| ▲ | cyberpunk 8 hours ago |
| To be fair, istio and cilium are extremely useful tools to have under your belt. There’s always a period of “omgwhat” when new senior engineers join and they want to improve things. There’s a short window between joining and getting bogged into a million projects where this is possible. Embrace it I recon. |
|
| ▲ | p_l 3 hours ago | parent [-] |
| Doing it well IMO requires not deploying everything as sidecar but maybe, maybe, deploying it as shared node service. In fact pretty sure I've read a write up from Alibaba? on huge wins in performance due to moving Istio out of sidecar and into shared node service. |
| |
| ▲ | cyberpunk an hour ago | parent [-] | | Sure, cilium is also much faster than istio. But I guess it depends on your workload. We don't care all that much about performance vs compliance (non-hft finance transactional stuff) and I think we're doing things reasonably well. :} | | |
| ▲ | p_l 17 minutes ago | parent [-] | | I didn't mean replace istio with cilium, I meant running the proxy and routing operations as shared part per node instead of per pod | | |
| ▲ | cyberpunk a minute ago | parent [-] | | How does that even work with envoy? The magic sauce behind istio is that every connection is terminated using iptables into the envoy process (sidecar), and istiod spaffs envoy configurations around the place based on your vs/dr/pas/access controls etc. I suppose you could have a giant envoy and have all the proxy-configs all mashed together but I really don't see any benefit to it? I can't even find documentation that says it's possible.. |
|
|
|
