William Morgan

A planned outage for... your service mesh https://twitter.com/vmwcloudstatus/status/1473009453364506627 …

My Google calendar this weekhttps://twitter.com/rabihalameddine/status/1471480362828238850 …

Congrats to the @scarf_oss team! We are very happy users at @BuoyantIO https://twitter.com/avi_press/status/1471215118121779203 …

Some choice quotes from @halcyondude in this article about @Linkerd at @EverQuoteInsure!https://twitter.com/Linkerd/status/1470873119325921280 …

I always find it a bit tacky when founders brag about sales... but I'll just say that right now at @BuoyantIO everything is beautiful and nothing hurts

https://twitter.com/mWSL5VsXYWpuUoF/status/1460094204231647239 …

And while I'm sympathetic to resource consumption, we should address that by shrinking proxies, not moving to a less secure model. IMO the future of cloud native traffic security *must* be built on the workload identity and pod-level enforcement, and not on anything less.

Plenty of service mesh articles that come through @thenewstack that I roll my eyes at and ignore. This one got my attention because I think eBPF is super cool and I have a ton of respect for the folks that are doing it. But I just don't think this is the right argument.

The future is also a) keeping network processing code as far away from the kernel as possible, in the safety of userspace; b) only doing network stuff in memory-safe languages; and c) minimizing sidecar resource cost through good ol' fashioned engineering.

Finally, the conclusion: "eBPF appears to be the natural path for the service mesh data plane." For @Linkerd, at least, this is not the case. The future of Linkerd's data plane is sidecars, workload identity via mTLS, authz from that identity, and keeping the PEP in the pod.

But network encryption can at best do host identity, or network identity, which has little meaning in a cloud native world. It's the difference between "I am @wm" vs "I am someone who lives in Austin" or "I am someone wearing a blue shirt". Who would you trust?

Why? Encryption is meaningless without authentication. And authentication is only meaningful to the extent that the identities themselves "mean" something. The workload identities provided by mTLS are meaningful—they tell you the service on the other end.

The article moves on to encryption: "if your only reason for using a service mesh is to provide encryption, you may want to consider network-level encryption". This is presented as an alternative to mTLS. But network layer encryption is *not* an alternative to mTLS.