OpenTelemetry Changed How I Think About Observability
A practical, opinionated take on OpenTelemetry - why it matters, what it actually solves, and how to instrument across Kubernetes, Lambda, ECS, and EC2 without losing your mind.
$ ls /blog/
DevOps, backend engineering, and cloud-native deep dives
Filter by tag:
13 min read
AWS Control Tower Account Factory - The Gotchas Nobody Tells You
Real-world lessons from automating AWS account provisioning with Control Tower, Service Catalog, and Terraform. The silent failures, IAM traps, and StackSet timing issues that cost us days.
#aws#control-tower#terraform#service-catalog#iam#platform-engineering#multi-account
21 min read
Building an Automated Multi-Account AWS Architecture with Control Tower and Terraform
A hands-on walkthrough of enabling AWS Control Tower, designing an OU structure, automating account provisioning via Service Catalog, and deploying security baselines - from zero to fully automated account vending in production.
#aws#control-tower#terraform#multi-account#organizations#service-catalog#sso#iam-identity-center#scps#platform-engineering#spacelift#security#devops
37 min read
Spacelift from Scratch: Automating Terraform at Scale with Spaces, Stacks, OPA Policies, and a Private Module Registry
A complete guide to setting up Spacelift for multi-team Terraform automation - from zero to production with spaces, dynamic stacks, OPA security policies in Rego, private module registry, and GitOps-driven infrastructure.
#spacelift#terraform#opa#rego#iac#gitops#platform-engineering#devops#modules#policy-as-code
9 min read
Migrating ClickHouse From EC2 to ClickHouse Cloud - Every Approach We Tried and Why Most Failed
S3 backup/restore, direct connectivity, Parquet exports - none of them worked cleanly. Here's the full war story of migrating a production ClickHouse instance to Cloud, the version mismatch that broke everything, and the dumb-simple approach that actually got the job done.
#clickhouse#aws#migration#database#devops#production
11 min read
Identity Aware Proxy: Zero Trust Access for Internal Applications
Deep dive into Identity Aware Proxies - what they are, how they work, and how to implement them with GCP IAP, Pomerium, and OAuth2-Proxy. Includes Terraform and Kubernetes examples.
#identity-aware-proxy#zero-trust#security#kubernetes#terraform#oauth2
11 min read
10 Rules for Negotiating Your Job Offer (From 7 Years of Engineering)
Most engineers massively undervalue themselves because no one taught them how to negotiate. Here's everything I've learned from negotiating salaries, contracts, titles, and more.
#career#negotiation#salary#engineering-culture#advice
15 min read
ELK Stack Migration: From 6.x to 8.x - The Complete Guide
A comprehensive guide to migrating your Elasticsearch, Logstash, and Kibana stack from version 6.x to 8.x. Covers breaking changes, migration strategies, index compatibility, and zero-downtime approaches.
#elasticsearch#elk#kibana#logstash#migration#observability
6 min read
Platform Engineering in 2026 - It's About the Discipline, Not the Tools
Platform engineering has become the most misunderstood role in tech. Everyone's building 'platforms' but few understand what actually makes one successful. Here's what I've learned building platforms for teams of 10 to 500.
#platform-engineering#devops#developer-experience#internal-platforms#idp
15 min read
Implementing Vertical Autoscaling for Aurora Databases Using Lambda Functions
AWS doesn't offer vertical autoscaling for Aurora – so we built it. CloudWatch Alarms, SNS, Lambda coordination, and the gotchas we hit in production.
#aurora#rds#aws#lambda#autoscaling#terraform#serverless
12 min read
Terraform State Surgery - Splitting, Moving, and Refactoring Without Downtime
A practical guide to breaking up monolithic Terraform state files, moving resources between states, and refactoring infrastructure safely. Includes real examples, scripts, and the exact commands we use.
#terraform#state#migration#refactoring#iac#devops
13 min read
Terraform 0.11 to 1.11 Migration - The Full Journey
A detailed guide on migrating Terraform from 0.11 to 1.11, covering HCL2 syntax changes, the S3 bucket resource split, state manipulation, and ensuring zero-drift upgrades.
#terraform#iac#migration#aws#s3#state-management#hcl2
14 min read
Running Clawdbot 24/7 on a Hetzner VPS – Terraform, Security Hardening, and the Bits the Docs Miss
A production-grade setup for Clawdbot on Hetzner Cloud with Terraform provisioning, proper SSH hardening, fail2ban, UFW, unattended-upgrades, and optional Tailscale – the stuff you actually need in prod.
#clawdbot#hetzner#terraform#vps#security#devops#automation
12 min read
Elastic Cloud Setup Guide - From Zero to Production
A comprehensive guide to setting up Elastic Cloud (Elasticsearch Service), including deployment configuration, security setup, index lifecycle management, integrations, and cost optimization.
#elasticsearch#elastic-cloud#observability#logging#saas#managed-services
11 min read
Clawdbot Manual Setup – Step-by-Step VPS Configuration with WhatsApp Integration
A detailed walkthrough for setting up Clawdbot on a Hetzner VPS from scratch – SSH hardening, firewall configuration, Tailscale, and WhatsApp Business integration using a dedicated number.
#clawdbot#hetzner#vps#whatsapp#devops#security#tutorial
14 min read
Self-Hosted GitLab on Kubernetes - A Startup's Journey
A detailed guide on deploying GitLab on AKS using Helm charts, with Azure SQL as the database backend. Covers architecture decisions, configuration, lessons learned, and the gotchas we hit in production.
#gitlab#kubernetes#aks#azure#helm#devops#self-hosted#startup
11 min read
Cloud Unit Economics for Multi-Tenant SaaS - Cost Per Customer, Not Per Service
How to calculate true cost-per-tenant in a shared infrastructure environment. Covers EKS with Karpenter, shared databases (Aurora, DynamoDB), and tools like OpenCost, CloudZero, and custom attribution approaches.
#finops#cloud-costs#kubernetes#eks#multi-tenant#saas#unit-economics#aws
7 min read
DORA Metrics Implementation - Measuring What Matters
DORA metrics are the industry standard for measuring DevOps performance. Here's how to implement them properly, avoid common pitfalls, and actually use them to improve your team's delivery.
#dora#devops#metrics#engineering-culture#cicd#platform-engineering
28 min read
7 Years of Infrastructure Decisions: What I'd Do Again and What I Regret
Every infrastructure decision I'd make again – and the ones I wouldn't – after running production workloads across fintech, open-source, IoT, and beyond.
#kubernetes#aws#infrastructure#devops#platform-engineering#lambda#ecs#terraform#networking
10 min read
MLOps for DevOps Engineers - What You Actually Need to Know
MLOps is becoming a critical skill for DevOps engineers. Here's what matters: the infrastructure patterns, tooling, and operational practices that make ML systems work in production - from someone who learned the hard way.
#mlops#devops#kubernetes#machine-learning#platform-engineering#infrastructure
10 min read
Debugging JVM Thread Exhaustion on EC2: A Contractor War Story
How I diagnosed and fixed a Java application that kept crashing under load – from 'cannot create native thread' errors to properly tuned JVM settings, system limits, and right-sized EC2 instances.
#java#jvm#ec2#debugging#performance#memory#threads#linux#devops
7 min read
That Time I Gave Away £50k Worth of Consulting for Free (And What It Taught Me About the Industry)
On interview take-home tests that are suspiciously specific, contractors who get ghosted after detailed proposals, and learning to play the game without becoming bitter about it.
#career#consulting#interviews#contracting#tech-industry#lessons-learned
4 min read
Dragonfly vs Redis: Modern In-Memory Store Comparison
Compare Dragonfly and Redis for caching and data storage. Dragonfly's multi-threaded architecture vs Redis single-threaded model.
#dragonfly#redis#caching#database#kubernetes#performance
3 min read
Vitess for MySQL: Horizontal Sharding Done Right
Scale MySQL horizontally with Vitess. Automatic sharding, online schema changes, and Kubernetes-native deployment for massive scale.
#vitess#mysql#database#sharding#kubernetes#scaling
4 min read
NATS JetStream: Lightweight Alternative to Kafka
Deploy NATS JetStream for messaging and streaming. Simpler than Kafka, faster than RabbitMQ, with persistence and exactly-once delivery.
#nats#jetstream#messaging#streaming#kubernetes#microservices
4 min read
VPA + HPA Together: The Right Way to Autoscale Both
Use Vertical Pod Autoscaler and Horizontal Pod Autoscaler together without conflicts. Includes KEDA integration and best practices.
#kubernetes#autoscaling#vpa#hpa#keda#performance
8 min read
Pod Topology Spread Constraints - Distributing Workloads Intelligently
Control how pods spread across nodes, zones, and regions. A deep dive into topology spread constraints for high availability and efficient resource utilization.
#kubernetes#scheduling#high-availability#pods#devops
4 min read
FinOps Automation: Kubecost, OpenCost, and Automated Rightsizing
Implement automated cloud cost optimization with Kubecost and OpenCost. Track costs per team, rightsize resources, and automate savings.
#finops#kubecost#opencost#kubernetes#cost-optimization#observability
16 min read
Migrating a Java Application from EC2 to ECS Fargate: A Step-by-Step Guide
The complete journey of containerising a Java JAR running on EC2 and deploying it to ECS Fargate – from local testing to Dockerfile, task definitions, networking, secrets management, and achieving production parity.
#java#ecs#fargate#docker#aws#containers#migration#terraform#devops
4 min read
Spot Instance Patterns: Graceful Handling and Cost Savings
Master AWS Spot Instances in production. Handle interruptions gracefully, use mixed instance groups, and save 60-90% on compute costs.
#aws#spot-instances#kubernetes#cost-optimization#eks#reliability
7 min read
The Real Difference Between Senior, Staff, and Principal Engineer
Everyone wants to know the difference between Senior, Staff, and Principal. After holding all three titles, I can tell you the real differences aren't what most people think. It's not about years - it's about scope.
#career#engineering-culture#leadership#principal-engineer#advice
4 min read
Karpenter Deep Dive: Node Provisioning That Actually Works
Master Karpenter for Kubernetes node autoscaling. Replace Cluster Autoscaler with faster, smarter provisioning. Includes cost optimization patterns.
#karpenter#kubernetes#autoscaling#aws#eks#cost-optimization
6 min read
The Principal Engineer Trap
The IC ladder looks appealing until you're at the top. Many senior engineers chase Principal titles without understanding what they're signing up for. Here's what nobody tells you.
#career#engineering-culture#leadership#principal-engineer
9 min read
The Fast Feedback Loop - Local Development with Kind, LocalStack, and Act
Combine Kind, LocalStack, and Act for a complete local development environment. Test Kubernetes, AWS services, and CI pipelines without leaving your laptop.
#devops#kind#localstack#act#kubernetes#aws#development
4 min read
Progressive Delivery with Flagger: Automated Canary Deployments
Implement automated canary deployments with Flagger. Metrics-based promotion, automated rollback, and integration with Istio, Linkerd, and Gateway API.
#flagger#canary#progressive-delivery#kubernetes#gitops#deployment
9 min read
Startup vs Scale-Up vs Enterprise: Where You'll Actually Learn the Most
After working across all three - tiny startups, hypergrowth scale-ups, and massive enterprises - I can tell you they're completely different jobs. Same title, same tech, completely different experience. Here's what each teaches you.
#career#startups#engineering-culture#advice#leadership
5 min read
SLO-Based Alerting: Burn Rate Alerts vs Threshold Alerts
Implement SLO-based alerting with burn rate alerts. Move from noisy threshold alerts to meaningful reliability signals using error budgets.
#slo#sre#alerting#prometheus#observability#reliability
5 min read
OpenTelemetry Collector Pipelines: Transform, Filter, Route Telemetry
Master OpenTelemetry Collector configuration. Build pipelines to transform metrics, filter traces, route logs, and reduce telemetry costs.
#opentelemetry#observability#metrics#traces#logs#collector
6 min read
Blameless Culture is Harder Than You Think
Everyone claims to have a blameless culture. Few actually do. Here's what real blamelessness looks like and why it's so difficult to achieve.
#engineering-culture#post-mortems#incident-management#leadership#psychological-safety
5 min read
Chaos Engineering with Litmus: Controlled Failure Injection
Implement chaos engineering in Kubernetes with LitmusChaos. Run pod failures, network chaos, and stress tests to validate system resilience.
#chaos-engineering#litmus#kubernetes#reliability#sre#testing
8 min read
LocalStack Deep Dive - AWS on Your Laptop
Run AWS services locally for faster development and testing. A practical guide to LocalStack covering S3, Lambda, DynamoDB, SQS, and integration testing patterns.
#localstack#aws#testing#development#devops#docker
6 min read
GitHub Actions OIDC – Ditch the AWS Access Keys Forever
How to authenticate GitHub Actions to AWS without storing secrets. OIDC federation explained, IAM role setup, and the token claims that control access.
#github-actions#oidc#aws#iam#security#cicd#devops
8 min read
Contract vs Perm: 4 Years of Both and What I'd Choose Now
I've done both. Multiple times. Here's the real trade-offs nobody talks about - the money, the time off problem, the boredom factor, and why your life situation matters more than you think.
#career#contracting#salary#advice#engineering-culture
6 min read
Port and Kratix: Internal Developer Platforms Beyond Backstage
Explore Port and Kratix for building internal developer platforms. Self-service infrastructure, developer workflows, and platform engineering patterns.
#platform-engineering#port#kratix#developer-experience#self-service
12 min read
AWS Account Provisioning at Scale with Control Tower, Service Catalog, and Terraform
How to build an automated account vending machine using AWS Control Tower Account Factory, Service Catalog, CloudFormation StackSets, and Terraform – from request to fully provisioned account with SSO and IAM roles.
#aws#control-tower#account-factory#terraform#service-catalog#organizations#sso#platform-engineering#devops
6 min read
Backstage Plugins: Building Custom Developer Portal Features
Build custom Backstage plugins for your internal developer portal. Create frontend components, backend APIs, and integrate with your existing tools.
#backstage#developer-portal#platform-engineering#react#typescript
5 min read
Kyverno vs OPA: Policy Engines Compared
Detailed comparison of Kyverno and OPA Gatekeeper for Kubernetes policy enforcement. Includes real examples, performance considerations, and migration guidance.
#kyverno#opa#gatekeeper#kubernetes#policy#security
7 min read
Test GitHub Actions Locally with Act
Stop pushing to test your workflows. Act lets you run GitHub Actions locally with instant feedback. Here's how to set it up and use it effectively.
#github-actions#ci-cd#act#devops#testing#automation
6 min read
Crossplane Compositions: Build Your Own Cloud API
Create custom cloud APIs with Crossplane Compositions. Abstract away complexity and give developers self-service infrastructure with guardrails.
#crossplane#kubernetes#platform-engineering#infrastructure#gitops
7 min read
AWS PrivateLink Deep Dive: Private Connectivity Patterns
Master AWS PrivateLink for private API access, cross-account connectivity, and SaaS integrations. Includes Terraform examples and multi-region patterns.
#aws#privatelink#networking#vpc#terraform#security
7 min read
Gateway API Advanced Patterns: Beyond Basic Ingress
Master Gateway API with traffic splitting, header-based routing, cross-namespace references, and TLS passthrough. The future of Kubernetes ingress.
#gateway-api#kubernetes#ingress#networking#traffic-management
10 min read
Cloud Tagging Strategies That Actually Work
Tagging is the foundation of cloud governance, cost allocation, and automation. Here's how to implement tagging consistently across your infrastructure using context modules, policies, and automation.
#aws#terraform#tagging#finops#governance#devops
6 min read
Tailscale in Production: WireGuard Mesh for Hybrid Cloud
Deploy Tailscale for secure connectivity across clouds, offices, and Kubernetes clusters. Zero-config VPN mesh with SSO integration and ACLs.
#tailscale#wireguard#vpn#networking#hybrid-cloud#zero-trust
6 min read
Cilium Service Mesh: Sidecar-Free with eBPF
Deploy a service mesh without sidecars using Cilium. Get mTLS, traffic management, and observability powered by eBPF at the kernel level.
#cilium#service-mesh#ebpf#kubernetes#mtls#networking
6 min read
Secretless Broker: Zero-Secret Applications
Remove secrets from your applications entirely with Secretless Broker. Inject database credentials, API keys, and certificates via sidecar without your app knowing they exist.
#secretless#security#kubernetes#zero-trust#secrets-management#sidecar
12 min read
Migrating 30 Repos from Jenkins to GitHub Actions – The Complete Runbook
A battle-tested playbook for migrating CI/CD pipelines from Jenkins to GitHub Actions at scale. Covers OIDC authentication, parallel running, secrets migration, and the gotchas that will bite you.
#github-actions#jenkins#cicd#devops#migration#aws#oidc
9 min read
Container Image Signing with Cosign - A Practical Guide
Sign and verify container images without managing keys. A hands-on guide to Cosign, keyless signing, and enforcing signatures in Kubernetes.
#security#cosign#containers#sigstore#kubernetes#devops
7 min read
OPA Gatekeeper: Policy as Code for Kubernetes
Implement admission control policies with OPA Gatekeeper. Enforce security standards, naming conventions, resource limits, and compliance requirements at the cluster level.
#opa#gatekeeper#kubernetes#policy-as-code#security#admission-control
6 min read
Database on Kubernetes - When It Makes Sense
Running databases on Kubernetes is controversial. Sometimes it's the right call, sometimes it's a disaster waiting to happen. Here's how to decide, and how to do it properly if you choose to proceed.
#kubernetes#databases#postgresql#stateful#operators#storage
9 min read
eBPF for Security: Kernel-Level Observability Without Agents
Deep dive into eBPF-based security tools - Cilium, Falco, and Tetragon. Learn how to implement runtime security, network policies, and threat detection at the kernel level.
#ebpf#security#cilium#falco#tetragon#kubernetes
9 min read
SPIFFE and SPIRE: Zero Trust Workload Identity
Deep dive into SPIFFE and SPIRE for workload identity. Replace shared secrets with cryptographic identity for service-to-service authentication. Includes Kubernetes deployment and mTLS examples.
#spiffe#spire#zero-trust#security#kubernetes#mtls
20 min read
Backstage on AWS ECS - Production-Ready Deployment with RDS and Cognito
A comprehensive guide to deploying Spotify's Backstage developer portal on AWS ECS Fargate with PostgreSQL RDS, Cognito authentication, and proper production hardening.
#backstage#aws#ecs#rds#cognito#terraform#docker#devops#platform-engineering
12 min read
Terraform Best Practices (Part 2) - Testing, CI/CD, Security, and Team Workflows
Advanced Terraform practices covering testing strategies, CI/CD pipelines, security hardening, drift detection, and team collaboration patterns for infrastructure as code at scale.
#terraform#iac#devops#cicd#testing#security
9 min read
Database Backup to S3 with Kubernetes CronJobs
Build a production-ready database backup system using Kubernetes CronJobs, PostgreSQL, and S3. Includes a complete local testing environment with KIND and LocalStack.
#kubernetes#postgresql#s3#backup#cronjob#localstack#devops#databases
9 min read
Build an ETL Pipeline with Python, PostgreSQL, and Airflow
A practical guide to building an ETL pipeline that extracts weather data from OpenWeatherMap, transforms it with pandas, and loads it into PostgreSQL. Includes Airflow orchestration with email notifications.
#etl#python#airflow#postgresql#docker#data-engineering#devops
13 min read
Terraform Best Practices (Part 1) - Project Structure, State, and Modules
A comprehensive guide to Terraform best practices covering project organisation, state management, module design, and foundational patterns for scalable infrastructure as code.
#terraform#iac#devops#aws#best-practices
7 min read
Build a SOC Homelab with Docker - Elasticsearch, Cribl, and Log Simulation
Set up a Security Operations Center lab environment using Docker. Includes Elasticsearch, Kibana, Cribl Stream for log routing, and simulated log generators for hands-on security analysis practice.
#security#soc#elasticsearch#cribl#docker#homelab#devops#siem
7 min read
Remote Work Won
The RTO push isn't about productivity. The data is clear: remote work works. What's really happening is a fight over control, real estate, and management inability to adapt.
#remote-work#engineering-culture#productivity#management#career
13 min read
Migrating Event Store Data from SQL Server and Oracle to DynamoDB with AWS DMS
How we used AWS DMS with database views, partitioned replication tasks, and Terraform to migrate event sourcing data from on-prem SQL Server and Oracle to DynamoDB – the architecture, the gotchas, and production Terraform you can reuse.
#dynamodb#sql-server#oracle#migration#aws#dms#terraform#event-sourcing#platform-engineering#devops
7 min read
K3s Homelab Setup Guide - Running Kubernetes on Raspberry Pi 5
Build a lightweight Kubernetes cluster on three Raspberry Pi 5 devices. Step-by-step guide covering K3s installation, cluster configuration, and deployment testing.
#kubernetes#k3s#raspberry-pi#homelab#devops#containers
5 min read
NetworkPolicy Default Deny – The One Rule We Add to Every Namespace
Why your Kubernetes cluster is wide open by default, and the single NetworkPolicy that changes everything. Copy, paste, deploy, sleep better.
#kubernetes#security#networkpolicy#networking#zero-trust
9 min read
Software Supply Chain Security - Sigstore, SLSA, and Beyond
Your dependencies are an attack vector. Here's how to secure your software supply chain with Sigstore, SLSA frameworks, SBOMs, and admission policies that actually work.
#security#supply-chain#sigstore#slsa#sbom#kubernetes#devops
10 min read
Serverless Container Framework - Deploy Containers to Lambda and Fargate with Ease
Deploy containerised applications to AWS Lambda or Fargate with a simple YAML config. No infrastructure code required - just define your containers and deploy.
#serverless#containers#aws#lambda#fargate#docker#devops
7 min read
SRE for Small Teams
You don't need Google's budget to practice SRE. Here's how to implement Site Reliability Engineering principles with a small team and limited resources.
#sre#devops#reliability#on-call#monitoring#incident-management
9 min read
FinOps for Engineering Teams - Making Cost Everyone's Problem
Cloud cost management isn't just for finance. Here's how engineering teams can build cost awareness into their workflow without slowing down delivery.
#finops#cloud#aws#cost-optimization#devops#engineering
9 min read
Pod Security Standards Enforcement - The PSP Replacement That Actually Works
How to enforce Pod Security Standards using the built-in Pod Security Admission controller. Covers Privileged, Baseline, and Restricted profiles, migration from PSPs, namespace labeling, and exemptions.
#kubernetes#security#pod-security#psp#admission-controller#hardening
8 min read
Ephemeral Containers for Production Debugging
Debug distroless and minimal containers in production without redeploying. Ephemeral containers let you attach debugging tools to running pods - here's how to use them effectively.
#kubernetes#debugging#containers#production#kubectl#devops
7 min read
Why I replaced AWS NAT Gateway with a NAT Instance - and saved 20$ of dollar per month
AWS offers NAT Gateways as the default, fully managed solution for letting private subnet resources reach the internet. However, NAT Gateways can be pricey: Hourly cost: ~₹3.75/hour (varies by region) Data transfer cost: Additional ₹3.75/GB on top of standard data transfer For small dev/test environments or personal labs, these costs can add up quickly. In contrast, a NAT Instance is just a normal EC2 instance configured to perform IP forwarding and NAT. It’s typically much cheaper to run a small instance (`t3.micro`) than a NAT Gateway, especially if your traffic volume is modest.
#aws#nat#gateway#instance#cost#savings
10 min read
External Secrets Operator with AWS Secrets Manager - Stop Mounting Secrets in ConfigMaps
How to use External Secrets Operator to sync AWS Secrets Manager secrets to Kubernetes. Covers SecretStore, ExternalSecret, IAM with IRSA, templating, and production patterns.
#kubernetes#external-secrets#aws#secrets-manager#security#gitops
6 min read
Why Senior Engineers Should Write Docs
Documentation is often treated as junior work. That's backwards. The most impactful documentation comes from senior engineers, and writing it is a force multiplier for your expertise.
#documentation#engineering-culture#leadership#career#technical-writing
5 min read
The Kubernetes ndots:5 Problem – Why DNS Lookups Take 15 Seconds
A deep dive into why external DNS resolution in Kubernetes can be painfully slow, how the default ndots:5 setting causes unnecessary lookups, and practical fixes that actually work.
#kubernetes#dns#networking#coredns#performance#debugging
9 min read
NAT Gateway Alternatives - Cutting Your AWS Bill Without Losing Sleep
NAT Gateways are the silent budget killer in AWS. Here's how to reduce costs with NAT instances, VPC endpoints, IPv6, and architectural changes - with real numbers and trade-offs.
#aws#nat#networking#cost-optimization#vpc#finops
5 min read
Kubernetes Sidecar Startup Order - Making Your Main App Wait
How to ensure sidecar containers are ready before your main app starts. Covers startupProbe, postStart hooks, and why readinessProbe doesn't do what you think.
#kubernetes#sidecars#pods#containers#devops
7 min read
The 10x Engineer is a Myth
The idea of the 10x engineer has done more harm than good. What actually matters is team multipliers - engineers who make everyone around them better.
#engineering-culture#teams#leadership#career#productivity
3 min read
EKS IP Exhaustion: Running out of IPs, one way to fix it
Running out of IP addresses in AWS EKS can be a subtle yet critical issue. It often manifests as pods stuck in a pending state or nodes failing to join the cluster, leading to deployment bottlenecks and potential downtime. Understanding the root cause and implementing effective solutions is essential for maintaining cluster health and scalability. Now, there are many ways to fix this, but this is one way.
#aws#eks#networking#cni#ip-exhaustion#prefix-delegation
12 min read
AWS VPC Endpoints - Keep Your Traffic Off the Internet
How to use VPC Endpoints to access AWS services without internet gateways or NAT. Covers Gateway vs Interface endpoints, PrivateLink, endpoint policies, cost optimization, and production Terraform patterns.
#aws#vpc#privatelink#networking#security#endpoints#terraform
6 min read
Incident Management That Actually Works
Most incident processes are theatre. Here's how to build incident management that reduces downtime, prevents recurrence, and doesn't burn out your team.
#incident-management#sre#on-call#post-mortems#devops
5 min read
Kubernetes Cluster Upgrades: Production-Ready Guide
Technical guide for upgrading managed Kubernetes clusters across GKE, EKS, and AKS
#kubernetes#gke#eks#aks#cluster-management#devops
13 min read
Common DevOps Interview Questions Candidates Fail
The questions that separate senior engineers from those who memorised tutorials. Real interview failures, what interviewers are actually looking for, and how to answer with depth.
#devops#interviews#career#kubernetes#aws#terraform#sre
12 min read
AWS Service Control Policies (SCPs) - Guardrails for Your Organization
How to use SCPs to set permission guardrails across your AWS Organization. Covers SCP evaluation logic, deny vs allow strategies, common patterns, and production-ready Terraform examples.
#aws#organizations#scps#security#iam#governance#terraform
13 min read
AWS Config Rules with Auto Remediation - Enforce Compliance Automatically
How to use AWS Config Rules to detect compliance violations and automatically remediate them using SSM Automation documents. Covers managed rules, custom rules, remediation actions, and complete Terraform examples.
#aws#aws-config#compliance#security#automation#ssm#terraform
14 min read
GKE Upgrade Guide and Rollback Strategy: A Production-Ready Approach
Comprehensive guide for safely upgrading GKE clusters with minimal downtime and robust rollback procedures
#kubernetes#gke#google-cloud#devops#cluster-management
5 min read
The Meeting That Should Have Been a Doc
Most meetings are information broadcasts disguised as collaboration. Learn when to meet, when to write, and how to save everyone's time.
#meetings#productivity#engineering-culture#remote-work#documentation
7 min read
OpenTelemetry from Scratch
OpenTelemetry unifies traces, metrics, and logs under one standard. This guide covers how to instrument your applications, set up collectors, and actually make sense of the data.
#opentelemetry#observability#tracing#metrics#logging#kubernetes
9 min read
ECS Task Sets: Blue/Green Deployments Without CodeDeploy
How to use ECS external deployment controllers and task sets for manual blue/green deployments – the setup, the CLI commands, the Terraform, and an honest assessment of when it's worth the complexity.
#ecs#aws#blue-green#deployments#task-sets#fargate#terraform#devops
11 min read
Kubernetes Gateway API vs Ingress - When to Migrate and How
Gateway API is the successor to Ingress, bringing role-oriented design, native traffic splitting, and cross-namespace routing. This post compares both APIs, when to migrate, and practical migration patterns.
#kubernetes#gateway-api#ingress#networking#traffic-management#k8s
6 min read
Securing Your Clawdbot & Setting Up Powerful Integrations
A comprehensive guide to hardening your Clawdbot installation and integrating with Google Workspace, GitHub, and Notion – turning your AI assistant into a productivity powerhouse.
#clawdbot#security#google-workspace#github#notion#integrations#oauth#tutorial
14 min read
RDS Proxy for Lambda - Solving the Connection Exhaustion Problem
How to use Amazon RDS Proxy to handle database connections from Lambda functions at scale. Covers connection pooling, IAM authentication, Terraform setup, and the gotchas you'll hit in production.
#aws#lambda#rds#rds-proxy#serverless#databases#terraform#connection-pooling
12 min read
Lessons From 5 Years of Kubernetes in Production – Cluster Crashes, Ditching Self-Managed, Cost Cuts, and the Tooling That Actually Works
Two major cluster crashes, migrating from kops to EKS, slashing compute costs with Karpenter, and the observability stack we rebuilt three times.
#kubernetes#eks#aws#production#devops#karpenter#observability
8 min read
eBPF Deep Dive - Beyond Cilium
eBPF is transforming how we observe, secure, and network Linux systems. This guide covers the fundamentals, practical use cases beyond Cilium, and how to start writing your own eBPF programs.
#ebpf#linux#networking#security#observability#kernel
8 min read
Working with Databases in Kubernetes: Connections, Dumps and Data Extraction
A practical guide to connecting to PostgreSQL databases in Kubernetes – exec into pods, VPN access, SOCKS5 proxies, pg_dump, kubectl cp and getting data out when you need it.
#kubernetes#postgresql#database#kubectl#devops#socks5#pg_dump
9 min read
Production War Stories: The NGINX Log Rotation That Caused a P1
How a 'safe' AMI upgrade led to traffic drops, zombie log files, and disk exhaustion – and the debugging journey that followed. A real incident from on-call, with technical details and lessons learned.
#nginx#incident#log-rotation#linux#on-call#devops#production#war-stories
5 min read
Stop Chasing Certifications
Certifications have become a checkbox exercise. They don't prove competence, and they often distract from what actually matters: building things and solving real problems.
#career#certifications#learning#engineering-culture
9 min read
Right-Sizing Kubernetes Workloads - Stop Burning Money
Most Kubernetes clusters waste 50-70% of their resources. Here's how to measure what you're actually using, fix the worst offenders, and automate the process - without breaking production.
#kubernetes#cost-optimization#resource-management#devops#cloud#finops
10 min read
Service Mesh Comparison - Istio vs Linkerd vs Cilium
Service meshes promise observability, security, and traffic management. But which one should you choose? A practical comparison based on running all three in production.
#kubernetes#service-mesh#istio#linkerd#cilium#networking#devops
18 min read
Building Production AMIs with Packer: CI Pipelines, Terraform Integration, and Security Best Practices
Complete guide to building immutable AMIs with Packer in production - CI/CD pipelines, Terraform ASG integration, rollback strategies, maintenance workflows, and security hardening.
#packer#ami#aws#terraform#ci-cd#devops#immutable-infrastructure#security
12 min read
AWS Managed Prefix Lists with Terraform - Stop Hardcoding CIDRs
How to use AWS Managed Prefix Lists to eliminate hardcoded CIDR blocks in security groups and route tables. Covers AWS-managed prefixes, customer-managed lists for data centres, and production Terraform patterns.
#aws#terraform#security#networking#prefix-lists#security-groups#vpc
8 min read
Building an Internal Developer Platform
A practical guide to building an IDP that developers actually want to use. Covers the build vs buy decision, Backstage implementation, and the organisational changes required for success.
#platform-engineering#idp#backstage#developer-experience#devops
8 min read
GitOps with ArgoCD - A Practical Setup Guide
A hands-on guide to implementing GitOps with ArgoCD. Covers installation, application management, sync strategies, secrets handling, and the patterns that actually work in production.
#gitops#argocd#kubernetes#cicd#deployment#automation
9 min read
DNS UDP Truncation: Why Your ECS Tasks Aren't Getting Traffic
How DNS UDP's 512-byte limit caps responses at ~8 A records, breaking service discovery for scaled ECS/CloudMap workloads – and the sidecar solution to bypass it.
#dns#udp#ecs#cloudmap#traefik#service-discovery#aws#networking#devops
7 min read
Standups Are Broken
Daily standups were meant to improve communication. Instead, they've become status meetings that waste time and interrupt deep work. There's a better way.
#engineering-culture#productivity#agile#remote-work#team-management
14 min read
How we migrated our CDN to AWS CloudFront at Trainline
How we migrated our CDN to AWS CloudFront at Trainline
#cdn#aws#cloudfront#trainline
2 min read
Private API Gateway - Part 2: Secure Cross-VPC Access with PrivateLink and IAM Authentication
Extend your private API Gateway with secure access from other VPCs using PrivateLink and enforce IAM-based authentication.
#aws#api-gateway#vpc#privatelink#security#iam
7 min read
Your Startup Doesn't Need Kubernetes
Kubernetes is an incredible technology that solves real problems. But for most startups, it's the wrong tool. Here's how to know when you're ready - and what to use instead.
#kubernetes#startups#architecture#infrastructure#devops#hot-takes
4 min read
Container Networking Deep Dive Part 1: Single Network Namespace on a VM
In the first part of our Container Networking Deep Dive, we explore how to set up a single network namespace inside a VM and connect it to the host using a veth pair.
#linux#networking#namespaces#containers#devops
5 min read
Container Networking Deep Dive Part 2: Two Namespaces on the Same Host
In the second part of our Container Networking Deep Dive, we connect two network namespaces via a bridge on the same Linux host.
#linux#networking#netns#containers#bridge
3 min read
Deploying Kafka on Kubernetes with Strimzi
A step-by-step guide to setting up a Kafka cluster on a local Kind cluster using the Strimzi operator, with optional Terraform provisioning.
#k8s#kafka#strimzi#operator#kind#terraform
4 min read
Deep Dive into EC2 Networking
Deep Dive into EC2 Networking: ENIs, IP Addressing and Deployment Architectures
#ec2#networking#eni#ip#deployment#architecture
3 min read
EKS Private Network with Twingate
How to setup a private network for your EKS cluster with Twingate
#kubernetes#eks#twingate#private#network
17 min read
Managing Dynatrace Alerts at Scale with Custom Ansible Roles
How we automated Dynatrace alerting configuration using custom Ansible roles - covering alert profiles, problem notifications, metric events, and maintenance windows across multiple environments.
#dynatrace#ansible#monitoring#alerting#automation#observability#iac
4 min read
Using GKE DNS-based endpoints for Secure cluster access
Using GKE DNS-based endpoints for Secure cluster access
#k8s#gke#dns#private#cluster#access
4 min read
Secure Gateways: Configuring Mutual TLS using Gateway API on GKE
In this blog, we configure mutual TLS (mTLS) using Gateway API on GKE, securing ingress traffic with client certificate validation.
#kubernetes#gateway-api#mtls#gke#security
4 min read
Route 53 Deep Dive: Multi-Region Latency Routing with Health-Based Failover
A hands-on guide to configuring AWS Route 53 for latency-based routing across multiple regions, incorporating health checks for automatic failover.
#aws#route53#dns#terraform#failover#latency-routing
3 min read
SPIFFE and SPIRE in Kubernetes
Secure Your Kubernetes with SPIFFE + SPIRE: Zero-Trust Identity for Workloads
#kubernetes#spiffe#spire
4 min read
EKS without VPC CNI: Deploying Calico with IPIP and BGP
AWS EKS defaults to the VPC CNI plugin, assigning VPC IPs to pods via ENIs. While straightforward, this setup limits pod density per node and consumes VPC IPs rapidly. To overcome these constraints, deploying Calico with IPIP or BGP offers a scalable alternative.
#aws#eks#calico#cni#networking#bgp#ipip
4 min read
Kubernetes DNS Spoofing: Exploiting NET_RAW and ARP
DNS spoofing in Kubernetes remains a critical threat, enabling attackers to redirect traffic, intercept data, or disrupt services. This article explores how such attacks occur and outlines strategies to prevent them.
#kubernetes#dns#security#coredns#arp#net_raw#mitm
4 min read
Private AKS Cluster with Twingate: Secure API Access Without a Public Endpoint
Running Kubernetes clusters privately is a growing best practice. In this blog, I'll walk you through deploying a private AKS cluster on Azure with no public API endpoint, and enabling secure access via Twingate VPN, which provides identity-based access without opening up your network.
#azure#aks#kubernetes#vpn#twingate#private-cluster#networking
3 min read
Apache Pulsar Playground: Running Pulsar Locally on kind with Dashboards, Clients, and Admin Tools
In this blog, I'll walk you through setting up a full-featured Apache Pulsar playground using kind (Kubernetes in Docker). Whether you're testing Pulsar for learning or demoing a real pub/sub model with admin tools and monitoring, this setup gives you everything.
#apache-pulsar#kubernetes#kind#helm#messaging#pubsub#devtools
13 min read
What Actually Happens When You kubectl apply – The Full Chain From YAML to Running Pod
The complete journey: client-side vs server-side apply, admission controllers, etcd persistence, controller reconciliation, scheduler binding, and kubelet container creation. Every step traced.
#kubernetes#kubectl#api-server#etcd#controllers#scheduler#kubelet#devops
5 min read
How to Increase EBS Disk Size on EC2 (Without Downtime)
Online EBS volume resizing for running instances – the IaC way with Terraform and ASG instance refresh, plus the manual escape hatch when you need it now. No reboot required.
#aws#ebs#ec2#terraform#disk#storage#devops
11 min read
Building a Custom GitHub Action for Traefik Traffic Weighting
How I built a GitHub Action to manage blue/green and canary deployments by dynamically updating Traefik weighted services – with SigV4 authentication, YAML configuration, and a generator API.
#github-actions#traefik#blue-green#canary#deployments#aws#sigv4#devops#ci-cd
9 min read
mTLS with Traefik: Hands-On Setup with Step CA
A complete walkthrough of setting up mutual TLS with Traefik and Smallstep CA – from certificate generation to client authentication. Includes local DNS, ACME integration, and a working demo you can deploy.
#mtls#traefik#tls#security#certificates#smallstep#pki#devops
5 min read
Crossplane and Localstack
Crossplane + LocalStack on kind: 100 % Local AWS Infrastructure-as-Code
#crossplane#localstack
8 min read
Falco on K8s (Kind)
Falco Kubernetes Lab: Runtime Threat Detection with Prometheus & Grafana
#falco#kind#prometheus#grafana
3 min read
Zero to Production: GitHub Actions CI/CD into GKE with Workload Identity
In this deep dive, we set up a secure, production-ready CI/CD pipeline from GitHub Actions to GKE using Workload Identity Federation—no secrets needed.
#gke#github-actions#ci-cd#oidc#workload-identity
4 min read
Securing APIs in AWS: Private API Gateway + VPC Endpoint Deep Dive
Learn how to deploy a secure, private-only API Gateway inside your VPC using interface endpoints, resource policies, and VPC integration.
#aws#api-gateway#vpc#networking#security#terraform
4 min read
AWS PrivateLink with Terraform
A hands-on technical guide to implementing AWS PrivateLink between VPCs using Terraform.
#aws#privatelink#vpc#terraform#networking#security
16 min read
Kubernetes Networking: A Deep Dive From First Principles
How packets actually flow in Kubernetes – from veth pairs to CNI plugins to kube-proxy modes. With AWS/EKS context throughout.
#kubernetes#networking#eks#aws#cni#cilium#calico
4 min read
Serverless containers in Kubernetes with Fargate (Part 2) — Hands-on
A hands-on article on deploying an application on Kubernetes with Fargate.
#kubernetes#fargate#eks#aws
29 min read
The Ultimate Pathway to DevOps Revamped
How to get started in DevOps?
#devops#roadmap#aws#platform#engineering
4 min read
Deploying Vault with a Custom AMI
An end-to-end guide for baking a Vault AMI using Packer and deploying a Vault EC2 instance on AWS.
#vault#aws#packer#ami#devops
4 min read
ECS Fargate Deep Dive Part 1: How Fargate Really Works
In the first part of our ECS Fargate Deep Dive, we break down what happens behind the scenes when you run a task on Fargate — Firecracker microVMs, ENIs, IAM and the hidden host fleet.
#aws#ecs#fargate#containers#devops
3 min read
ECS Fargate Deep Dive Part 2: Firecracker in Action
In the second part of our ECS Fargate Deep Dive, we get hands-on with Firecracker — the lightweight VMM that powers Fargate — and simulate task isolation and networking locally.
#aws#ecs#fargate#firecracker#containers#devops
3 min read
Solving the AWS OIDC Chicken-and-Egg Problem with GitHub Actions
Solving the AWS OIDC Chicken-and-Egg Problem with GitHub Actions
#aws#github#oidc
6 min read
BGP in the Cloud – A Deep Dive into AWS Direct Connect, Routing Pathologies, and What Breaks in Production
A production-focused deep dive into how BGP actually behaves over AWS Direct Connect – route selection, failover, ASN design, MEDs, prepending, blackholing scenarios, and the real-world issues teams hit at scale.
#bgp#aws#direct-connect#networking#hybrid-cloud#production#routing
11 min read
Helm Atomics: The Flag That Saves Your Production Deploys (And Its Hidden Gotchas)
Deep dive into Helm's --atomic, --wait, and --cleanup-on-fail flags. How they work, when to use them, the CI/CD pipeline trap that catches everyone, and production-ready deployment patterns.
#helm#kubernetes#devops#cicd#deployments#rollback
13 min read
The Terraform State Chicken-and-Egg Problem – And Why Bootstrapping Is Just Physics
You can't use Terraform to create the S3 bucket that stores Terraform state. Here's how to bootstrap your remote backend properly, plus the philosophical reason this pattern exists everywhere in software.
#terraform#aws#s3#dynamodb#infrastructure#devops#state-management
6 min read
Creating a Lab Container
An end-to-end guide for creating a lab container for DevOps training.
#devops#docker#lab#container
5 min read
The ever-changing landscape of modern applications
A look at the ever-changing landscape of modern applications
#devops#kubernetes#docker#containers