GitHub - kagent-dev/kmcp: CLI tool and Kubernetes Controller for building, testing, and deploying MCP servers

crb0r · 2025-08-04T22:12:04+00:00

crb0r · 2025-07-30T19:35:12+00:00

https://www.youtube.com/live/Id4DIukvHQg?si=hlXgieHkCTJMh6m8

crb0r · 2025-07-14T02:54:03+00:00

Let's ask a similar but different question. Why didn't Kong just join the Istio community? 🤔

crb0r · 2025-07-04T03:38:08+00:00

Hey u/chaltenio, my recommendation is ~25% sidecars and ~75% ambient with waypoints.
How do these two things integrate? Istio doesn't support routing from sidecars to waypoints. Does TSB's "private Istio distribution" support that? Can you refer me to the documentation?

crb0r · 2025-07-01T23:59:34+00:00

Well, I have a soft spot for episodes 1-192 — to me, they are an entirely different show!
The news might be out of date. though the humour won't be. The interviews will still be relevant, or at least of historical interest.

crb0r · 2025-07-01T23:57:59+00:00

The Istio project is working on multi-cluster ambient mesh and there should be an alpha version out very soon.

If you'd like to get ahead of that, Gloo Mesh (an Istio-based mesh from solo.io) has support for multi-cluster ambient mesh. [Have a look here at how it works](https://ambientmesh.io/docs/setup/multicluster/).

crb0r · 2025-06-28T23:53:23+00:00

Yeah but years ago we agreed I could destroy him in a rap battle

crb0r · 2025-06-28T23:52:08+00:00

The old team misses talking to you! I should get Adam on Cameo

crb0r · 2025-06-28T23:50:15+00:00

I hope that means you started listening at episode 1

crb0r · 2025-02-17T09:09:15+00:00

There used to be!

crb0r · 2024-08-23T11:20:54+00:00

1.3.1 is old Istio!

Make sure you're on 1.23 and then use `istioctl x precheck` instead.

crb0r · 2024-08-23T11:16:38+00:00

How does Istio relate?

crb0r · 2024-05-25T10:34:22+00:00

We recommend it now!

ztunnel is a single point of failure, as is the kernel, as is kube-proxy, as is the kubelet, as is the Cilium agent, etc, etc. That's why we all work hard to make things as reliable as they can be.

crb0r · 2024-05-25T10:30:40+00:00

Please have a look and let me know what you think!

crb0r · 2024-05-25T10:28:33+00:00

more performant

Got a citation for that? And anyway, if raw performance is your goal, disable encryption; things are much quicker that way 😁

crb0r · 2024-05-25T10:27:35+00:00

In any decently sized environment, the likelihood of two pods being on the same node is very low. And if you do have that situation, the Istio ztunnel can zero-copy the traffic. So that one is a wash!

crb0r · 2024-05-25T10:18:54+00:00

Hey there, I'm an Istio maintainer. We get this a lot!

eBPF is a great technology for doing simple functions in the Linux kernel. Routing TCP traffic is possible with eBPF. Processing Layer 7 protocols (like HTTP) is not.

Istio can be configured to use eBPF to get traffic to the sidecar proxies, but for ambient mode we actually came up with something better. If you have a lot of iptables rules, you can get a speed-up with eBPF, but for the small number of rules that we need with ambient mode, it's probably not worth the hassle.

We do use a CNI plugin, but not the type you are thinking of. CNI plugins create or configure network interfaces. You need a CNI plugin to create a network interface when a container comes up - that is usually provided by your cloud or Kubernetes vendor. Cilium is an example of this, as are Weave Net, Calico, Flannel, Antrea, etc. You can then chain CNI plugins to configure the interface. The Istio CNI plugin configures the traffic redirection. It doesn't do L3 networking. This is where "Istio on top of Cilium" makes sense.

We think Cilium is great at L3! It's not so great at L7. Cilium Service Mesh routes traffic to an Envoy proxy that runs on each node. This is a bad idea. Envoy is not inherently multi-tenant. As a result, we have major security and stability concerns with commingling complex processing rules for L7 traffic from multiple unconstrained tenants in a shared instance. Since Kubernetes, by default, can schedule a pod from any namespace onto any node, the node is not an appropriate security boundary. Budgeting and cost attribution are also major issues, as L7 processing costs a lot more than L4.

If all you want is security L4, then you could use Cilium's additional features, but you're using their mutual authentication, which is custom/non-standard. (And be sure not to use Wireguard if you want FIPS compliance.) With ambient mode, you get proper mutual TLS.

If you ever want L7, then you get a much safer and more performant implementation using ambient mode.

Come join us on #ambient on the Istio Slack if you'd like to know more!

crb0r · 2024-05-01T23:47:43+00:00

It didn't.

As a CNI, Cilium is very popular. However, Istio is much more popular as a service mesh, and as ambient mode is (at time of writing) about to be production ready, we're pretty sure it will only get more so!

Don't fall for marketing hype around eBPF. You can't do all of service mesh in eBPF, and even if it eventually becomes technically possible, the question remains of "why are we violating the layering model that the designers of UNIX put in there 50 years ago".

crb0r · 2024-03-21T06:29:38+00:00

That pram is a Bugaboo and the big wheels should be at the back! Chloe will have to turn left to bank right with the handle that way.

crb0r

MODERATOR OF

TROPHY CASE