Hubble Functionality Guide

Hubble is Cilium’s observability platform built on top of eBPF for network visibility and monitoring.

Components Overview

1. Hubble (in Cilium Agent)

Location: Runs inside each Cilium pod (DaemonSet on every node)

Functionality:
- Captures network flows using eBPF at the kernel level
- Monitors all pod-to-pod traffic on that node
- Collects metadata: source/dest IPs, ports, protocols, HTTP methods, DNS queries
- Stores flows in memory (ring buffer)
- Exposes gRPC API on port 4244 for querying flows

What it sees: ...

October 27, 2025 · 4 min · 776 words · Shawn Zhang

Implement mTLS using Istio Spire Integration

Istio + SPIRE Integration - Complete Setup Guide

This guide provides step-by-step instructions to integrate Istio with SPIRE for workload identity management.

Prerequisites
- Kubernetes cluster (tested on EKS)
- kubectl configured with cluster access
- helm 3.x installed
- istioctl installed
- Cluster context name (e.g., foo-eks-cluster)

Step 1: Install SPIRE

1.1 Add SPIRE Helm Repository

    helm repo add spiffe https://spiffe.github.io/helm-charts-hardened/
    helm repo update

1.2 Install SPIRE CRDs

    helm install spire-crds spiffe/spire-crds \
      -n spire-server \
      --create-namespace

1.3 Install SPIRE Server and Agent

Create a values file for your cluster. For example, spire-values-foo-cluster.yaml: ...

October 20, 2025 · 13 min · 2628 words · Shawn Zhang

How Istio mTLS With Spire Works

Istio mTLS with SPIRE - How It Works

Overview

When using Istio with SPIRE, applications communicate using plain HTTP, but the Istio sidecars automatically upgrade connections to mTLS using SPIRE-issued certificates. This provides transparent security without requiring application code changes.

Communication Flow

    sequenceDiagram
        participant Curl as curl container (Plain HTTP)
        participant CurlProxy as curl's istio-proxy SPIFFE: spiffe://foo.com/ns/default/sa/curl
        participant HttpbinProxy as httpbin's istio-proxy SPIFFE: spiffe://foo.com/ns/default/sa/httpbin
        participant Httpbin as httpbin container (Plain HTTP)
        Curl->>CurlProxy: 1. HTTP Request http://httpbin:8000/headers
        CurlProxy->>HttpbinProxy: 2. mTLS Handshake (mutual authentication)
        CurlProxy->>HttpbinProxy: 3. Encrypted mTLS Connection (SPIRE certificates)
        HttpbinProxy->>Httpbin: 4. HTTP Request (decrypted, localhost)
        Httpbin->>HttpbinProxy: HTTP Response
        HttpbinProxy->>CurlProxy: 5. Encrypted Response (adds X-Forwarded-Client-Cert)
        CurlProxy->>Curl: HTTP Response (decrypted)

Step-by-Step Process

1. Application Makes HTTP Request

    curl http://httpbin:8000/headers

- The curl container sends a plain HTTP request
- No TLS, no certificates, no encryption at application level

2. Sidecar Intercepts Request
- curl’s istio-proxy sidecar intercepts the outbound HTTP request
- Determines the destination is httpbin service

3. mTLS Handshake
- curl’s sidecar initiates mTLS connection to httpbin’s sidecar
- Both sidecars present their SPIRE-issued certificates:
  - curl sidecar: spiffe://foo.com/ns/default/sa/curl
  - httpbin sidecar: spiffe://foo.com/ns/default/sa/httpbin
- Mutual authentication succeeds using SPIRE trust domain

4. Encrypted Communication
- HTTP request is encrypted and sent over mTLS connection
- Only the sidecars handle encryption/decryption
- Application containers remain unaware of TLS

5. Sidecar Forwards to Application
- httpbin’s sidecar decrypts the request
- Forwards plain HTTP to httpbin container on localhost
- Adds X-Forwarded-Client-Cert header with client identity

6. Response Returns
- httpbin container sends HTTP response
- httpbin’s sidecar encrypts it with mTLS
- curl’s sidecar decrypts and forwards to curl container

Evidence of mTLS

X-Forwarded-Client-Cert Header

    {
      "X-Forwarded-Client-Cert": [
        "By=spiffe://foo.com/ns/default/sa/httpbin;Hash=...;Subject=\"O=SPIRE,C=US\";URI=spiffe://foo.com/ns/default/sa/curl"
      ]
    }

This header proves: ...

October 17, 2025 · 4 min · 828 words · Shawn Zhang

Thoughts of Vibe Coding

Has the Human Engineer Become Obsolete? On the Contrary, Their Role is More Critical Than Ever

Can AI coding assistants replace human engineers? I believe the answer is no, at least not in the current technological landscape.

Through my recent work on several customer proof-of-concepts, I’ve observed that AI coding tools following the Vibe Coding methodology excel at rapid prototyping when provided with clear specifications. They perform exceptionally well for straightforward tasks—implementing specific fixes, adjusting styles, or building simple applications like Todo lists or Snake games. For these well-defined, isolated tasks, AI assistants demonstrate remarkable efficiency. ...

September 9, 2025 · 2 min · 341 words · Shawn Zhang