Network Reference¶

Network configuration and addressing for the fzymgc-house cluster.

IP Addressing Summary¶

Network	CIDR	Purpose
Node Network	`192.168.20.0/24`	Physical node IPs
Pod Network	`10.42.0.0/16`	Kubernetes pods
Service Network	`10.43.0.0/16`	Kubernetes services
MetalLB Pool 1	`192.168.20.145-149`	LoadBalancer VIPs
MetalLB Pool 2	`192.168.20.155-159`	LoadBalancer VIPs

Node Addresses¶

Control Plane Nodes¶

Node	IP Address	Role
tpi-alpha-1	`192.168.20.101`	Control plane (etcd)
tpi-alpha-2	`192.168.20.102`	Control plane (etcd)
tpi-alpha-3	`192.168.20.103`	Control plane (etcd)

Worker Nodes¶

Node	IP Address	Board
tpi-alpha-4	`192.168.20.104`	alpha
tpi-beta-1	`192.168.20.111`	beta
tpi-beta-2	`192.168.20.112`	beta
tpi-beta-3	`192.168.20.113`	beta
tpi-beta-4	`192.168.20.114`	beta

Virtual IPs¶

Address	Purpose	Provider
`192.168.20.140`	Kubernetes API VIP	kube-vip
`192.168.20.145-149`	Service LoadBalancers	MetalLB
`192.168.20.155-159`	Service LoadBalancers	MetalLB

DNS Configuration¶

External DNS (Cloudflare)¶

Domain: fzymgc.house

Record	Type	Target	Proxy
`vault`	CNAME	Cloudflare Tunnel	No (TCP passthrough)
`auth`	CNAME	Cloudflare Tunnel	Yes
`grafana`	CNAME	Cloudflare Tunnel	Yes
`argocd`	CNAME	Cloudflare Tunnel	Yes
`windmill`	CNAME	Cloudflare Tunnel	Yes
`mealie`	CNAME	Cloudflare Tunnel	Yes
`longhorn`	CNAME	Cloudflare Tunnel	Yes

Internal DNS Subdomain¶

k8s.fzymgc.house - Direct cluster access (not via Cloudflare)

Record	Type	Target
`*.k8s`	A	MetalLB Traefik VIP

Kubernetes DNS (CoreDNS)¶

Pattern	Resolution
`<svc>.<ns>.svc.cluster.local`	Service ClusterIP
`<pod-ip-dashed>.<ns>.pod.cluster.local`	Pod IP
`<svc>.<ns>.svc`	Short form (within cluster)

Ingress Architecture¶

Traffic Flow - External¶

Internet
    |
    v
Cloudflare Edge (WAF, DDoS protection)
    |
    v
Cloudflare Tunnel (encrypted)
    |
    v
cloudflared pod (namespace: cloudflared)
    |
    v
Traefik (namespace: traefik)
    |
    v
Backend Services

Traffic Flow - Internal¶

Internal Client
    |
    v
DNS: *.k8s.fzymgc.house -> MetalLB VIP
    |
    v
Traefik (namespace: traefik)
    |
    v
Backend Services

Traefik Configuration¶

Entrypoints¶

Name	Port	Protocol	Purpose
web	80	HTTP	Redirect to HTTPS
websecure	443	HTTPS	TLS termination

Middleware¶

Name	Namespace	Type	Purpose
authentik-auth	authentik	ForwardAuth	SSO authentication
redirect-https	traefik	RedirectScheme	HTTP to HTTPS

TLS Configuration¶

Certificate	Issuer	Domains
Wildcard	Let's Encrypt	`*.fzymgc.house`
Per-service	Let's Encrypt	Individual hostnames

MetalLB Configuration¶

Address Pools¶

apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: default
spec:
  addresses:
    - "192.168.20.145-192.168.20.149"
    - "192.168.20.155-192.168.20.159"

L2 Advertisement¶

All pools use L2 mode (ARP) for service advertisement.

apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: default
spec:
  ipAddressPools:
    - default

Calico Network Policies¶

Default Policies¶

Policy	Effect
Default deny ingress	All namespaces start with no ingress allowed
Allow DNS egress	Pods can reach CoreDNS
Allow internet egress	Pods can reach external addresses

Namespace Isolation¶

Each namespace has explicit NetworkPolicy resources allowing:

Ingress from Traefik (for HTTP services)
Ingress from monitoring (for metrics scraping)
Ingress from within the same namespace

Cloudflare Tunnel¶

Tunnel Configuration¶

Setting	Value
Tunnel Name	`fzymgc-house-main`
Namespace	`cloudflared`
Replicas	2
Protocol	QUIC (primary), HTTP/2 (fallback)

Ingress Rules¶

Configured in Cloudflare Zero Trust dashboard, routes to:

http://traefik.traefik.svc:80 (most services)
tcp://vault-active.vault.svc:8200 (Vault - TCP passthrough)

Port Reference¶

External Ports¶

Port	Protocol	Service
443	HTTPS	All web services (via Cloudflare)
6443	HTTPS	Kubernetes API (internal only)

Internal Service Ports¶

Service	Port	Protocol
Traefik	80/443	HTTP/HTTPS
Vault	8200	HTTPS
Authentik	80	HTTP
Grafana	3000	HTTP
ArgoCD	80/443	HTTP/HTTPS
VictoriaMetrics	8428	HTTP
Loki	3100	HTTP

Troubleshooting¶

Verify MetalLB¶

kubectl get ipaddresspools -n metallb
kubectl get l2advertisements -n metallb
kubectl get svc -A | grep LoadBalancer

Check Traefik Routes¶

kubectl get ingressroutes -A
kubectl get ingressroutetcps -A
kubectl get middlewares -A

DNS Resolution¶

# From within cluster
kubectl run -it --rm debug --image=busybox -- nslookup vault.vault.svc

# External resolution
dig vault.fzymgc.house

Network Policy Debugging¶

kubectl get networkpolicies -A
kubectl describe networkpolicy <name> -n <namespace>