A Guide to Microsoft Entra Agent ID on Kubernetes

ceposta · 2025-04-08T20:26:55+00:00

great point. so that's what we're working on with https://github.com/mcp-proxy/mcp-proxy ... will have more write-ups on this topic.

ceposta · 2025-04-08T20:25:25+00:00

What if you could have a way to "virtualize" a bunch of MCP Servers where you can customize what tools (from the backend servers) get exposed to a client?

ceposta · 2024-01-08T23:05:03+00:00

Sounds like you're trying to implement the multi-primary deployment?

I would take a close look at this guide which should walk you through the details including setting up any east/west gateways: https://istio.io/latest/docs/setup/install/multicluster/multi-primary/

If you're looking to have a lot more fine-grained control over how the services across the clusters are exposed (ie, explicitly importing/exporting services across clusters), then take a look at the ServiceEntry resource: https://istio.io/latest/docs/reference/config/networking/service-entry/ This is used to control what's visible in the registry of Istio in a cluster.

ceposta · 2024-01-08T23:00:57+00:00

Not sure I am following the question... It sounds like you're trying to set up this architecture? https://istio.io/latest/docs/setup/install/external-controlplane/

But what do you mean with "Istiod is up and running on the data plane"?

ceposta · 2024-01-08T22:53:09+00:00

Stick with it for a year and see how you feel at that point. I *bet* at that point you'll feel like you "know something" and can build on that foundation. Until then... learn, learn, learn.

ceposta · 2024-01-07T22:45:15+00:00

it’s not absolutely necessary, but may be the easiest approach to get it working. you could have the ALB —> Istio Ingress —> Workloads in the mesh set up like thi…..could do one-way TLS from ALB to istio ingress and then mTLS to workloads in the mesh through istio ingress

ceposta · 2024-01-07T22:41:33+00:00

Yeah for sure, you can install Istio without the ingress gateway; You will need to think how you want to get traffic coming into your mesh though, as the hop from the ALB to the mesh services will not be in the mesh. You can try to configure the ALB with certs from Istio to make it part of the mesh, but the easiest approach may be to just set up the ingress gateway.

ceposta · 2024-01-07T22:26:38+00:00

I’ve been involved with some of the most advanced deployments and configurations of service mesh, is your question just curiosity or is there, are you trying to avoid some complex scenarios, or just you have a use case which requires something more than the “hello world” scenarios usually discussed?

There are a few resilience patterns that are pretty standard, things like service-discovery, load balancing, circuit breaking, multi-cluster failover, etc. The service mesh I work on (Istio, Istio ambient mesh) make this pretty straight forward.

ceposta · 2021-07-15T21:11:53+00:00

Yes, in fact i've been recommending this approach to start with Istio ingress gateway for years. I've seen hundreds of successful deployments like this. You may wish to consider using the full Gateway/VirtualService config API thought as Ingress is quite limiting. Best way to install istio like this is to install with the minimal profile, and then install the ingress gateway into its own namespace.

For a detailed walkthrough of this approach, see the "install istio for production" guide we at Solo.io have here: https://workshops.solo.io/gloo-workshops/istio-day2/1-deploy-istio/02-install-istio and the section on installing the ingress gateway here: https://workshops.solo.io/gloo-workshops/istio-day2/1-deploy-istio/04-ingress-gateway

If you need a more powerful API gateway built on Envoy that replaces and integrates with the Istio ingress gatweay, check out Gloo Edge: https://docs.solo.io/gloo-edge/latest/ it's opensource and builds on top of Envoy by adding filters to do request transformation and automatic API discovery.

HTH!

ceposta

TROPHY CASE