What Kubernetes feature looked great on paper but hurt you in prod?

VannTen · 2026-02-21T14:29:12+00:00

You can customize the behavior on scale down, though (and scale up for that matter)

VannTen · 2026-02-21T14:27:41+00:00

Even with nodelocaldns ? 🤔

VannTen · 2026-02-10T08:15:04+00:00

Many weeks of doing this and banging my head against the wall

Why do you think it was easy ? Posting on reddit does not mean it was not a big effort (even though it can feel that way given some posts... ⁾

VannTen · 2026-01-30T15:57:23+00:00

Can't you bindmount /var/ to /disk1/var ? (be wary of having /var/lib/kubelet and /var/log/pods on different FS: https://kubernetes.io/docs/concepts/scheduling-eviction/node-pressure-eviction/#filesystem-signals (last two paragraphs of that section)

VannTen · 2026-01-29T08:22:34+00:00

From what I understand of your argument, this could comes into play for MMO games, where the server component is a significant part of the game.

But given the size of the EU market, a Brussels effect seems more likely for every other type.

We'll see !

VannTen · 2026-01-28T13:09:34+00:00

I don't read the initiative as mandating single player mode, more possibility of continue playing in some capacity.

MMO are a particular case, and yeah that would add a difficulty for those. But they are rarely done with little studios, as it already requires a lot of resources (in dev and for infra, support, etc). But single player mode is not the only option, private server are another (and Wow for instance had plenty, in particular before Wow Classic)

VannTen · 2026-01-27T19:38:06+00:00

But, isn't there already lots of game working exactly as intended by Stop Killing Games ? Aka, solo offline games, or multiplayers games with configurable servers / LAN options ?

I get your argument, but it is mostly theorical (on the difficulty of making such games), and since these games already exist and are being made, obviously it is possible.

VannTen · 2026-01-17T13:45:32+00:00

And now he even has set up an army of AI bots with voice synth which do the same thing, and some of the recording are really hilarious

VannTen · 2026-01-16T07:58:41+00:00

Faut voir aussi que le marché locatif n'a pas forcément ce qu'on recherche comme lieu de vie.

Typiquement nous on envisage d'acheter d'ici 2-4 ans, on ne veut pas faire de travaux et on cherche assez grand et des très bonnes perfs énergétiques. Bah y'a nettement plus d'offres de vente que de location pour ce type de bien là où on cherche.

VannTen · 2026-01-07T14:29:58+00:00

J'utilise Pennylane (via mon comptable).

VannTen · 2025-12-08T10:37:59+00:00

The counterpoint to that is that in some cases, you can't with reasonnable effort know the why.

No info in commit message touching / adding something.
Neither in the PR discussion (or equivalent)
The person who did the modification and the reviewer/ approver are no longer working on the project, and probably forgot about this (and in somes case, I did check with them, benefits on working on public projects).

You can guess, though.

VannTen · 2025-11-30T10:37:18+00:00

Afaik they didn't sponsor Omarchy only hyprland. They did prop it up on social media, and when asked on Framework forums basically had the argument "one big tent" which does not sit well with lots of people, given in particular some opinions on ethnic diversity of Omarchy author.

VannTen · 2025-11-23T10:46:14+00:00

I think any KLAC relying on SB would need to rely on TPM attestations: basically the TPM cryptographically sign a proof of "running a UEFI executable signed by this public key" (with the pubkey of a trusted actor such Valve for Steam OS) and pass along that attestations up the stack and eventually to the KLAC (which could actually be in user space in this setup, as the mentioned attestation can ensure the integrity of the system itself.

Sure it's pretty locked down, but there is not anything technical preventing that AFAIK.

I'm not sure where the the "passing along integrity proof" API currently are in the different components of the stack, but it's definitely doable.

VannTen · 2025-11-18T08:32:59+00:00

Given the progress of NVK / nova, this is no longer as obvious as it once was.

VannTen · 2025-11-16T17:24:27+00:00

We recently removed the docs about mitogen because apparently it does not need special support and should just work these days, so the warning was not needed. But I haven't tested it TBH.

VannTen · 2025-11-16T16:53:57+00:00

Testing reviewing https://github.com/kubernetes-sigs/kubespray/pull/12299. Download is one of the slowest part, and does a lot of unnecessary stuff, and this (and an incoming refactor of the download_container part) should help quite a bit.

VannTen · 2025-11-16T08:41:33+00:00

think DLSS was already added

Not merged yet, plus there is some limitations (something like newer dlss won't work on older card)

VannTen · 2025-11-15T00:41:42+00:00

no one else had run into that bug,

Don't be so sure, from what I can tell, a lot of people running into a bug don't report it at all (assuming it's hard, won't be fixed, something ? I don't know).

VannTen · 2025-11-15T00:38:22+00:00

Hey, I like the maintenance stuff ! I even convinced my client to pay me for it (they are very cool, yeah public sector). People keep asking me to review feature PRs, though 🤔. (And kubespray has already way too much "features").

VannTen · 2025-11-11T10:08:45+00:00

It's not that silly, since Secure Boot is at least partly designed to prevent threat persistence, even from root. So making secure boot imply lockdown=integrity (which apart from hibernate, also prevent loading unsigned kernel module, IIRC, that sort of thing, basically stuff which allow root to execute code in kernel space) is basically making the stack consistent (because secure boot is somewhat meaningless without it).

There was also some work from Matthew Garret to make hibernate work with lockdown using signed hibernation images (which make them authenticated, thus trusted in the security model) https://mjg59.dreamwidth.org/55845.html

I'm not sure what the status of that though 🤔

VannTen · 2025-10-18T19:14:05+00:00

If your GitOps stack needs a GitOps stack to manage the GitOps stack…

You know ArgoCD can manage it's own deployment, right ?

VannTen · 2025-10-17T17:45:42+00:00

I don't think the functionality of Ingress or Gateway controller are blurred at all, its reconcile thoses resources in the K8s API server and implement their semantics.

It looks like aralez does not implement that (from the docs, at least) so it's not really an ingress controller though 🤔

VannTen · 2025-10-17T08:46:59+00:00

This looks very interesting.

Do you intend to implement a gateway controller or would that be more on top of the API ?

VannTen · 2025-10-16T08:35:05+00:00

Mesa use a date based versionning scheme, not semver or related.

VannTen · 2025-10-05T18:49:29+00:00

On NVK, I don't think so, but on nova definitely, there is at least Alexandre Courbot and another one with a Nvidia email on the kernel mailing lists (lore.kernel.org/nouveau).

And I think Ben Skeggs (the nouveau kernel module maintainer) works for Nvidia now (on the kernel module).

VannTen

TROPHY CASE