networking

Archive of posts with category 'networking'

Scaling Istio

In a large, busy cluster, how do you scale Istio to address Istio-proxy Container being OOM-Killed and Istiod crashes if too many connected istio-proxies?

22 Oct 2023

Work Around Max Count of Security Group Rules on EKS

AWS EKS on VPC networks need AWS Security Group Rules (SG) to receipt ingress traffic. But what if you reach the max rules count in your SG?

26 Sep 2023

Layer-4 Load Balancer & Zero-downtime Autoscaling and Upgrade

Your Kubernetes cluster probably has a shared ingress for north-south traffic, coming from a cloud load balancer and lands on your favorite proxies like Envoy, or Istio gateways, or Nginx....

06 Aug 2023

Kubernetes Networking From the First Principles

We go from containers and network namespace to Pod-to-Pod, Pod-to-Service, and external-client-to-Service networking.

01 Mar 2022

The Good, Bad, and Ugly: Istio for Short-lived Pods

Kubernetes does not differentiate sidecars and application containers in a Pod. Hence, enabling Istio for short-running workloads imposes additional challenges to the conventional approach of injecting an Envoy sidecar to...

26 Apr 2020

DNS, UDP, IP Anycast, and All That

DNS prefers UDP. There are times when DNS must run on TCP (request or response size exceeds a single packet, perhaps due to too many response records), but UDP is...

05 Apr 2020

Lessons from Scaling GKE: L4 ILB Tops at 250 Nodes

My team at Cruise operates tens of Kubernetes clusters with 10,000s cores and 100s of TB of RAM. Since migration to GCP, we have hit several interesting scaling issues. One...

20 Mar 2020

A Brilliant Hack: Why does Layer 2/3 Checksum use 1’s Complement, Not 2’s

A super quick recap, one’s complement represents negative x by reverting every bit of x, while two’s complement negative x as one’s complement of x plus 1. Symbolically,

07 Apr 2019

JWT + Third-party Oauth in Single Page App

Imagine you run a single page app at example.com that communicates with backends over restful API and is authenticated with JWT tokens managed by you, but identities are managed by...

13 Feb 2019

A Primer on Secure Communication Channels

In the world of internet, sending messages in clear text is like swimming naked. We would love some secure communication channels free from eavesdropping or tampering. Security as such is...

10 Sep 2017

Sloppy Quorum And Eventual Consistency

Here is where we stand. Fisher-Lynch-Patterson has shown that consensus is not guaranteed in bounded time in a purely asynchronous network. The CAP theorem shows that from consistency, availability, and...

18 Nov 2016

Charles Xu

Archive of posts with category 'networking'

Scaling Istio

In a large, busy cluster, how do you scale Istio to address Istio-proxy Container being OOM-Killed and Istiod crashes if too many connected istio-proxies?

Work Around Max Count of Security Group Rules on EKS

AWS EKS on VPC networks need AWS Security Group Rules (SG) to receipt ingress traffic. But what if you reach the max rules count in your SG?

Layer-4 Load Balancer & Zero-downtime Autoscaling and Upgrade

Your Kubernetes cluster probably has a shared ingress for north-south traffic, coming from a cloud load balancer and lands on your favorite proxies like Envoy, or Istio gateways, or Nginx....

Kubernetes Networking From the First Principles

We go from containers and network namespace to Pod-to-Pod, Pod-to-Service, and external-client-to-Service networking.

The Good, Bad, and Ugly: Istio for Short-lived Pods

Kubernetes does not differentiate sidecars and application containers in a Pod. Hence, enabling Istio for short-running workloads imposes additional challenges to the conventional approach of injecting an Envoy sidecar to...

DNS, UDP, IP Anycast, and All That

DNS prefers UDP. There are times when DNS must run on TCP (request or response size exceeds a single packet, perhaps due to too many response records), but UDP is...

Lessons from Scaling GKE: L4 ILB Tops at 250 Nodes

My team at Cruise operates tens of Kubernetes clusters with 10,000s cores and 100s of TB of RAM. Since migration to GCP, we have hit several interesting scaling issues. One...

A Brilliant Hack: Why does Layer 2/3 Checksum use 1’s Complement, Not 2’s

A super quick recap, one’s complement represents negative x by reverting every bit of x, while two’s complement negative x as one’s complement of x plus 1. Symbolically,

JWT + Third-party Oauth in Single Page App

Imagine you run a single page app at example.com that communicates with backends over restful API and is authenticated with JWT tokens managed by you, but identities are managed by...

A Primer on Secure Communication Channels

In the world of internet, sending messages in clear text is like swimming naked. We would love some secure communication channels free from eavesdropping or tampering. Security as such is...

Sloppy Quorum And Eventual Consistency

Here is where we stand. Fisher-Lynch-Patterson has shown that consensus is not guaranteed in bounded time in a purely asynchronous network. The CAP theorem shows that from consistency, availability, and...

Explore →