[AWS Blog] Transforming Istio into an enterprise-ready service mesh for Amazon ECS
How Istio ambient mode brings an enterprise-ready service mesh to Amazon ECS.
Scaling Ambient In Your Sleep
How ambient achieves massive scale without toil.
"Zero to Value" in two steps with Istio ambient mode
When we first started designing what eventually became Istio ambient mode, there were many directions we explored, both in terms of implementation, and what our goals were. What resonated most, though, was that we wanted to provide an incredibly easy onboarding story for a subset of functionality. This subset, ultimately, was getting Mutual TLS deployed for all service-to-service communication within a cluster. I talk a bit more about this here. Since then, I think we have delivered on this promise... and gone even further! In this post, I wanted to highlight some of the areas that I think ambient helps deliver some serious value to users with minimal complexity. ...
Looking back on "Building Better Controllers" 2 years later
Over 2 years ago, I started working on some ideas to build better Kubernetes controllers. In this post, I wanted to give a bit of a retrospective on how things have gone since then. Over the years working on Istio and other projects, I observed a number of major issues with controllers: Most code was about error-prone event handling and state reconciliation, rather than business logic. Most tests, in turn, were about the same. This, in turn, made the code extremely complex, brittle, and often incorrect. This complexity lead to user facing compromise: incorrectness and performance issues. You might argue I should just write a better controller that is faster and without bugs. Maybe, but probably not. ...
[Cloud Native Now Blog] How Istio Ambient is Revolutionizing Cloud Connectivity
External Blog Post.
On-Demand Development Environments
Tools to create reproducible development environments are basically everywhere these days, from Development Containers to Nix wrappers to questionable Docker hacks. However, all of these (that I have found) have a common flaw that bothers me: they all require eagerly fetching the entire environment to get anything done. This kills the premise of these environments providing any easy on-ramp for users when the first step is to download GBs of binaries. Across projects I work on, we have probably 5-10GB of dependencies, but its extremely unlikely a single developer will use more than a fraction of these at a time. Even for repeat contributors, updates to these are not always incremental (though some are), bringing continued pain as time goes on. ...
Inline (YAML) Langauge Injection in JetBrains IDEs
JetBrains IDEs (IntelliJ, GoLand, etc) have a nifty feature called Language Injection that lets you get full language features when a language is embedded within another. For example, a SQL query within a string within a Go file. A few of these come out of the box, but they are pretty limited -- I only had some XML ones prior to enabling the Databases plugin which added a few SQL ones. Fortunately, there is the ability to add custom ones. Unfortunately, this is expressed in a proprietary language with, as far as I can tell, zero documentation. ...
I just want mTLS on Kubernetes
An overview of options to deploy mTLS on Kubernetes
NetworkPolicy: the wrong solution to the right problem
Core problems with the API make it a challenging to use in a secure, scalable manner.
Stop Trusting Your Nodes
Zero trust architectures should not treat nodes as highly privileged components.