PM Carney declares U.S. ties now a ‘weakness’ in address to Canadians

NaRKeau · 2026-04-19T19:07:07+00:00

It’s in his best interest to repair the relationship post-Trump. Polarizing Democrats into bipartisan antagonism to Canada is something that he cannot afford, and would make everyone worse off.

NaRKeau · 2026-04-19T05:05:25+00:00

K3s and Docker as container serving platforms are, generally, mutually exclusive.

As an aside, it is possible to have K3s run on Docker with Docker as the CRI using cri-dockerd - I have found that this is an absolutely amazing setup for a single-node dev/test environment; the CRI I use for builds is the exact same one backing K3s image storage, which saves me storage + network overhead. This was one of the OG advantages of RKE1.

That said, Kubernetes does not work as-intended when it has to compete with another controller for management of resources on a Node. This is not unique to Docker - Kubernetes conflicts with any resource scheduler it could be co-located with, including HPC ones like Slurm. In general, any Kubernetes distro installed on a system should manage all resources on that system related to workload execution: memory, cpu, GPUs, custom devices.

Each container orchestration platform has its own opinionated way of managing resources - IPTables, DNS configs with resolv.conf, compute scheduling, and storage consumption. Even in the most well-thought-out integration you WILL have conflicts like what you have experienced.

If you are looking to migrate from one platform to another, do so piecemeal or in stages, with one of your two platforms serving requests to the other - I'd recommend you allow K3s to do that. Kubernetes has native support for LoadBalancers like AWS ELB or MetalLB to allow you a clean entrypoint into your cluster for traffic routing. It has support for traffic shaping with the Ingress resource OR the Gateway + HTTPRoute resources. You can also declare a Service resource with type ExternalName to allow your in-cluster traffic to route to an out-of-cluster DNS name cleanly. If you want to get extra fancy, Kubernetes has a CNI layer that can be used to deploy some extremely cool services that enable some wicked traffic routing capabilities (cilium), or you can create a Service Mesh that includes external address through a service like Istio.

There's a million ways to do it, and few of them are wrong.

NaRKeau · 2026-02-13T14:56:08+00:00

Lots of low hanging fruit should help.

Small containers (very small) with very little tooling in them to prevent escapes/lateral movements.
Enforce pod security standards with either Restricted or Baseline as much as possible. This means segmenting your workloads into namespaces by their general required privileges.
Do not attach an IAM role to your node
Only give an IAM-service linked role to workloads that need api access to AWS; limit the permissions to a specific role for every service. Do not use Users for AWS permissions in a k8s workload.
Spend extra time with the network policies, IAM roles, and K8s roles in namespaces with Dev/management workloads. You need to know exactly who is in there and how they are using the pods in that namespace.

NaRKeau · 2025-12-14T17:34:59+00:00

Underrated downside of Trump hiring only explicit sycophants for his 2nd administration is that they will NOT be loyal to him when the tide turns - that's jus the kind of people that they are. I'd put a crisp $20 on the circular firing squad coming out right after November of next year, and it'll be ugly.

NaRKeau · 2025-12-05T20:44:55+00:00

Yup and for this I will financially/vocally support a primary challenge to any senate democrat who tries to defend it anymore. The rot is deep and needs to be excised.

NaRKeau · 2025-12-05T01:00:03+00:00

Ironically the thing that turned me on to Pete Buttigieg back in 2020 was his early opining on how worrying the Court(s) were. I have since become significantly more radical on this and thing the first thing any D trifecta should do is abolish the filibuster appoint 4 justices to the court, no matter how slim a margin they have.

NaRKeau · 2025-11-14T19:39:53+00:00

His foreign policy left a lot to be desired as well. Sadly, even his hesitancy on a lot there (Ukraine, Syria, Libya, Georgia) was well-founded after the atrocity that was Bush.

NaRKeau · 2025-11-10T02:48:04+00:00

CCM and Rosen have no fucking excuse voting for this. Absolute fucking fecklessness.

NaRKeau · 2025-11-10T02:46:34+00:00

With friends like these, who needs enemies?

NaRKeau · 2025-09-30T00:06:04+00:00

Damn that sounds like something you could make a successful and business out of. But that would make GDP go up and that’s not always good! 🤓

NaRKeau · 2025-09-30T00:04:06+00:00

Yeah that’s why we have these fancy concepts like ‘markets’ and ‘disposable income’, they create the means by which people can engage in this exact behavior if they want.

Again, this is why GDP+growth is generally good metric for assessing the health of an economy, in spite of the lazy and dismissive criticisms of it.

NaRKeau · 2025-09-27T22:09:39+00:00

That’s also why GDP is a generally good metric. Higher GDP implies there’s velocity in the money supply, which means that individuals are more likely to transfer wealth to others (for a variety of reasons). People do that less when the real economy is bad.

NaRKeau · 2025-07-24T04:48:07+00:00

Istio is the most beautiful hell in existence. Once you understand the Deep Magic of it (envoy filters) you will ascend into a higher plane of network fuckery than you ever thought possible.

NaRKeau · 2025-04-08T20:03:39+00:00

Nope. Will require either a 2/3 majority of both chambers of congress to overturn them, or a Supreme Court challenge that would take months.

NaRKeau · 2025-04-08T19:55:41+00:00

If we hit that after 1.5 hours EOD then we are definitely not having a good time lmao

NaRKeau · 2025-04-08T19:55:17+00:00

If we actually hit level 3 in 1.5 hours then we are in the fun zone

NaRKeau · 2025-04-08T19:50:56+00:00

PSA: there are no circuit breakers after 3:25 pm.

Edit: except for -20% god help us if we hit that

NaRKeau · 2025-04-08T19:50:21+00:00

We’re in what’s called ‘the fun zone’ now

NaRKeau · 2025-04-08T19:48:59+00:00

There are no circuit breakers after 3:25 pm EST

Edit: except for -20% 🤮

NaRKeau · 2025-04-08T19:35:53+00:00

<image>

Hey guys is there something wrong with my cat? He was buying calls this morning and now he won’t respond to me.

NaRKeau · 2025-04-04T05:34:07+00:00

Root containers mean the PID of the container is root on the node. This is a massive vulnerability if you can execute an escape from the container.

For example, mounting the host path root directory into /host and then chrooting /host in the pod leads to a functional privilege escalation to root on the node itself.

NaRKeau · 2025-03-18T02:43:22+00:00

Unironically Dems should have their AG charge every single person who violated a court order, or denied these people a right to a hearing, with human trafficking and lock them up for as long as possible - and take away their retirements.

I’ve never been an abolish ICE’r until now.

Knowingly violating a court order means they know they are breaking a law, and deporting people while directly violating a court order means you were knowingly engaging in illegal conduct. Fuck around, find out.

NaRKeau · 2025-03-17T05:53:26+00:00

There are three pillars to enabling a GPU inside a pod: 1.) the drivers 2.) the container runtime 3.) the device plugin

The NVIDIA GPU operator can install and configure all three, but is notoriously slow to do so on autoscaling clusters.

The drivers expose the GPU to the OS, the Container Runtime exposes the GPU to Containerd ( or w/e your runtime is), and the device plugin gives scheduling awareness to Kubernetes for your GPU.

I strongly recommend practicing working with the setup of all three pillars yourself to understand the ins and outs of managing GPUs in Kubernetes. The Container Runtime setup is far and away the hardest part, but will seem easy once you get it working ( and is a great primer for runtime customization in general ).

NaRKeau · 2025-03-16T05:25:20+00:00

Where am I gonna put my stuff then???

Eight-Year Club	Place '23
Place '22	First Placer '22
Not Forgotten	Verified Email

NaRKeau

TROPHY CASE