CatOps
DevOps and other issues by Yurii Rochniak (@grem1in) - SRE @ Preply && Maksym Vlasov (@MaxymVlasov) - Engineer @ Star. Opinions on our own.

We do not post ads including event announcements. Please, do not bother us with such requests!
I remember being at a meetup at the Twitter HQ where people were talking about the success of Finagle and eventually presented an idea and some first versions of Linkerd.

That was in 2017, and now Linkerd is a graduated CNCF project.

Congratulations!

Here is an interesting part:

Linkerd is the first service mesh to rise to the level of graduation. But Linkerd has a long history of firsts: Linkerd was the first service mesh project and the one to coin the term itself. It was the first project to enter the CNCF’s inception (now sandbox) phase. It was the first CNCF project to adopt Rust

P.S. A nostalgic photo from the Twitter HQ

#networking
Back in the day, a friend of mine was ranting that spinning up a VPN server in Kubernetes is not as straightforward as online tutorials suggest.

Now, you can make a WireGuard operator do it for you. I haven't personally tested this operator. Yet, it has some positive comments on Reddit.

#kubernetes #networking
Folks talk a lot about networking in Kubernetes, but not so much about networking in Nomad.

Here’s an article that describes the latter.

Karan has some other great articles about Nomad in his blog, by the way. So, feel free to check other stuff too!

#nomad #hashicorp #networking
I got my education in Telecommunications. That's not a very important fact right now, because I don't work in this field, thus I have likely forgotten everything I learned 😄

However, articles like this one spark somewhat nostalgic feelings.

Microsoft has written in their blog about how lessons learned from cloud technologies help improve the security of telecom networks.

This article also contains links to related research and practices. So, you can still find some interesting bits about modern-day security approaches even if you're not interested in telecom networks specifically.

#security #networking #microsoft
The whole purpose of managed services is that you don't need to care much about many things except costs. Yet, cost management can be tricky in the cloud.

Obviously, there are many consultants and services that build their business model on helping people save some bucks.

However, there are also community solutions.

For example, here’s a community calculator for AWS VPN and a similar calculator for Google Cloud VPN.

Bonus: Reddit discussion about the Google Cloud VPN Costs calculator.

#aws #gcp #costs #networking
I remember people creating NAT instances in AWS because NAT Gateway was not available at the time.

Now, some claim that NAT Gateway is too expensive, thus NAT instances are the way.

The circle is complete, I guess.

Anyways, here's alterNAT - self-provisioned NAT instances in AWS.

To be completely honest, there are indeed use cases for NAT instances, and they do not claim that this solution is for everyone.

#aws #networking
Kubeshark is a traffic viewer for Kubernetes providing deep visibility into all API traffic and payloads going in, out and across containers and pods inside a Kubernetes cluster.

I don't have much to add here. This is basically a Wireshark for Kubernetes. So, you probably know if you need something like this. Otherwise, I would say that one can live OK without it. Yet, if you ever need to analyze what's going on with requests in your cluster, you can always use this tool!

#kubernetes #networking
A couple of days ago I attended a CNCF meetup here in Berlin (full recording is available on YouTube). So, I want to share some things that were presented there.

- NeuVector - an open-source security solution for Kubernetes recently bought by SUSE. It has a UI, so one can do click-ops if they want, but one can then export all the rules into custom definitions and apply them in any other cluster. Obviously, you can configure NeuVector using only YAML as well. Feel free to explore their GitHub. Although, the website has more information about the tool.

- Tetragon - another real-time observability/security tool based on eBPF by the developers of Cilium. It doesn’t do CVE scans like NeuVector, but provides some real-time visibility and rules enforcement. Also, it doesn’t have a fancy UI.

- Cilium service mesh. It's also based on eBPF. Check it out if you want to have a service mesh, but are not sure about heavyweight solutions like Istio.

- Despite the several Cilium-based tools I mentioned before, the second talk was about the Cilium Cluster Mesh. It's not new, but this solution looks very promising, especially if you're running multiple clusters for HA or multi-region purposes.

#Kubernetes #security #networking
I love reading postmortems. A good postmortem usually unveils a set of problems some of which you can have in your company as well. As they say: there is never a single root cause.

Here is a postmortem from Reddit about their Pi-day outage.

It has everything you love: complex systems, legacy software, processes that were not tested that well, sacred knowledge that is long gone, etc.

Don't get me wrong, I'm saying that not to shame Reddit. In fact, they did a great job highlighting all the problems. It's much harder and takes more courage than just saying: Calico broke, Calico bad.

Also, I have similar problems at my place as well, and I bet you have too. This is why it's important to recognize the importance of such "low-priority tech debt". Cleaning that out may save your company's ass someday.

#kubernetes #networking #postmortem
An interesting read by Monzo about how they implemented Kubernetes Network Policies for 1.5k microservices.

There are some questionable parts in there, in my opinion. For example, why build your own tool to "guess" where an app connects to when you could use a network monitoring tool? However, those are not directly related to the main topic.

An interesting part is how folks in Monzo "reverted" the idea behind Network Policies using templating. So, instead of a target service allowing internal connections, a caller can specify the groups of services it wants to connect to.

Although I think it partially negates the idea of Network Policies, I can completely understand why Monzo did that from the UX perspective.

Also, here's a Reddit discussion on the topic. I love the top comment there:

- How would you even know that another team plans to connect your apps?
- By communicating...

#kubernetes #networking
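To make the "reverted" model concrete, here is an added example (not Monzo's tooling, and not code from the post): a small generator that takes caller-side declarations in an assumed per-service manifest format (each service lists the groups it belongs to and the groups it wants to reach) and emits the ingress NetworkPolicy on each target, plus a namespace-wide default-deny so the generated rules are the only way in. The `app` pod label, the group names, and the sample services are all constructed for the illustration.

```python
from __future__ import annotations

from typing import Dict, List

# Constructed sample input (assumed manifest format, not Monzo's): every service
# declares which groups it is part of and which groups it needs to talk to.
SERVICES: Dict[str, dict] = {
    "web":       {"groups": ["frontend"], "talks_to": ["api"]},
    "mobile":    {"groups": ["frontend"], "talks_to": ["api"]},
    "gateway":   {"groups": ["api"],      "talks_to": ["payments"]},
    "ledger":    {"groups": ["payments"], "talks_to": []},
    "reporting": {"groups": ["batch"],    "talks_to": ["payments"]},
}

APP_LABEL = "app"  # assumed pod label that carries the service name


def callers_of(target: str, services: Dict[str, dict]) -> List[str]:
    """Services that declared a dependency on any group the target belongs to."""
    target_groups = set(services[target]["groups"])
    return sorted(
        name
        for name, spec in services.items()
        if name != target and target_groups & set(spec["talks_to"])
    )


def default_deny_ingress(namespace: str) -> dict:
    """Empty podSelector selects every pod; with no ingress rules listed,
    all ingress to the namespace is denied unless another policy allows it."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "default-deny-ingress", "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
    }


def ingress_policy(target: str, services: Dict[str, dict], namespace: str) -> dict:
    """Ingress policy on the target, derived purely from the callers' declarations."""
    callers = callers_of(target, services)
    spec = {
        "podSelector": {"matchLabels": {APP_LABEL: target}},
        "policyTypes": ["Ingress"],
    }
    if callers:
        spec["ingress"] = [{
            "from": [{
                "podSelector": {
                    "matchExpressions": [
                        {"key": APP_LABEL, "operator": "In", "values": callers}
                    ]
                }
            }]
        }]
    # With no callers the `ingress` key is omitted: the policy still selects the
    # pod and lists no allow rule, so nothing gets in (same as the default-deny).
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"allow-callers-{target}", "namespace": namespace},
        "spec": spec,
    }


def build_policies(services: Dict[str, dict], namespace: str = "default") -> Dict[str, dict]:
    """Full policy set for the namespace: default-deny plus one allow policy per service."""
    policies = {"default-deny-ingress": default_deny_ingress(namespace)}
    for name in services:
        policies[f"allow-callers-{name}"] = ingress_policy(name, services, namespace)
    return policies


def unresolved_dependencies(services: Dict[str, dict]) -> Dict[str, List[str]]:
    """Groups a caller names that no service belongs to. A typo here produces no
    allow rule and the call is silently denied, so it must fail at generation time."""
    known = {g for spec in services.values() for g in spec["groups"]}
    return {
        name: sorted(set(spec["talks_to"]) - known)
        for name, spec in services.items()
        if set(spec["talks_to"]) - known
    }


if __name__ == "__main__":
    import json

    missing = unresolved_dependencies(SERVICES)
    if missing:
        raise SystemExit(f"unknown groups referenced: {missing}")
    print(json.dumps(build_policies(SERVICES, "prod")["allow-callers-ledger"], indent=2))
```

Two caveats worth keeping in mind with this inversion: the target's ingress policy now changes whenever any caller edits its declaration, so the whole set has to be regenerated and applied together with the default-deny, and the generated selectors only match pods in the same namespace (cross-namespace callers would need a `namespaceSelector` in the `from` clause).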
Did you know that Isovalent (the company behind Cilium) has some amazing labs that can teach you about using Cilium, Hubble, and Tetragon?

The labs have multiple tracks, such as: platform, network, security, etc.

These labs also cover topics like the new Gateway API. Doing some of these labs right now at #cfgmgmtcamp24 and love them so far!

#kubernetes #networking #cilium #ebpf
An old but great article about load balancing by Matt Klein - the creator of Envoy Proxy.

"Load balancing" is a term we often throw around, so it's always a good thing to take a glance at how it works.

Another old article is a comparison of the circuit breaking functionality between Envoy (and inherently Istio) and Netflix Hystrix, which is a dedicated circuit breaker library.

#networking