Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
jq-r 10 hours ago

Those "necessary" add-ons and sidecars are out of control, but its the people problem. I'm part of the infra team and we manage just couple of k8s clusters, but those are quite big and have very high traffic load. The k8s + terraform code is simple, with no hacks, reliable and easy to upgrade. Our devs love it, we love it too and all of this makes my job pleasant and as little stressful as possible.

But we recently hired a staff engineer to the team (now the most senior) and the guy just cannot rest still. "Oh we need a service mesh because we need visibility! I've been using it on my previous job and its the best thing ever." Even though we have all the visibility/metrics that we need and never needed more than that. Then its "we need a different ingress controller, X is crap Y surely is much better!" etc.

So its not inexperienced engineers wanting newest hotness because they have no idea how to solve stuff with the tools they have, its sometimes senior engineers trying to justify their salary, "seniority" by buying into complexity as they try to make themselves irreplaceable.

ysofunny 7 hours ago | parent | next [-]

> Then its "we need a different ingress controller, X is crap Y surely is much better!" etc.

I regard these as traits of a junior dev. they're thinking technology-first, not problem-first

jppittma 8 hours ago | parent | prev | next [-]

Service mesh is complicated, but the reason you use it integrate services across clusters. That and it has a bunch of useful reverse proxy features. On the other hand, It took me and 2 other guys two evenings of blood, sweat, and tears to understand what the fuck a virtual service actually does.

It’s not strictly necessary, but if you’ve had to put in the work elsewhere, I’d use it.

cyberpunk 8 hours ago | parent | prev | next [-]

To be fair, istio and cilium are extremely useful tools to have under your belt.

There’s always a period of “omgwhat” when new senior engineers join and they want to improve things. There’s a short window between joining and getting bogged into a million projects where this is possible.

Embrace it I recon.

p_l 3 hours ago | parent [-]

Doing it well IMO requires not deploying everything as sidecar but maybe, maybe, deploying it as shared node service.

In fact pretty sure I've read a write up from Alibaba? on huge wins in performance due to moving Istio out of sidecar and into shared node service.

cyberpunk an hour ago | parent [-]

Sure, cilium is also much faster than istio. But I guess it depends on your workload. We don't care all that much about performance vs compliance (non-hft finance transactional stuff) and I think we're doing things reasonably well. :}

p_l 21 minutes ago | parent [-]

I didn't mean replace istio with cilium, I meant running the proxy and routing operations as shared part per node instead of per pod

cyberpunk 4 minutes ago | parent [-]

How does that even work with envoy? The magic sauce behind istio is that every connection is terminated using iptables into the envoy process (sidecar), and istiod spaffs envoy configurations around the place based on your vs/dr/pas/access controls etc.

I suppose you could have a giant envoy and have all the proxy-configs all mashed together but I really don't see any benefit to it? I can't even find documentation that says it's possible..

withinboredom 7 hours ago | parent | prev | next [-]

> So its not inexperienced engineers wanting newest hotness because they have no idea how to solve stuff with the tools they have, its sometimes senior engineers trying to justify their salary, "seniority" by buying into complexity as they try to make themselves irreplaceable.

The grass is always greener where you water it. They joined your company because the grass was greener there than anywhere else they could get an offer at. They want to keep it that way or make it even greener. Assuming that someone is doing something to become 'irreplaceable' is probably not healthy.

zelphirkalt an hour ago | parent | next [-]

They want to make it "greener" for whom? I think that is the question.

withinboredom 4 minutes ago | parent [-]

Wherever they came from, I suppose. There’s a reason they left.

monooso 7 hours ago | parent | prev [-]

I really don't understand this comment.

alienchow 8 hours ago | parent | prev | next [-]

How do you scale mTLS ops when the CISO comes knocking?

6 hours ago | parent | prev [-]
[deleted]