Posts

Your cluster looks healthy. Pods are running. Metrics are green. Everything works. Until a node fails during peak traffic. Or the database connection pool exhausts. Or that one service nobody remembers deploying starts consuming all available memory. You can wait for these things to happen in production at 3 AM. Or you can break things intentionally, on your terms, and fix the weaknesses before they become outages. This is chaos engineering. ...

You don’t need a cloud provider to run Kubernetes. You don’t need expensive servers. You need three mini-PCs and an afternoon. This is how I built my homelab cluster — the same cluster that runs my GitLab, monitoring, home automation, and everything else I refuse to trust to someone else’s computer. Why K3s? K3s is Kubernetes, simplified: Single binary — ~70MB, includes everything Low resource — Runs on Raspberry Pi, runs great on mini-PCs Production ready — Same API, same workloads, less overhead Batteries included — Built-in ingress, load balancer, storage It’s not “Kubernetes lite.” It’s Kubernetes without the enterprise cruft. ...

Every Kubernetes cluster eventually needs persistent storage. The question is: which solution? For self-hosted clusters without cloud provider storage classes, two options dominate: Longhorn and Rook-Ceph. Both are CNCF projects. Both provide replicated block storage. Both work well. But they’re very different in philosophy, complexity, and use cases. I’ve run both in production. Let me share what I’ve learned. The Fundamental Difference Longhorn: Simple distributed block storage built for Kubernetes. Each volume is replicated across nodes using standard Linux storage primitives. ...

A cryptographic signature is one of the few things online that means exactly what it says. If the key is yours and the signature verifies, the content came from you. No vendor issued this identity, no CA can revoke it, no platform can suspend it. It exists because you generated the key, and it stays yours as long as you control the private half. Most of what we call “online identity” is on loan from someone else: a handle that can be banned, a checkmark that can be removed, an email address that a domain owner can reclaim. A GPG signature sits outside all of that. Either the key that signed this paragraph is yours, or it is not, and no one else gets to decide. ...

Your phone buzzes at 3 AM. You groggily check: “High CPU usage on node-worker-3.” You look at the graph, see it’s been at 75% for 10 minutes, and go back to sleep. Tomorrow, same alert. Next week, you stop checking altogether. This is alert fatigue, and it’s dangerous. When everything alerts, nothing does. Real incidents get lost in the noise. I’ve been on both sides — drowning in alerts, and running systems where pages are rare and always actionable. The difference isn’t better tools. It’s better thinking about what deserves attention. ...