GCP - GKE example - ACM

The Post: Sync to Git Repository; The Repository to be Synced; Creating the Infra and Syncing to Repository; Deploying Changes to the Cluster; Deploy; Sync to OCI Artifact; The Repository to be Synced; Creating the Infra and Syncing to OCI Artifact; Building and Deploying Changes to the Cluster; Build; Deploy; Summary. I have created some code with examples to complement GCP - GKE How to - ACM.

GCP - GKE how to - Route Logs

The Post: It’s actually WIP - most of the ideas are here but I still need to review it and think a bit more about the options I want to explore later. Problem Statement: Let’s say we have “multi-tenant GKE clusters” where many tenants deploy their workloads and have their own namespaces… they don’t access the namespaces directly, they deploy through a pipeline and manage everything without kubectl (from an IDP).

how to - Observability

This Post: This post is pretty broad, here is the table of contents: This Post; KPIs, SLOs, SLIs, SLAs and Golden Signals; Golden Signals; KPIs; SLOs and SLIs; Bringing Everything Together; Playbooks; Draft of a playbook. KPIs, SLOs, SLIs, SLAs and Golden Signals: Term / What is it used for? / What is it? Key Performance Indicators (KPI): it’s what we measure to know how we are doing. Golden Signals: the most important metrics that often help solve INCs quickly. Service Level Indicators (SLI): the limits/targets/metrics that we want to track/view, alert on, etc.

how to - DR

Overview: When talking about Disaster Recovery it’s always good to refer to RPO and RTO. There are many options here and my number 1 recommendation is that, if you can afford it and/or there is a good use case, use active/active computes, such as clusters/VMs/managed instance groups/etc. If having active/active with a “smart DNS” that does health checks for the compute instances is not a good fit (infra that doesn’t require something around 99.

OKRs - Measuring performance

OKRs: As a manager or individual contributor we have to: figure out the pains/problems; define what we have to work on; define what is an acceptable solution; define how to measure progress towards an acceptable solution. I have learned that the simpler they are, the more likely we are to actually achieve them. Also, people must buy into this idea and they must contribute by creating their own sub-OKRs.

GCP - GKE how to - ASM

This Post: I covered ASM egress and a bit of ingress in another post, Using ASM Egress and Ingress Gateways. Outbound: If running ASM in strict outbound mode - which should be the case if it’s not a development environment - then we need to use a ServiceEntry. There are multiple options, and this post, ISTIO Egress Performance, shows everything we need to know about the different options for egress. I want to talk about 2: 1.

GCP - GKE how to - External Ingress

This Post: Service Mesh - ASM and ISTIO; ASM in your GKE clusters; Receiving External Traffic…; Putting Things Together. Service Mesh - ASM and ISTIO: ASM uses an implementation of ISTIO, but just as GKE is an implementation of Kubernetes, ASM is kind of the managed version of ISTIO. I have seen people manage their own ISTIO, just like people can manage their own Kubernetes control plane - I have done it in the past and I think there are very few reasons to want to manage our own, but it really depends on what is needed.

GCP - GKE how to - ACM

TLDR: If you want something simple which works well and only applies the difference, go with Git Repository Sync; if you want something more flexible that also offers the possibility to use Binary Authorization, for example, go with OCI Artifacts. In both scenarios teams can individually manage the lifecycle of what gets synced. OCI Artifacts are usually a better choice for a bigger number of teams, and Repository Sync works well for smaller/fewer teams and/or lower environments.

Book - Thought as a System

The Post: Why do we think and react in a certain way? Why does our brain think about X when it sees/hears/feels/thinks Y? What invites the brain to connect different things, and how are feelings, thoughts, and perceptions/abstractions of reality playing a role in what we think?… How do you think? I’ve always been fascinated by a mix of the above questions, and Thought as a System by David Bohm is a good read to fuel those thoughts.

GCP - how to - VPCSC

About VPCSC: Virtual Private Cloud Service Controls allows us to enforce GCP service access perimeters - this translates to “we can specify which GCP services (APIs) can be used in a set of VPCs or projects, who can access those services, and from where they may be accessed”. VPCSC is similar to a firewall, but for GCP services (APIs)… Simple VPC-SC: Here is an example: let’s say we have pr-project-3 in VPC-SC-1 that contains images in Google Artifact Registry, and projects pr-project-2 in VPC-SC-1, np-project-2 in VPC-SC-2, and al-project-2 want to pull images from there.