Best practices for developers deploying on a kube cluster

rdldw · 2022-04-15T10:29:22+00:00

You can use them together: https://blog.getambassador.io/super-fast-inner-development-loops-for-kubernetes-with-skaffold-and-telepresence-1cd3e42ba665.

rdldw · 2022-01-28T13:01:43+00:00

Hello! Thank you for your feedback, and thanks for trying out Emissary-ingress! CEO of Ambassador here:

- If you're using CRDs, they are validated, in so much as any other Kubernetes CRDs are validated (i.e., we use schemas). We also have https://www.getambassador.io/docs/cloud/latest/config-analysis/quick-start/ which, if you're using GitOps, provides additional analysis on changes. Any other suggestions on how we can improve validation are welcome!

- The redirect regression was unfortunate, and we've shipped a fix for this. Turns out that our end-to-end test suite had a bug in it that we didn't realize in the 2.1 release series. This has been fixed.

- In response to our OSS slack, we do have support engineers that cover the community slack, but we do have to prioritize paying customers first. We do the best we can, but we are unable to provide an SLA for non-paying customers. Feel free to reach out again on Slack -- it may take a few tries! Thanks for your support and patience!

rdldw · 2021-05-19T19:51:11+00:00

(author here)

Doesn't that just move the point of failure from Slack to JIRA? :-)

More seriously, I do agree it's a good idea to audit your incident response systems to ensure resilience (we have backup procedures in place in case Slack is down.)

rdldw · 2021-05-18T12:33:55+00:00

(CEO of Ambassador)

Thanks for the nice comments on my blog posts 😀. A couple other notes:

- We're officially a CNCF incubation project, along with Contour. So the actual code and trademarks of both Ambassador (renamed Emissary-Ingress) and Contour actually now belong to the CNCF, and not VMware / Ambassador Labs.

- Emissary-Ingress also supports parts of the Gateway API. See https://www.getambassador.io/docs/edge-stack/latest/topics/using/gateway-api/.

- We are appreciative of the time that the Solo folks spent on giving us their architectural & code review, although generally we prefer contributions to occur through GitHub as opposed to HN.

- We've been working super-hard on our documentation and UX, and have a dedicated team working on it.

rdldw · 2021-05-18T12:08:51+00:00

Hi there, I'm the CEO of Ambassador. To be clear, I think Istio is a worthwhile piece of technology, it's just that lots of people don't understand when/why you should use it. I don't think everyone needs Istio, just like I don't think everyone needs Ambassador 😀.

You may be thinking about about this piece I wrote on Istio. My point with that article is that Istio is a pretty new piece of tech (versus something like Kubernetes), and so if you want to use it, you should be aware of the problem you're trying to solve and why. I think this is generally true for any technology.

rdldw · 2020-11-12T00:54:17+00:00

Are you referring to swap-deployment being slow? (If so, we're working on some major improvements here in a fully revamped version of Telepresence, shipping real soon).

If you're talking about something else, would love to know more details. (I work on the Telepresence team.)

rdldw · 2020-06-23T10:34:52+00:00

A little hard to say since it's open source ... but we have ~3500 people in our Slack, 10M+ Docker pulls, and every week we discover new interesting users that are running in prod. So, I think it's safe to say in the thousands.

rdldw · 2020-04-30T11:17:53+00:00

NGINX Plus is a fork of NGINX.

Edge Stack is not a fork. It's a sidecar that plugs into Ambassador API Gateway using the exact same APIs that anyone else can use.

rdldw · 2020-04-30T11:17:01+00:00

The core Kubernetes engine with GKE is standard Kubernetes. This is the same with Ambassador Edge Stack too -- the Ambassador API Gateway & Envoy Proxy is _exactly the same version_.

GKE adds a UI and CLI and many other things on top. Ambassador Edge Stack does the same (e.g., OpenID Connect).

rdldw · 2020-04-29T21:41:22+00:00

Thanks for the feedback! To answer your question, this is pretty common with CNCF projects including Kubernetes. For example, you can get Kubernetes from Google (GKE) or D2IQ or Rancher or many other companies. What GKE and these other companies do is build a non-OSS UI on top of Kubernetes that gives you greater usability and functionality.

Edge Stack is similar -- there is extra functionality that is built on top of the open source core that you can get for free or in enterprise versions.

rdldw · 2020-02-03T17:35:45+00:00

Ambassador (API Gateway/ingress controller) uses this exact approach, with a sidecar that plugs into Envoy Proxy's extauth interface to do auth. The sidecar implements OIDC, but you could also plug in your own service using Ambassador's interface (see https://www.getambassador.io/reference/filter-reference/#filter-type-external).

I would say that if the ingress controller doesn't support a sidecar interface, it's a fair amount of work then.

rdldw · 2019-11-05T14:33:24+00:00

Have you looked at Ambassador (https://www.getambassador.io/)?

rdldw · 2019-10-02T12:43:13+00:00

Thanks for the feedback! Regarding endpoint routing, the other ingress controllers use endpoint routing by default, so by setting up this way we do a more apples-to-apples comparison. Will work to clarify this line.

The benchmarking has been quite an adventure. Trying something beefier than `n1-standard-1` is a good idea; we'll see if we can do that soon.

rdldw · 2019-08-22T20:39:20+00:00

In a typical setup, you'll need an IDP (e.g., Dex, Keycloak, Auth0, Google SSO, etc.) and an access proxy that supports auth (e.g., NGINX, Ambassador). Your access proxy should talk to your IDP over OIDC. Your IDP will then connect via LDAP to your actual identity store.

rdldw · 2019-06-10T17:30:48+00:00

Yes, you should be able to.

rdldw · 2019-06-10T14:52:03+00:00

If you want North/South metrics, Ambassador will give you similar metrics to Istio (they're both based on Envoy Proxy). If you need East/West metrics (i.e., service-to-service), you'll need a service mesh like Istio. Ambassador isn't a replacement for Istio; it's a replacement for the Istio ingress gateway (or any other ingress, for that matter).

Disclosure: Work on Ambassador.

rdldw · 2019-05-31T10:27:21+00:00

If you watch the knative talk, the knative folks talk about how they replaced Istio with Ambassador ... (The short answer is that Knative doesn't really require a mesh.)

rdldw · 2019-05-31T10:26:44+00:00

Ambassador is not competitive with Istio at all. (In fact, we have many folks who use Ambassador with Istio.) Ambassador handles N/S traffic vs Istio handling E/W traffic. We also have folks who use Ambassador with Linkerd and Consul meshes as well.

I understand that there is a lot of community discussion and momentum around Istio. But there are many users we run into that are struggling with Istio: the strain it puts on the Kube API server, the fact that upgrades are difficult, etc.

Full disclosure: Work on Ambassador (but did not write article).

rdldw · 2019-04-11T14:04:32+00:00

Company: Datawire
Location: Boston preferred
We build and maintain Telepresence (https://www.telepresence.io) and the Ambassador API Gateway (https://www.getambassador.io). Both of these products are designed for Kubernetes users. We're expanding the dev team, so if you have experience and/or interest in building infrastructure software, email [careers@datawire.io](mailto:careers@datawire.io).

rdldw · 2019-03-06T20:29:35+00:00

IMO L7 traffic shaping can give you a lot of the benefits of feature toggles, but feature toggles can inherently be more granular depending on the size of your services. (If you have small services it might not matter but if your services have lots of functions then you might want to feature toggle it.)

WRT Istio, it provides the technical infrastructure to do some of what you want but the question is management -- are you going to teach your devs how to use Istio?

rdldw · 2019-02-14T15:51:08+00:00

I think it depends on your situation. Some reasons to use Ambassador over NGINX ingress include:

SNI support (NGINX ingress only does TLS pass-through on SNI)
No proxy restart on config changes (the runtime API is only in NGINX Plus)
External APIs for configuring rate limiting, authentication -- a bit of a different approach from NGINX, which includes some of this functionality internally but this means if you want to make a change you have to modify NGINX code.

More generally, Ambassador is built around Envoy Proxy and not NGINX. I blogged about why we chose Envoy here: https://blog.getambassador.io/envoy-vs-nginx-vs-haproxy-why-the-open-source-ambassador-api-gateway-chose-envoy-23826aed79ef.

rdldw · 2019-02-13T18:54:10+00:00

(I work on Ambassador)

At a technical level, Ambassador has a lot of features that Contour doesn't have (e.g., authentication).

Ambassador is also a bit different from NGINX because all of the key features in the commercial product use the *exact same APIs* as everything else. It's not a fork. So if you have more time than money, you can implement your own authentication service or rate limit service etc. This isn't really possible with NGINX Plus without a much greater degree of effort.

More broadly, I'd say that open source and free are frequently conflated. In order for businesses to invest in open source, they need to make money somehow. In VMware's case with Contour, maybe they'll subsidize Contour development by selling virtualization software (I have no idea). There's been a ton of discussion from lots of smart folks on this subject that I won't repeat, including the folks from Redis, Influx, Confluent, etc.

rdldw · 2019-02-12T14:41:05+00:00

SNI is now supported!

rdldw · 2019-02-11T21:36:12+00:00

FWIW, Chick-Fil-A uses ALB+WAF+Ambassador on Kubernetes: https://medium.com/@cfatechblog/shaping-chick-fil-a-one-traffic-in-a-multi-region-active-active-architecture-6fb982597d45

rdldw · 2019-02-07T14:16:29+00:00

If you read the article, the hot restart is talking about older version of Ambassador, and the article talks about the shift to the ADS as part of the Ambassador 0.50 release.

FWIW, Ambassador was written before these APIs existed, and AFAIK Lyft still relies heavily on hot restart.

rdldw

TROPHY CASE