Kapil Agrawal
netops2devops.net
@netops2devops.net
Kubernetes platform Security Engineer by profession. Also a recovering network engineer. Open source exuberant. Fan of open standards. Spends way too much time in homelab
I skipped most of the keynotes or talks about AI slop
November 14, 2025 at 1:19 AM
I think you may be looking for multus 😅 Cilium also supports doing separate subnets per pod but that’s an enterprise feature IIRC. There’s also cni.dev which might be worth looking into.
October 28, 2025 at 5:49 AM
Yeah container networking world has a whole lot of catching up to do with IPv6
October 28, 2025 at 5:44 AM
Envoy uses a feature within the Linux Kernel called TPROXY (transparent proxy). So technically your application sees the original client IP and not the reverse proxy IP, if that helps. Now granted I have never worked with SIP so I could be mistaken.
October 28, 2025 at 5:36 AM
Since pod addresses are ephemeral there has to be a mechanism that provides a fixed stable address (Gateway address) for the application that an end user can access.
October 28, 2025 at 5:29 AM
Pod to pod and pod to WAN is unicast. Ingress has to be a virtual IP. It’s basically a load balancer for your Pods. Albeit, since Cilium uses Envoy proxy as L7 proxy underneath it preserves the original source IP. So when user traffic reaches pod it sees real source IP.
October 28, 2025 at 5:27 AM
Using cilium’s BGP LoadBalancer IPAM to hand out addresses to Gateway api and announce those over BGP as well! From user’s perspective they hit the gateway api to access an application.
October 28, 2025 at 5:24 AM
I’m planning to cover just that in part 4. Still working on part 3 this week 😅 but yes I do have a working architecture/config with #cilium that uses native routing, i.e. no tunneling or masquerading. Each namespace gets a clean /64 using multi-pool ipam. Pod addresses announced via BGP.
October 28, 2025 at 5:19 AM
Would using ‘iota’ solve your use case for enums? blog.learngoprogramming.com/awesome-go-e...
★ Ultimate Visual Guide to Go Enums ★
Golang Enums & iota Guide—Full of tips and tricks with visuals and runnable code examples.
blog.learngoprogramming.com
October 27, 2025 at 3:27 AM
topics for subsequent posts:

- IPv6 address planning to run #cilium in native routing with cluster pool vs. multi-pool ipam.

- Cilium BGP control plane with LB IPAM and GatewayAPI for ingress

- Predictable egress IP without using an egress gateway (aka no SNAT/masquerading)

Stay tuned ;)
October 25, 2025 at 5:38 PM
part2 covers building the simplest #IPv6 only #k3s cluster using @cilium.io

netops2devops.net/series/k8s-c...
Simplest IPv6 only k3s cluster using Cilium
netops2devops.net
October 25, 2025 at 5:24 PM
part1 covers underlying #ipv6 infrastructure requirements before installing #kubernetes

netops2devops.net/series/k8s-c...
IPv6 infrastructure before deploying Kubernetes
netops2devops.net
October 25, 2025 at 5:23 PM
1.25.3 is available now 😁 https://formulae.brew.sh/formula/go#default
October 16, 2025 at 3:44 AM
So far we have been getting away with the problem by putting our IPv6 only GW api service behind an external LoadBalancer (with a dual stacked VIP). I wonder if there is a way to translate nat46 directly on the node instead of relying on the external LB. Thoughts?
October 13, 2025 at 2:16 AM
Hi @kindnet.es thanks for developing and sharing this. I am curious how one would solve nat46 though (with or without your agent)? I am running Kubernetes in IPv6 only environment and often run into cases where end user is coming from IPv4 address and they want to access my gateway api v6 address
October 13, 2025 at 2:11 AM
Say what you may but as far as readability goes I don't find #rust to be nearly as intuitive or readable as #go .. It's so easy to be productive with go after spending just a week dabbling with basics. I don't think I can say the same for rust but I suspect it's just a matter of practice 😅
October 4, 2025 at 3:06 AM