Recently I’ve been working on a project for the Buffalo Kubernetes Meetup: we want to provide users with a sandbox environment to hack around in, or perhaps even do some sort of workshop or scavenger hunt. However, we have a few constraints, predominantly cost. Whatever the solution, it needs to be stood up fast and deleted fast. Once deleted, there can’t be any leftover resources, because those cost money.
So TL;DR: HAProxy has a built-in Prometheus exporter now: https://github.com/haproxy/haproxy/tree/master/contrib/prometheus-exporter In on-prem Kubernetes clusters there are no IaaS load balancer options, so a common setup is to run HAProxy and keepalived as static pods. This adds some complexity upfront but runs rock solid in production, as the control plane VIP is always available and HAProxy automatically removes unhealthy control plane nodes from rotation. I’ve been maintaining a Kubernetes cluster at home for dev work, and one of the more recent things I did was spool up some monitoring, i.e. Grafana and Prometheus.
Disclaimer: this is not a complete list, and should only be used as a starting point to sanity check new Virtual Server deployments.
- Change your default SSH port
- Disable root SSH
- Disable SSH password auth
- Enable iptables/nftables
- Configure iptables
- Enable two-factor auth in PAM
- Properly set up sudo
- Set up YubiKey and/or google-authenticator
- Disable TLSv1, SSLv2, and SSLv3 on all of your services
- Enforce decent crypto algorithms
- Enable auditd
- Enable and configure SELinux
- Configure services to run on private addresses, (127.
I’ve been hosting my own DNS for a while now. Going on.. hmmm… let’s see, I started that job in 2011 and I had been hosting from home… probably 9 years. And I have a confession: I made a rookie mistake. My name servers didn’t match my registrar’s glue records. Essentially, a glue record is the NS record (with its address) your registrar provides so resolvers can find your name servers. My bad… it seems that some of my secondary domains have been missing email for a while now.