Internal Workflows Deserve Their Own Stack
Internal traffic should travel an independent path at every layer – gateway, pods, database – not just live behind a different URL prefix.
I cabled my five-node rack behind a switch to get off wifi. The cutover worked. Internet bandwidth dropped 50-85% across the cluster. Here is what happened and why I am keeping it anyway.
Two HP worker nodes dropped off my cluster after I pulled their USB wifi adapters. When I plugged them back in, neither came up. The adapters were fine – I’d put them in the wrong machines.
A simple SELECT by primary key took 6 seconds. Postgres was fine. The network was fine. The culprit was a default Linux wifi setting I’d never heard of.
In the ATG monolith, production DB credentials lived behind a JBoss SSH gate — effectively unreachable without infra access. After modernizing to microservices on Azure Kubernetes, every developer’s Azure account could read prod DB, Redis, and Service Bus secrets from Key Vault with a single CLI command. VPN and device whitelisting gated the network path, but not the humans. The migration didn’t just change our architecture — it quietly widened the insider blast radius.
A ReadWriteOnce PVC meant my blog couldn’t run two replicas. Switching to NFS from a NAS gave me zero-downtime rolling updates and a one-command deploy workflow.
How I built a Google Photos alternative running on a 3-node Kubernetes cluster at home, protected by MFA authentication, and exposed securely via Cloudflare Tunnel with zero open ports.