I figured out how to access Kubernetes services on my cluster without the need for kubectl port-forward
or an ingress. It can all be done with Linux routing tables, and Wireguard makes this trivial to set up.
NixOS 21.11 switched to the nf_tables backend for iptables. Let’s see what this means, and what new things we can and cannot do.
Kubernetes networking is complicated. It’s not complex, mind you, as there’s no emergent behaviour. It’s just complicated because there are lots of moving parts that are used in different circumstances. Let’s explore how the parts fit together by walking through several scenarios.
Wireguard is a nifty little tool. The tagline describes it as an “extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography”. I have been using it for years to tunnel into my servers, as an Internet gateway, and as a jumpbox into the servers’ VLAN. Recently, I figured out how to configure it as a secure mesh between the servers.