Podless Kubernetes

Sidecarless? Why not podless?

May 7, 2024 · 6 min

Testing a Kubernetes Networking Implementation Without Kubernetes

How Istio tests its networking proxy without Kubernetes, Docker, or root.

April 25, 2024 · 7 min

Securing Prometheus with Istio Ambient

tl;dr: it just works

April 15, 2024 · 2 min

Building a better Kubernetes Client

Like most other Kubernetes controllers in, Istio is written in Go and relies on the client-go library. While this provides an excellent low-level building block, usage in higher level code in Istio led to a variety of issues that led us to develop our own higher level, opinionated client for Istio. This post covers the issues we faced and how we incrementally solved them. Background knowledge At a high level, client-go provides a few layers for interactions with the API server:...

March 23, 2024 · 7 min

Opinionated Istio Feature Recommendations

Which features I recommend using, or not using, in Istio

February 6, 2024 · 6 min

Truly Extensible Proxies

Exploring an extreme service mesh architecture to maximize extensibility.

October 13, 2023 · 13 min

Proxy Layers

The OSI model attempts to build a model for network communications, where increasingly high level layers are built upon lower layers. This is only slightly useful in practice, as the real world is not so simple. In service mesh, generally discussion is reduced to L4 and L7, or TCP and HTTP. This oversimplifies the problem, leading to some confusion. Thinking in terms of termination Simply saying "HTTP" is not really clear about what is going on....

October 12, 2023 · 4 min

Service Mesh Proxy Classes

When looking at service mesh (or even general networking) architectures, the basic idea is to send network traffic through some component, which handles various functionality. This could be authentication, authorization, encryption, observability, reliability, networking, etc. There are a few different classes of components that can do this, though: Different types of proxy deployments Native application enhancement. The application itself is compiled in with functionality. This could be something like gRPC (or, even more "meshy", gRPC with xDS), Finagle, Hystrix, etc....

October 11, 2023 · 8 min

Istio Ambient is not a "Node Proxy"

The common messaging around Istio Ambient Mesh is that is a "node proxy." For example, from The New Stack ... architecture that moves the proxy functionality from the pod-level to the node-level. While this is technically accurate, it is misleading and really missing the point and benefits of Ambient. A brief history of service mesh architectures This skips quite a bit of information, but is close enough. One of the earlier service meshes on the market was Linkerd 1 - not to be confused with Linkerd 2, which most people just call "Linkerd" today....

August 22, 2023 · 3 min

Waypoint Proxies The Hard Way

How to achieve an architecture similar to "Waypoint Proxies" without ambient mesh, or even Istio.

August 22, 2023 · 11 min