Truenas Scale-Apps-vlan

raidflex

Guru
You would need (I think) to create a bridge but beyond that I don't know

Yeah, that is how I have it set up in TrueNAS Core. I was curious about what is possible with the newer versions of SCALE, because I am looking at migrating to SCALE.

sretalla

Powered by Neutrality
Moderator
From the GUI perspective, CORE and SCALE are set up in the same way... even if the stacks below that are actually different... (for SCALE, LAGG is actually a bond and bridges are named like br01 instead of bridge1... same outcomes though from a high level perspective)

Physical NIC(s) -> LAGG (if you're doing that) -> VLAN(s) if you're doing those -> Bridge (IP address goes here if you want one on that interface for the host) -> apps or VMs get assigned to the respective bridge interface.

You can set as many (within practical limits) VLANs as you want on one NIC/LAGG, but you shouldn't expect to also pass untagged traffic on that interface once you start with it.

Be mindful that the Kubernetes Settings can only be set for one bridge/interface though (Apps | Settings | Advanced Settings), so that may have some impact on some apps and how they can work.

raidflex

Guru
Be mindful that the Kubernetes Settings can only be set for one bridge/interface though (Apps | Settings | Advanced Settings), so that may have some impact on some apps and how they can work.

So with jails I have each jail connected to a bridge, with multiple bridges connected to different VLANs, some of which are separate from the host subnet. How would I handle this with SCALE and Kubernetes? In the end I am looking for the ability to isolate apps on their respective VLAN, similar to how I have jails set up in Core.

sretalla

Powered by Neutrality
Moderator
How would I handle this with SCALE and Kubernetes? In the end I am looking for the ability to isolate apps on their respective VLAN, similar to how I have jails set up in Core.
Well, you will probably need to start by learning a lot about Kubernetes networking...

Kubernetes has its own network and paths out to the world, in addition to what you may or may not be able to do with individual containers (remembering that they don't in principle have their own IP stack in the same way that jails can with VNET).

If you don't control the kubernetes network, your apps won't be isolated from each other... do you even care about that or are you wanting to keep users away from some apps?... which is better done with authenticators and ingress controllers like traefik (with something like authentik if needed to be more sure about security).

Short version: IP address isn't necessarily the best/new way to control access to things. It may be time to re-think your entire approach to "segregation".

raidflex

Guru
Kubernetes has its own network and paths out to the world, in addition to what you may or may not be able to do with individual containers (remembering that they don't in principle have their own IP stack in the same way that jails can with VNET).
Yeah, without the networking stack this would pose an issue. So is the entire Kubernetes implementation running on a single networking stack?

If you don't control the kubernetes network, your apps won't be isolated from each other... do you even care about that or are you wanting to keep users away from some apps?... which is better done with authenticators and ingress controllers like traefik (with something like authentik if needed to be more sure about security).

Short version: IP address isn't necessarily the best/new way to control access to things. It may be time to re-think your entire approach to "segregation".

I also use pfSense with firewall rules to control what traffic is allowed to traverse between VLANs. I am not isolating users here; this is to separate devices from each other. This is for a home environment, not enterprise, so I am trying to keep things simple, and the less third-party software/services needed the better.

sretalla

Powered by Neutrality
Moderator
There's no single/simple answer here...

Kubernetes has its own networking system, which in turn has its own possibilities with add-ons like flannel, etc. which make networking across worker nodes work in different ways and other services like DNS and load balancing available.

I'm not sure that calling it a stack represents its complexity accurately. It's a system/architecture.

In order to keep your apps away from each other, you would need to use the app config to deploy each one into a separate kubernetes network space (not hard, just give the network a different name in each case and kubernetes takes care of it).

You then use something like Traefik (and maybe some other products to do load balancing and authentication) to allow only the parts of the kubernetes network that you specify to ingress/egress.

There are lots of videos and online courses explaining Kubernetes networking, so I'll stop there as I'm certainly no definitive expert either, but the model of "walled garden" and using firewalls and VLANs to keep apps separated is dead under the container orchestration/DEV-OPS model.
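A note on what "a separate kubernetes network space" actually buys you: a Kubernetes namespace on its own does not stop pods from reaching each other; pod-to-pod isolation comes from NetworkPolicy objects, and only when the cluster's CNI plugin enforces them (flannel by itself does not). The manifests below are an added example, not from this thread or from TrueNAS: a default-deny policy for a hypothetical `app-a` namespace that admits traffic only from an ingress controller assumed to run in a `traefik` namespace, and lets the app out only to cluster DNS. Namespace names, the app port and the DNS location are assumptions.

```yaml
# Added example: per-app namespace isolation with NetworkPolicy.
# Assumptions: the app's pods live in namespace "app-a"; Traefik runs in
# namespace "traefik"; cluster DNS runs in kube-system on port 53. The label
# kubernetes.io/metadata.name is set on every namespace by the API server.
# The CNI must enforce NetworkPolicy, or these objects are accepted but ignored.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: app-a
spec:
  podSelector: {}                  # every pod in the namespace
  policyTypes: [Ingress, Egress]   # no allow rules here => all traffic denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-traefik
  namespace: app-a
spec:
  podSelector: {}
  policyTypes: [Ingress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik
      ports:
        - protocol: TCP
          port: 8080               # the app's container port (assumed)
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: app-a
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

After applying, confirm the policy is actually enforced by checking that a pod in another namespace can no longer reach the app's port while Traefik still can; if both still connect, the CNI is not enforcing NetworkPolicy.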

raidflex

Guru
There's no single/simple answer here...

Kubernetes has its own networking system, which in turn has its own possibilities with add-ons like flannel, etc. which make networking across worker nodes work in different ways and other services like DNS and load balancing available.

I'm not sure that calling it a stack represents its complexity accurately. It's a system/architecture.

In order to keep your apps away from each other, you would need to use the app config to deploy each one into a separate kubernetes network space (not hard, just give the network a different name in each case and kubernetes takes care of it).

You then use something like Traefik (and maybe some other products to do load balancing and authentication) to allow only the parts of the kubernetes network that you specify to ingress/egress.

There are lots of videos and online courses explaining Kubernetes networking, so I'll stop there as I'm certainly no definitive expert either, but the model of "walled garden" and using firewalls and VLANs to keep apps separated is dead under the container orchestration/DEV-OPS model.

Yeah, I have not played around with Kubernetes yet, but it does sound interesting and powerful. My TrueNAS Core system has been rock stable, so I hesitate to mess with it.

While generally I can run most things in Core, SCALE being built on Linux opens up more options for apps. I was considering a hypervisor at some point, but since this is a home environment I did not see the need to add another layer of complexity.

o1982

Dabbler
Hi

So I have used TrueNAS Core for some years now and had some problems, but nothing I couldn't get help with here.
I am happy with Core but wanted to try SCALE.

My problem is to get my head around the differences from how the jails were working to how the apps are working.

All my jails were working with different VLANs and some even dedicated NICs.

I can set up and get the VLANs and bridges working with VMs in SCALE, but I cannot figure out how to get the apps away from the main IP that the server has.
I don't want to run all apps on the same IP and just use different ports.
I have my firewall and network set up differently.

Is it possible to give the apps a VLAN or a dedicated NIC?
Did you find a solution to route an app through a specific interface?