any words about your plans for the module rewrite, given that it's not tied to the release now, etc.)
<johanot> colemickens: So.. https://github.com/NixOS/nixpkgs/pull/45670 is still open, and I was really hoping to progress that at some point. But the problem is mainly that it depends on changes to cloudflare certmgr, which.. looks kind of dead. The maintainers seem uninterested in responding to my requests. Basically, my top priority is to implement a fully secure kubernetes module. The current one is only 50% TLS-enabled.
<colemickens> oh right, I keep seeing you nudge it along but I have them as separate concerns in my head.
<colemickens> makes sense, it's too bad they don't seem more responsive. thanks for the thoughts.
<Ox4A6F> I had to init a v1.11.3 cluster with --feature-gates=CoreDNS=false, because some network plugin was misbehaving.
<johanot> Ox4A6F: oh? which network plugins?
<Ox4A6F> romana
<colemickens> how does that work? I assumed CNI plugins wouldn't work out of the box since they tend to try to drop static binaries on the host and have kubelet exec them?
<colemickens> or are you doing the romana agent bits with nixos config?
<colemickens> just curious, I've started packaging kube-router into nixpkgs/module because of my perception of this problem, it'd be nice to use off the shelf CNI plugins w/o modification
<johanot> colemickens: We use kube-router here and already have a module. Just haven't gotten around to upstreaming yet
<johanot> colemickens: In case you are interested: https://gist.github.com/johanot/8e086e88c6215015b6156a012a7741d8
<johanot> Most funky thing about kube-router is that it assumes that /etc is writable :P
<colemickens> I feel like the luckiest guy in IRC. Thank you for sharing!
<srhb> A lot of the troubles of cni went away when johanot changed us over to kube-router
<srhb> It has warts, but it's waaaay better than the usual methods
<srhb> And easier to change, too.
<johanot> colemickens: anytime! I would like to become co-maintainer on that in case you upstream to nixpkgs.
<johanot> srhb: First couple of versions we had here were kinda buggy, but it quickly improved. Especially because the maintainer over there takes issues and PRs on kube-router seriously. :)
<srhb> Yeah, it's so much easier to do anything when upstream is responsive.
<Ox4A6F> I'm also evaluating kube-router/cilium.
<johanot> CoreDNS PR for anyone interested: https://git.io/fxbJZ
<johanot> colemickens: Do you plan to upstream kube-router or should I look into that? I might have some "free time" for that Friday.
johanot has quit [Quit: WeeChat 2.2]