Skip to content
~/jwright▮
AboutSkillsProjectsBlogContact

#Tag

Posts tagged “networking”

← All posts

  1. 14 July 2026·5 min read

    Observe first, deny second

    Everyone writes network policy from the architecture diagram, and the diagram is always wrong. The only allowlist that survives contact with production is one written from the flows you actually watched — applied out-of-band, proven enforcing, and only then handed to GitOps.

    • security
    • networking
    • cilium
    • hubble
    • kubernetes
    • gitops
  2. 14 July 2026·5 min read

    SNAT ate my source IP

    A LoadBalancer service with the default traffic policy rewrites every incoming packet's source to the node's own address — so by the time a network policy sees it, the real client is gone. You cannot allowlist a sender the network has already erased.

    • security
    • networking
    • cilium
    • kubernetes
    • load-balancing
  3. 23 June 2026·2 min read

    The most secure inbound port is the one you never open

    Exposing self-hosted services to the internet with zero open ports, zero port-forwarding, and the origin's IP never leaving the building.

    • cloudflare
    • networking
    • security
    • zero-trust
    • kubernetes
jonny@bztmon:~ · session receipt✓ Synced · Healthy

$ whoami

Jonathon Wright— Platform & Infrastructure Engineer

$ traceroute www.bztmon.com

served from a homelab Kubernetes cluster, over an encrypted tunnel

$ git log -1 --format=receipt

HEAD ac333e2· built 2026-07-14 08:44Z· reconciled by ArgoCD

$ contact --priority low-ms

ping me on LinkedIn or email — everything else is best-effort delivery.

$

© 2026 Jonathon Wright·CC BY-NC-SA 4.0·built with Astro, shipped via GitOps