Stop Trusting Your Nodes
Zero trust architectures should not treat nodes as highly privileged components.
Istio's installation has a long, winding, complex history, leading to an interesting current state. In this post, I hope to explain some of the historical context of how we arrived at the current state, and where I think the project is going. This is all my personal perspective and memory of things that happened years ago, so there is likely some divergence from reality. The Past When I first started working on Istio in 2019, Istio 1.0 had just been released. The ecosystem was a pretty different place back then. ...
How we built a best-of-both-worlds experience with Istio ambient mode.
Installing Istio... how hard could it be? A simple istioctl install is all you need... right?
Does Istio ambient introduce a SPOF? No.
Sidecarless? Why not podless?
How Istio tests its networking proxy without Kubernetes, Docker, or root.
tl;dr: it just works
Like most other Kubernetes controllers, Istio is written in Go and relies on the client-go library. While this provides an excellent low-level building block, its use in higher-level code in Istio led to a variety of issues, which in turn led us to develop our own higher-level, opinionated client for Istio. This post covers the issues we faced and how we incrementally solved them. Background knowledge At a high level, client-go provides a few layers for interactions with the API server: ...
Which features I recommend using, or not using, in Istio