Generated by AI

Switching kube-proxy mode from IPVS to nftables

Many of you have heard about the ingress-nginx controller retirement, right? But have you also heard about the deprecation of IPVS mode in Kubernetes 1.35?

Kubernetes 1.35 release notes: https://kubernetes.io/blog/2025/12/17/kubernetes-v1-35-release/#deprecation-of-ipvs-mode-in-kube-proxy

If your Kubernetes clusters are running kube-proxy in IPVS mode, it is time to prepare for switching to nftables. What I found interesting is that the official AWS EKS documentation still recommends IPVS mode, with only a small mention that nftables is ‘in development’: https://docs.aws.amazon.com/eks/latest/best-practices/ipvs.html ...

January 10, 2026 · 2 min · 372 words · Serhii Kaidalov

External Secrets Operator with ABAC for AWS Secrets Manager using EKS Pod Identity

There is a great article on the AWS Blog: How to use AWS Secrets Manager and ABAC for enhanced secrets management in Amazon EKS. The only downside of that approach is that it relies on OpenID Connect (OIDC) and IRSA (IAM Roles for Service Accounts) for authentication. There is now a better and simpler option: Amazon EKS Pod Identity. ...

December 1, 2025 · 6 min · 1118 words · Serhii Kaidalov

Using Fail2ban To Block Access to Nginx Behind CloudFlare

Many of us use CloudFlare to protect our websites and services from malicious activity. In this post, I’ll show you how to configure Fail2ban to block bad actors directly on CloudFlare.

Nginx setup

Before we start, make sure your Nginx logs contain real client IP addresses. If your logs still show CloudFlare IPs, follow my earlier guide: Handling Real IP in Nginx Behind Load Balancer and Cloudflare ...

November 22, 2025 · 3 min · 546 words · Serhii Kaidalov

Setup YubiKey for SSH Access and Git Signing

What is a YubiKey?

A YubiKey is a small hardware device used as a second factor of authentication. It serves the same purpose as one-time codes sent by SMS or email, but is much more secure: the secret never leaves the device and, for FIDO2/WebAuthn logins, is bound to the site's origin, so it cannot be intercepted or phished the way a code can. To authenticate, the YubiKey must be physically inserted into your computer or connected via NFC. This makes it nearly impossible for remote attackers to use your credentials.

Getting a YubiKey

The best place to buy a YubiKey is directly from Yubico. You can also buy them from trusted retailers, but always verify the device is genuine using Yubico’s verification page. ...

November 6, 2025 · 5 min · 937 words · Serhii Kaidalov

Replace Battery in Wahoo Elemnt Roam v1

I love cycling, and like any passionate rider, I have a few bikes. And like every respectable biker, I use a cycling computer. Mine is an older one - the Wahoo Elemnt Roam v1. It covers all my daily needs perfectly: heart rate, cadence, speed, and navigation. It’s a wonderful device, or at least it was until recently, when its battery died. Fully charged, it lasted only 7 km before dying completely. ...

October 28, 2025 · 3 min · 584 words · Serhii Kaidalov

Managing Internal TLS Trust in Kubernetes with cert-manager and trust-manager

How do you maintain a secure TLS connection between services within a Kubernetes cluster? One simple (but unsafe) answer is to create a self-signed certificate and skip verification with a flag like --insecure-skip-tls-verify, which gives you encryption without authentication. A more advanced solution is to use a service mesh (e.g., Linkerd, Istio), which automatically manages certificates and trust. But what if you want something simpler and lighter? That’s where trust-manager comes in. It’s the easiest way to distribute CA trust bundles to workloads in Kubernetes and OpenShift clusters. ...

October 27, 2025 · 5 min · 853 words · Serhii Kaidalov

Running Pi-hole and DNSCrypt in Containers on MikroTik

Starting with RouterOS v7.5, MikroTik introduced the ability to run Linux containers directly on supported devices. This opens up a world of possibilities, from running ad-blockers like Pi-hole to local DNS resolvers such as DNSCrypt-proxy. In this guide, I’ll show how I migrated my Pi-hole setup from a Raspberry Pi Zero to a MikroTik router. So far it’s been running smoothly.

Prerequisites

Before we start, make sure you have:

- MikroTik RouterOS v7.5+
- ARM64-based device
- External storage (USB or M.2, formatted as ext3 or ext4)
- Physical access to the device (you’ll need to reboot it manually)

We’ll install two containers: ...

October 16, 2025 · 4 min · 763 words · Serhii Kaidalov

Telegram Notification on SSH Login

SSH Telegram Notify

Have you ever wanted to get a Telegram notification when someone logs into your server via SSH? I did! I also wanted to automate the entire setup with Ansible for faster deployment and updates. So, I created an Ansible role that does exactly that. It automatically configures your servers to send login/logout notifications to Telegram. It currently supports Debian/Ubuntu, but can easily be extended to other Linux distributions. ...

October 10, 2025 · 3 min · 594 words · Serhii Kaidalov

CloudTrail: Infrastructure changes notifications

AWS infrastructure changes notifications with Slack

CloudTrail is a powerful service that helps audit the actions of users and roles in your AWS account. It can be integrated with other services to improve the way you react to infrastructure changes. This is especially useful for large projects. In this article, we’ll describe both a basic and an improved way to track infrastructure changes in your AWS account and send notifications to Slack. ...


Finding and Reducing High Cardinality in Prometheus

In Prometheus, memory usage is dominated by the number of time series currently stored in the head block (plus indexes). Your goal is to find which metrics/labels/targets create the most series and which ones churn (get created/removed frequently).

Use the built-in TSDB status endpoint

Prometheus exposes a helper endpoint that lists the top offenders:

http://<prometheus>:9090/api/v1/status/tsdb?limit=50

Useful sections in the JSON:

- seriesCountByMetricName – metric names with the most series
- labelValueCountByLabelName – label names with the most distinct values
- seriesCountByLabelValuePair – specific label=value pairs that explode series
- memoryInBytesByLabelName (recent versions) – memory cost per label name

You can filter further with match[], for example: ...
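The following is an added example, not code from the original post. It builds the endpoint URL (including a match[] selector), parses the JSON the endpoint returns, ranks the sections listed above, flags label names whose distinct-value count is implausibly high, and emits the metric_relabel_configs entries that would drop them at scrape time. The response payload is constructed by hand to match the shape of a real /api/v1/status/tsdb reply; every metric name, label name and count in it is invented, and the 10,000-distinct-values threshold is an arbitrary starting point you should tune to your own cluster.

```python
"""Rank cardinality offenders from a Prometheus /api/v1/status/tsdb response.

Added example for the post above; not the author's code. The sample payload
below is constructed: it mimics the response shape, with invented values.
"""
import json
from urllib.parse import urlencode

# Constructed sample response (same shape as the real endpoint, values invented).
SAMPLE_TSDB_STATUS = json.dumps({
    "status": "success",
    "data": {
        "headStats": {"numSeries": 1250000, "numLabelPairs": 410000,
                      "chunkCount": 3200000, "minTime": 0, "maxTime": 0},
        "seriesCountByMetricName": [
            {"name": "http_request_duration_seconds_bucket", "value": 620000},
            {"name": "kube_pod_container_info", "value": 180000},
            {"name": "up", "value": 900},
        ],
        "labelValueCountByLabelName": [
            {"name": "request_id", "value": 540000},   # a per-request ID: classic offender
            {"name": "path", "value": 31000},          # raw URL paths, unbounded
            {"name": "pod", "value": 4200},
            {"name": "job", "value": 12},
        ],
        "memoryInBytesByLabelName": [
            {"name": "request_id", "value": 52000000},
            {"name": "path", "value": 9800000},
        ],
        "seriesCountByLabelValuePair": [
            {"name": "__name__=http_request_duration_seconds_bucket", "value": 620000},
            {"name": "job=api-gateway", "value": 700000},
        ],
    },
})


def status_url(base: str, limit: int = 50, selector: str = "") -> str:
    """URL for the endpoint, optionally narrowed with a match[] series selector."""
    params = {"limit": limit}
    if selector:
        params["match[]"] = selector
    return f"{base}/api/v1/status/tsdb?{urlencode(params)}"


def parse_tsdb_status(raw: str) -> dict:
    """Return the 'data' object, failing loudly on a non-success response."""
    body = json.loads(raw)
    if body.get("status") != "success":
        raise ValueError(f"tsdb status call failed: {body}")
    return body["data"]


def top(data: dict, section: str, n: int = 5) -> list:
    """Top-n (name, value) pairs for one section, highest first.
    A section missing from an older Prometheus yields an empty list."""
    rows = data.get(section, [])
    return sorted(((r["name"], r["value"]) for r in rows), key=lambda kv: -kv[1])[:n]


def series_share(data: dict, metric: str) -> float:
    """Fraction of all head series owned by one metric name."""
    total = data["headStats"]["numSeries"]
    count = dict(top(data, "seriesCountByMetricName", n=10**9)).get(metric, 0)
    return count / total if total else 0.0


def suspicious_labels(data: dict, max_values: int = 10000) -> list:
    """Label names with more distinct values than a metric should reasonably carry.
    The threshold is an assumption; IDs, raw paths and user identifiers usually exceed it."""
    return [name for name, count in top(data, "labelValueCountByLabelName", n=10**9)
            if count > max_values]


def relabel_config(labels: list) -> list:
    """Proposed metric_relabel_configs entries dropping those labels at scrape time.
    Prometheus matches the labeldrop regex against label names and anchors it."""
    return [{"regex": lbl, "action": "labeldrop"} for lbl in labels]


def main() -> None:
    print("would query:", status_url("http://prometheus:9090", 50, '{job="api-gateway"}'))
    data = parse_tsdb_status(SAMPLE_TSDB_STATUS)   # offline: parse the constructed sample
    print("head series:", data["headStats"]["numSeries"])
    for section in ("seriesCountByMetricName", "labelValueCountByLabelName",
                    "seriesCountByLabelValuePair", "memoryInBytesByLabelName"):
        print(f"\n{section}:")
        for name, value in top(data, section):
            print(f"  {value:>12,}  {name}")
    bad = suspicious_labels(data)
    print("\nlabels to drop:", bad)
    print(json.dumps(relabel_config(bad), indent=2))


if __name__ == "__main__":
    main()
```

Dropping a label with labeldrop only makes sense when the remaining label set still identifies the series uniquely; otherwise Prometheus will reject the scrape with duplicate-series errors, so prefer fixing the instrumentation (bounded route templates instead of raw paths, no request IDs as labels) and use the relabel rule as a stopgap.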

September 14, 2025 · 3 min · 445 words · Serhii Kaidalov