OpenTelemetry Changed How I Think About Observability
A practical, opinionated take on OpenTelemetry - why it matters, what it actually solves, and how to instrument across Kubernetes, Lambda, ECS, and EC2 without losing your mind.
Tags
Browse posts by topic
348 topics · 154 posts
#devops 64
#kubernetes 61
#aws 55
#terraform 31
#security 31
#networking 25
#platform-engineering 15
#engineering-culture 13
#career 11
#containers 11
#eks 10
#observability 10
#docker 8
#vpc 7
#ecs 7
#migration 7
#leadership 6
#finops 6
#gitops 6
#cicd 6
#iac 6
#fargate 6
#cost-optimization 6
#production 5
#infrastructure 5
#automation 5
#github-actions 5
#sre 5
#cilium 5
#linux 5
#dns 5
#gke 5
#zero-trust 5
#productivity 4
#iam 4
#ci-cd 4
#testing 4
#privatelink 4
#reliability 4
#oidc 4
#mtls 4
#database 4
#advice 4
#localstack 4
#postgresql 4
#kind 4
#performance 4
#lambda 4
#control-tower 3
#service-catalog 3
#organizations 3
#backstage 3
#rds 3
#incident-management 3
#developer-experience 3
#ebpf 3
#clawdbot 3
#s3 3
#databases 3
#k8s 3
#traefik 3
#metrics 3
#monitoring 3
#ec2 3
#deployment 3
#deployments 3
#cni 3
#elasticsearch 3
#debugging 3
#kubectl 3
#gateway-api 3
#helm 3
#homelab 3
#on-call 3
#aks 3
#autoscaling 3
#opa 3
#remote-work 3
#opentelemetry 3
#serverless 3
#karpenter 2
#sso 2
#multi-account 2
#scps 2
#spacelift 2
#act 2
#governance 2
#bgp 2
#hybrid-cloud 2
#post-mortems 2
#idp 2
#github 2
#service-mesh 2
#hetzner 2
#vps 2
#tutorial 2
#saas 2
#sigstore 2
#contracting 2
#salary 2
#crossplane 2
#storage 2
#kafka 2
#interviews 2
#engineering 2
#alerting 2
#falco 2
#architecture 2
#java 2
#blue-green 2
#dynamodb 2
#state-management 2
#twingate 2
#private 2
#calico 2
#logging 2
#prometheus 2
#development 2
#cloud 2
#ingress 2
#traffic-management 2
#cluster-management 2
#k3s 2
#coredns 2
#pods 2
#gatekeeper 2
#documentation 2
#nat 2
#messaging 2
#policy-as-code 2
#packer 2
#ami 2
#principal-engineer 2
#api-gateway 2
#azure 2
#vpn 2
#canary 2
#spiffe 2
#spire 2
#startups 2
#teams 1
#account-factory 1
#ack 1
#prefix-lists 1
#security-groups 1
#mlops 1
#machine-learning 1
#aws-config 1
#compliance 1
#ssm 1
#iam-identity-center 1
#endpoints 1
#cognito 1
#developer-portal 1
#react 1
#typescript 1
#direct-connect 1
#routing 1
#psychological-safety 1
#cdn 1
#cloudfront 1
#trainline 1
#chaos-engineering 1
#litmus 1
#google-workspace 1
#notion 1
#integrations 1
#oauth 1
#whatsapp 1
#clickhouse 1
#tagging 1
#cloud-costs 1
#multi-tenant 1
#unit-economics 1
#namespaces 1
#netns 1
#bridge 1
#cosign 1
#backup 1
#cronjob 1
#stateful 1
#operators 1
#strimzi 1
#operator 1
#roadmap 1
#platform 1
#udp 1
#cloudmap 1
#service-discovery 1
#dora 1
#dragonfly 1
#redis 1
#caching 1
#dynatrace 1
#ansible 1
#kernel 1
#tetragon 1
#eni 1
#ip 1
#task-sets 1
#network 1
#ip-exhaustion 1
#prefix-delegation 1
#ipip 1
#elastic-cloud 1
#managed-services 1
#elk 1
#kibana 1
#logstash 1
#etl 1
#python 1
#airflow 1
#data-engineering 1
#external-secrets 1
#secrets-manager 1
#grafana 1
#firecracker 1
#kubecost 1
#opencost 1
#consulting 1
#tech-industry 1
#lessons-learned 1
#argocd 1
#cluster 1
#access 1
#google-cloud 1
#workload-identity 1
#rollback 1
#fluxcd 1
#hashicorp-vault 1
#identity-aware-proxy 1
#oauth2 1
#ebs 1
#disk 1
#port 1
#kratix 1
#self-service 1
#jenkins 1
#jvm 1
#memory 1
#threads 1
#raspberry-pi 1
#socks5 1
#pg_dump 1
#arp 1
#net_raw 1
#mitm 1
#networkpolicy 1
#sidecars 1
#kyverno 1
#policy 1
#lab 1
#container 1
#meetings 1
#gateway 1
#instance 1
#cost 1
#savings 1
#nats 1
#jetstream 1
#streaming 1
#microservices 1
#negotiation 1
#tools 1
#nginx 1
#incident 1
#log-rotation 1
#war-stories 1
#admission-control 1
#traces 1
#logs 1
#collector 1
#tracing 1
#immutable-infrastructure 1
#internal-platforms 1
#pod-security 1
#psp 1
#admission-controller 1
#hardening 1
#scheduling 1
#high-availability 1
#private-cluster 1
#flagger 1
#progressive-delivery 1
#apache-pulsar 1
#pubsub 1
#devtools 1
#pulsar 1
#rds-proxy 1
#connection-pooling 1
#management 1
#resource-management 1
#route53 1
#failover 1
#latency-routing 1
#secretless 1
#secrets-management 1
#sidecar 1
#gitlab 1
#self-hosted 1
#startup 1
#technical-writing 1
#istio 1
#linkerd 1
#slo 1
#soc 1
#cribl 1
#siem 1
#rego 1
#modules 1
#spot-instances 1
#sql-server 1
#oracle 1
#dms 1
#event-sourcing 1
#agile 1
#team-management 1
#certifications 1
#learning 1
#supply-chain 1
#slsa 1
#sbom 1
#tailscale 1
#wireguard 1
#hcl2 1
#best-practices 1
#state 1
#refactoring 1
#sigv4 1
#tls 1
#certificates 1
#smallstep 1
#pki 1
#vault 1
#aurora 1
#vitess 1
#mysql 1
#sharding 1
#scaling 1
#vpa 1
#hpa 1
#keda 1
#api-server 1
#etcd 1
#controllers 1
#scheduler 1
#kubelet 1
#hot-takes 1
#devops 64 posts
Building an Automated Multi-Account AWS Architecture with Control Tower and Terraform
A hands-on walkthrough of enabling AWS Control Tower, designing an OU structure, automating account provisioning via Service Catalog, and deploying security baselines - from zero to fully automated account vending in production.
Spacelift from Scratch: Automating Terraform at Scale with Spaces, Stacks, OPA Policies, and a Private Module Registry
A complete guide to setting up Spacelift for multi-team Terraform automation - from zero to production with spaces, dynamic stacks, OPA security policies in Rego, private module registry, and GitOps-driven infrastructure.
Migrating ClickHouse From EC2 to ClickHouse Cloud - Every Approach We Tried and Why Most Failed
S3 backup/restore, direct connectivity, Parquet exports - none of them worked cleanly. Here's the full war story of migrating a production ClickHouse instance to Cloud, the version mismatch that broke everything, and the dumb-simple approach that actually got the job done.
Platform Engineering in 2026 - It's About the Discipline, Not the Tools
Platform engineering has become the most misunderstood role in tech. Everyone's building 'platforms' but few understand what actually makes one successful. Here's what I've learned building platforms for teams of 10 to 500.
Terraform State Surgery - Splitting, Moving, and Refactoring Without Downtime
A practical guide to breaking up monolithic Terraform state files, moving resources between states, and refactoring infrastructure safely. Includes real examples, scripts, and the exact commands we use.
Running Clawdbot 24/7 on a Hetzner VPS – Terraform, Security Hardening, and the Bits the Docs Miss
A production-grade setup for Clawdbot on Hetzner Cloud with Terraform provisioning, proper SSH hardening, fail2ban, UFW, unattended-upgrades, and optional Tailscale – the stuff you actually need in prod.
Clawdbot Manual Setup – Step-by-Step VPS Configuration with WhatsApp Integration
A detailed walkthrough for setting up Clawdbot on a Hetzner VPS from scratch – SSH hardening, firewall configuration, Tailscale, and WhatsApp Business integration using a dedicated number.
Self-Hosted GitLab on Kubernetes - A Startup's Journey
A detailed guide on deploying GitLab on AKS using Helm charts, with Azure SQL as the database backend. Covers architecture decisions, configuration, lessons learned, and the gotchas we hit in production.
DORA Metrics Implementation - Measuring What Matters
DORA metrics are the industry standard for measuring DevOps performance. Here's how to implement them properly, avoid common pitfalls, and actually use them to improve your team's delivery.
7 Years of Infrastructure Decisions: What I'd Do Again and What I Regret
Every infrastructure decision I'd make again – and the ones I wouldn't – after running production workloads across fintech, open-source, IoT, and beyond.
MLOps for DevOps Engineers - What You Actually Need to Know
MLOps is becoming a critical skill for DevOps engineers. Here's what matters: the infrastructure patterns, tooling, and operational practices that make ML systems work in production - from someone who learned the hard way.
Debugging JVM Thread Exhaustion on EC2: A Contractor War Story
How I diagnosed and fixed a Java application that kept crashing under load – from 'cannot create native thread' errors to properly tuned JVM settings, system limits, and right-sized EC2 instances.
Pod Topology Spread Constraints - Distributing Workloads Intelligently
Control how pods spread across nodes, zones, and regions. A deep dive into topology spread constraints for high availability and efficient resource utilization.
Migrating a Java Application from EC2 to ECS Fargate: A Step-by-Step Guide
The complete journey of containerising a Java JAR running on EC2 and deploying it to ECS Fargate – from local testing to Dockerfile, task definitions, networking, secrets management, and achieving production parity.
The Fast Feedback Loop - Local Development with Kind, LocalStack, and Act
Combine Kind, LocalStack, and Act for a complete local development environment. Test Kubernetes, AWS services, and CI pipelines without leaving your laptop.
LocalStack Deep Dive - AWS on Your Laptop
Run AWS services locally for faster development and testing. A practical guide to LocalStack covering S3, Lambda, DynamoDB, SQS, and integration testing patterns.
GitHub Actions OIDC – Ditch the AWS Access Keys Forever
How to authenticate GitHub Actions to AWS without storing secrets. OIDC federation explained, IAM role setup, and the token claims that control access.
AWS Account Provisioning at Scale with Control Tower, Service Catalog, and Terraform
How to build an automated account vending machine using AWS Control Tower Account Factory, Service Catalog, CloudFormation StackSets, and Terraform – from request to fully provisioned account with SSO and IAM roles.
Test GitHub Actions Locally with Act
Stop pushing to test your workflows. Act lets you run GitHub Actions locally with instant feedback. Here's how to set it up and use it effectively.
Cloud Tagging Strategies That Actually Work
Tagging is the foundation of cloud governance, cost allocation, and automation. Here's how to implement tagging consistently across your infrastructure using context modules, policies, and automation.
Migrating 30 Repos from Jenkins to GitHub Actions – The Complete Runbook
A battle-tested playbook for migrating CI/CD pipelines from Jenkins to GitHub Actions at scale. Covers OIDC authentication, parallel running, secrets migration, and the gotchas that will bite you.
Container Image Signing with Cosign - A Practical Guide
Sign and verify container images without managing keys. A hands-on guide to Cosign, keyless signing, and enforcing signatures in Kubernetes.
Backstage on AWS ECS - Production-Ready Deployment with RDS and Cognito
A comprehensive guide to deploying Spotify's Backstage developer portal on AWS ECS Fargate with PostgreSQL RDS, Cognito authentication, and proper production hardening.
Database Backup to S3 with Kubernetes CronJobs
Build a production-ready database backup system using Kubernetes CronJobs, PostgreSQL, and S3. Includes a complete local testing environment with KIND and LocalStack.
Terraform Best Practices (Part 2) - Testing, CI/CD, Security, and Team Workflows
Advanced Terraform practices covering testing strategies, CI/CD pipelines, security hardening, drift detection, and team collaboration patterns for infrastructure as code at scale.
Build an ETL Pipeline with Python, PostgreSQL, and Airflow
A practical guide to building an ETL pipeline that extracts weather data from OpenWeatherMap, transforms it with pandas, and loads it into PostgreSQL. Includes Airflow orchestration with email notifications.
Build a SOC Homelab with Docker - Elasticsearch, Cribl, and Log Simulation
Set up a Security Operations Center lab environment using Docker. Includes Elasticsearch, Kibana, Cribl Stream for log routing, and simulated log generators for hands-on security analysis practice.
Terraform Best Practices (Part 1) - Project Structure, State, and Modules
A comprehensive guide to Terraform best practices covering project organisation, state management, module design, and foundational patterns for scalable infrastructure as code.
K3s Homelab Setup Guide - Running Kubernetes on Raspberry Pi 5
Build a lightweight Kubernetes cluster on three Raspberry Pi 5 devices. Step-by-step guide covering K3s installation, cluster configuration, and deployment testing.
Migrating Event Store Data from SQL Server and Oracle to DynamoDB with AWS DMS
How we used AWS DMS with database views, partitioned replication tasks, and Terraform to migrate event sourcing data from on-prem SQL Server and Oracle to DynamoDB – the architecture, the gotchas, and production Terraform you can reuse.
Software Supply Chain Security - Sigstore, SLSA, and Beyond
Your dependencies are an attack vector. Here's how to secure your software supply chain with Sigstore, SLSA frameworks, SBOMs, and admission policies that actually work.
Serverless Container Framework - Deploy Containers to Lambda and Fargate with Ease
Deploy containerised applications to AWS Lambda or Fargate with a simple YAML config. No infrastructure code required - just define your containers and deploy.
SRE for Small Teams
You don't need Google's budget to practice SRE. Here's how to implement Site Reliability Engineering principles with a small team and limited resources.
FinOps for Engineering Teams - Making Cost Everyone's Problem
Cloud cost management isn't just for finance. Here's how engineering teams can build cost awareness into their workflow without slowing down delivery.
Ephemeral Containers for Production Debugging
Debug distroless and minimal containers in production without redeploying. Ephemeral containers let you attach debugging tools to running pods - here's how to use them effectively.
Kubernetes Sidecar Startup Order - Making Your Main App Wait
How to ensure sidecar containers are ready before your main app starts. Covers startupProbe, postStart hooks, and why readinessProbe doesn't do what you think.
Common DevOps Interview Questions Candidates Fail
The questions that separate senior engineers from those who memorised tutorials. Real interview failures, what interviewers are actually looking for, and how to answer with depth.
Incident Management That Actually Works
Most incident processes are theatre. Here's how to build incident management that reduces downtime, prevents recurrence, and doesn't burn out your team.
Kubernetes Cluster Upgrades: Production-Ready Guide
Technical guide for upgrading managed Kubernetes clusters across GKE, EKS, and AKS
GKE Upgrade Guide and Rollback Strategy: A Production-Ready Approach
Comprehensive guide for safely upgrading GKE clusters with minimal downtime and robust rollback procedures
ECS Task Sets: Blue/Green Deployments Without CodeDeploy
How to use ECS external deployment controllers and task sets for manual blue/green deployments – the setup, the CLI commands, the Terraform, and an honest assessment of when it's worth the complexity.
Lessons From 5 Years of Kubernetes in Production – Cluster Crashes, Ditching Self-Managed, Cost Cuts, and the Tooling That Actually Works
Two major cluster crashes, migrating from kops to EKS, slashing compute costs with Karpenter, and the observability stack we rebuilt three times.
Working with Databases in Kubernetes: Connections, Dumps and Data Extraction
A practical guide to connecting to PostgreSQL databases in Kubernetes – exec into pods, VPN access, SOCKS5 proxies, pg_dump, kubectl cp and getting data out when you need it.
Production War Stories: The NGINX Log Rotation That Caused a P1
How a 'safe' AMI upgrade led to traffic drops, zombie log files, and disk exhaustion – and the debugging journey that followed. A real incident from on-call, with technical details and lessons learned.
Right-Sizing Kubernetes Workloads - Stop Burning Money
Most Kubernetes clusters waste 50-70% of their resources. Here's how to measure what you're actually using, fix the worst offenders, and automate the process - without breaking production.
Service Mesh Comparison - Istio vs Linkerd vs Cilium
Service meshes promise observability, security, and traffic management. But which one should you choose? A practical comparison based on running all three in production.
Building Production AMIs with Packer: CI Pipelines, Terraform Integration, and Security Best Practices
Complete guide to building immutable AMIs with Packer in production - CI/CD pipelines, Terraform ASG integration, rollback strategies, maintenance workflows, and security hardening.
Building an Internal Developer Platform
A practical guide to building an IDP that developers actually want to use. Covers the build vs buy decision, Backstage implementation, and the organisational changes required for success.
DNS UDP Truncation: Why Your ECS Tasks Aren't Getting Traffic
How DNS UDP's 512-byte limit caps responses at ~8 A records, breaking service discovery for scaled ECS/CloudMap workloads – and the sidecar solution to bypass it.
Your Startup Doesn't Need Kubernetes
Kubernetes is an incredible technology that solves real problems. But for most startups, it's the wrong tool. Here's how to know when you're ready - and what to use instead.
Container Networking Deep Dive Part 1: Single Network Namespace on a VM
In the first part of our Container Networking Deep Dive, we explore how to set up a single network namespace inside a VM and connect it to the host using a veth pair.
What Actually Happens When You kubectl apply – The Full Chain From YAML to Running Pod
The complete journey: client-side vs server-side apply, admission controllers, etcd persistence, controller reconciliation, scheduler binding, and kubelet container creation. Every step traced.
How to Increase EBS Disk Size on EC2 (Without Downtime)
Online EBS volume resizing for running instances – the IaC way with Terraform and ASG instance refresh, plus the manual escape hatch when you need it now. No reboot required.
Building a Custom GitHub Action for Traefik Traffic Weighting
How I built a GitHub Action to manage blue/green and canary deployments by dynamically updating Traefik weighted services – with SigV4 authentication, YAML configuration, and a generator API.
mTLS with Traefik: Hands-On Setup with Step CA
A complete walkthrough of setting up mutual TLS with Traefik and Smallstep CA – from certificate generation to client authentication. Includes local DNS, ACME integration, and a working demo you can deploy.
The Ultimate Pathway to DevOps Revamped
A practical roadmap into DevOps for engineers starting out — what to learn, in what order, and where the genuine value is vs the hype.
Deploying Vault with a Custom AMI
An end-to-end guide for baking a Vault AMI using Packer and deploying a Vault EC2 instance on AWS.
ECS Fargate Deep Dive Part 1: How Fargate Really Works
In the first part of our ECS Fargate Deep Dive, we break down what happens behind the scenes when you run a task on Fargate — Firecracker microVMs, ENIs, IAM and the hidden host fleet.
ECS Fargate Deep Dive Part 2: Firecracker in Action
In the second part of our ECS Fargate Deep Dive, we get hands-on with Firecracker — the lightweight VMM that powers Fargate — and simulate task isolation and networking locally.
Helm Atomics: The Flag That Saves Your Production Deploys (And Its Hidden Gotchas)
Deep dive into Helm's --atomic, --wait, and --cleanup-on-fail flags. How they work, when to use them, the CI/CD pipeline trap that catches everyone, and production-ready deployment patterns.
The Terraform State Chicken-and-Egg Problem – And Why Bootstrapping Is Just Physics
You can't use Terraform to create the S3 bucket that stores Terraform state. Here's how to bootstrap your remote backend properly, plus the philosophical reason this pattern exists everywhere in software.
Creating a Lab Container
An end-to-end guide for creating a lab container for DevOps training.
The ever-changing landscape of modern applications
A look at the ever-changing landscape of modern applications
#kubernetes 61 posts
Building a Production-Grade Homelab with K3s, Vault, and FluxCD
How I built a fully GitOps-managed Kubernetes homelab on a single mini PC - from unboxing to production. Proxmox bare metal install, K3s cluster, HashiCorp Vault secrets, full observability, and Cloudflare Tunnel.
OpenTelemetry Changed How I Think About Observability
A practical, opinionated take on OpenTelemetry - why it matters, what it actually solves, and how to instrument across Kubernetes, Lambda, ECS, and EC2 without losing your mind.
Identity Aware Proxy: Zero Trust Access for Internal Applications
Deep dive into Identity Aware Proxies - what they are, how they work, and how to implement them with GCP IAP, Pomerium, and OAuth2-Proxy. Includes Terraform and Kubernetes examples.
Self-Hosted GitLab on Kubernetes - A Startup's Journey
A detailed guide on deploying GitLab on AKS using Helm charts, with Azure SQL as the database backend. Covers architecture decisions, configuration, lessons learned, and the gotchas we hit in production.
Cloud Unit Economics for Multi-Tenant SaaS - Cost Per Customer, Not Per Service
How to calculate true cost-per-tenant in a shared infrastructure environment. Covers EKS with Karpenter, shared databases (Aurora, DynamoDB), and tools like OpenCost, CloudZero, and custom attribution approaches.
7 Years of Infrastructure Decisions: What I'd Do Again and What I Regret
Every infrastructure decision I'd make again – and the ones I wouldn't – after running production workloads across fintech, open-source, IoT, and beyond.
MLOps for DevOps Engineers - What You Actually Need to Know
MLOps is becoming a critical skill for DevOps engineers. Here's what matters: the infrastructure patterns, tooling, and operational practices that make ML systems work in production - from someone who learned the hard way.
Dragonfly vs Redis: Modern In-Memory Store Comparison
Compare Dragonfly and Redis for caching and data storage. Dragonfly's multi-threaded architecture vs Redis single-threaded model.
Vitess for MySQL: Horizontal Sharding Done Right
Scale MySQL horizontally with Vitess. Automatic sharding, online schema changes, and Kubernetes-native deployment for massive scale.
NATS JetStream: Lightweight Alternative to Kafka
Deploy NATS JetStream for messaging and streaming. Simpler than Kafka, faster than RabbitMQ, with persistence and exactly-once delivery.
VPA + HPA Together: The Right Way to Autoscale Both
Use Vertical Pod Autoscaler and Horizontal Pod Autoscaler together without conflicts. Includes KEDA integration and best practices.
Pod Topology Spread Constraints - Distributing Workloads Intelligently
Control how pods spread across nodes, zones, and regions. A deep dive into topology spread constraints for high availability and efficient resource utilization.
FinOps Automation: Kubecost, OpenCost, and Automated Rightsizing
Implement automated cloud cost optimization with Kubecost and OpenCost. Track costs per team, rightsize resources, and automate savings.
Spot Instance Patterns: Graceful Handling and Cost Savings
Master AWS Spot Instances in production. Handle interruptions gracefully, use mixed instance groups, and save 60-90% on compute costs.
Karpenter Deep Dive: Node Provisioning That Actually Works
Master Karpenter for Kubernetes node autoscaling. Replace Cluster Autoscaler with faster, smarter provisioning. Includes cost optimization patterns.
The Fast Feedback Loop - Local Development with Kind, LocalStack, and Act
Combine Kind, LocalStack, and Act for a complete local development environment. Test Kubernetes, AWS services, and CI pipelines without leaving your laptop.
Progressive Delivery with Flagger: Automated Canary Deployments
Implement automated canary deployments with Flagger. Metrics-based promotion, automated rollback, and integration with Istio, Linkerd, and Gateway API.
Chaos Engineering with Litmus: Controlled Failure Injection
Implement chaos engineering in Kubernetes with LitmusChaos. Run pod failures, network chaos, and stress tests to validate system resilience.
Kyverno vs OPA: Policy Engines Compared
Detailed comparison of Kyverno and OPA Gatekeeper for Kubernetes policy enforcement. Includes real examples, performance considerations, and migration guidance.
Crossplane Compositions: Build Your Own Cloud API
Create custom cloud APIs with Crossplane Compositions. Abstract away complexity and give developers self-service infrastructure with guardrails.
Gateway API Advanced Patterns: Beyond Basic Ingress
Master Gateway API with traffic splitting, header-based routing, cross-namespace references, and TLS passthrough. The future of Kubernetes ingress.
Cilium Service Mesh: Sidecar-Free with eBPF
Deploy a service mesh without sidecars using Cilium. Get mTLS, traffic management, and observability powered by eBPF at the kernel level.
Secretless Broker: Zero-Secret Applications
Remove secrets from your applications entirely with Secretless Broker. Inject database credentials, API keys, and certificates via sidecar without your app knowing they exist.
Container Image Signing with Cosign - A Practical Guide
Sign and verify container images without managing keys. A hands-on guide to Cosign, keyless signing, and enforcing signatures in Kubernetes.
OPA Gatekeeper: Policy as Code for Kubernetes
Implement admission control policies with OPA Gatekeeper. Enforce security standards, naming conventions, resource limits, and compliance requirements at the cluster level.
Database on Kubernetes - When It Makes Sense
Running databases on Kubernetes is controversial. Sometimes it's the right call, sometimes it's a disaster waiting to happen. Here's how to decide, and how to do it properly if you choose to proceed.
eBPF for Security: Kernel-Level Observability Without Agents
Deep dive into eBPF-based security tools - Cilium, Falco, and Tetragon. Learn how to implement runtime security, network policies, and threat detection at the kernel level.
SPIFFE and SPIRE: Zero Trust Workload Identity
Deep dive into SPIFFE and SPIRE for workload identity. Replace shared secrets with cryptographic identity for service-to-service authentication. Includes Kubernetes deployment and mTLS examples.
Database Backup to S3 with Kubernetes CronJobs
Build a production-ready database backup system using Kubernetes CronJobs, PostgreSQL, and S3. Includes a complete local testing environment with KIND and LocalStack.
K3s Homelab Setup Guide - Running Kubernetes on Raspberry Pi 5
Build a lightweight Kubernetes cluster on three Raspberry Pi 5 devices. Step-by-step guide covering K3s installation, cluster configuration, and deployment testing.
NetworkPolicy Default Deny – The One Rule We Add to Every Namespace
Why your Kubernetes cluster is wide open by default, and the single NetworkPolicy that changes everything. Copy, paste, deploy, sleep better.
Software Supply Chain Security - Sigstore, SLSA, and Beyond
Your dependencies are an attack vector. Here's how to secure your software supply chain with Sigstore, SLSA frameworks, SBOMs, and admission policies that actually work.
Pod Security Standards Enforcement - The PSP Replacement That Actually Works
How to enforce Pod Security Standards using the built-in Pod Security Admission controller. Covers Privileged, Baseline, and Restricted profiles, migration from PSPs, namespace labeling, and exemptions.
Ephemeral Containers for Production Debugging
Debug distroless and minimal containers in production without redeploying. Ephemeral containers let you attach debugging tools to running pods - here's how to use them effectively.
External Secrets Operator with AWS Secrets Manager - Stop Mounting Secrets in ConfigMaps
How to use External Secrets Operator to sync AWS Secrets Manager secrets to Kubernetes. Covers SecretStore, ExternalSecret, IAM with IRSA, templating, and production patterns.
The Kubernetes ndots:5 Problem – Why DNS Lookups Take 15 Seconds
A deep dive into why external DNS resolution in Kubernetes can be painfully slow, how the default ndots:5 setting causes unnecessary lookups, and practical fixes that actually work.
Kubernetes Sidecar Startup Order - Making Your Main App Wait
How to ensure sidecar containers are ready before your main app starts. Covers startupProbe, postStart hooks, and why readinessProbe doesn't do what you think.
Common DevOps Interview Questions Candidates Fail
The questions that separate senior engineers from those who memorised tutorials. Real interview failures, what interviewers are actually looking for, and how to answer with depth.
Kubernetes Cluster Upgrades: Production-Ready Guide
Technical guide for upgrading managed Kubernetes clusters across GKE, EKS, and AKS
GKE Upgrade Guide and Rollback Strategy: A Production-Ready Approach
Comprehensive guide for safely upgrading GKE clusters with minimal downtime and robust rollback procedures
OpenTelemetry from Scratch
OpenTelemetry unifies traces, metrics, and logs under one standard. This guide covers how to instrument your applications, set up collectors, and actually make sense of the data.
Kubernetes Gateway API vs Ingress - When to Migrate and How
Gateway API is the successor to Ingress, bringing role-oriented design, native traffic splitting, and cross-namespace routing. This post compares both APIs, when to migrate, and practical migration patterns.
Lessons From 5 Years of Kubernetes in Production – Cluster Crashes, Ditching Self-Managed, Cost Cuts, and the Tooling That Actually Works
Two major cluster crashes, migrating from kops to EKS, slashing compute costs with Karpenter, and the observability stack we rebuilt three times.
Working with Databases in Kubernetes: Connections, Dumps and Data Extraction
A practical guide to connecting to PostgreSQL databases in Kubernetes – exec into pods, VPN access, SOCKS5 proxies, pg_dump, kubectl cp and getting data out when you need it.
Right-Sizing Kubernetes Workloads - Stop Burning Money
Most Kubernetes clusters waste 50-70% of their resources. Here's how to measure what you're actually using, fix the worst offenders, and automate the process - without breaking production.
Service Mesh Comparison - Istio vs Linkerd vs Cilium
Service meshes promise observability, security, and traffic management. But which one should you choose? A practical comparison based on running all three in production.
GitOps with ArgoCD - A Practical Setup Guide
A hands-on guide to implementing GitOps with ArgoCD. Covers installation, application management, sync strategies, secrets handling, and the patterns that actually work in production.
Cilium in Kubernetes
Hands-on with Cilium CNI on a local kind cluster — installation, eBPF datapath verification, network policies and Hubble observability.
Your Startup Doesn't Need Kubernetes
Kubernetes is an incredible technology that solves real problems. But for most startups, it's the wrong tool. Here's how to know when you're ready - and what to use instead.
EKS Private Network with Twingate
How to setup a private network for your EKS cluster with Twingate
Secure Gateways: Configuring Mutual TLS using Gateway API on GKE
In this blog, we configure mutual TLS (mTLS) using Gateway API on GKE, securing ingress traffic with client certificate validation.
SPIFFE and SPIRE in Kubernetes
Secure Your Kubernetes with SPIFFE + SPIRE: Zero-Trust Identity for Workloads
Kubernetes DNS Spoofing: Exploiting NET_RAW and ARP
DNS spoofing in Kubernetes remains a critical threat, enabling attackers to redirect traffic, intercept data, or disrupt services. This article explores how such attacks occur and outlines strategies to prevent them.
Private AKS Cluster with Twingate: Secure API Access Without a Public Endpoint
Running Kubernetes clusters privately is a growing best practice. In this blog, I'll walk you through deploying a private AKS cluster on Azure with no public API endpoint, and enabling secure access via Twingate VPN, which provides identity-based access without opening up your network.
Apache Pulsar Playground: Running Pulsar Locally on kind with Dashboards, Clients, and Admin Tools
In this blog, I'll walk you through setting up a full-featured Apache Pulsar playground using kind (Kubernetes in Docker). Whether you're testing Pulsar for learning or demoing a real pub/sub model with admin tools and monitoring, this setup gives you everything.
What Actually Happens When You kubectl apply – The Full Chain From YAML to Running Pod
The complete journey: client-side vs server-side apply, admission controllers, etcd persistence, controller reconciliation, scheduler binding, and kubelet container creation. Every step traced.
AWS Controllers for Kubernetes
Manage AWS resources from Kubernetes manifests using AWS Controllers for Kubernetes (ACK). End-to-end demo on kind covering setup, RDS provisioning and the trade-offs vs Terraform.
Kubernetes Networking: A Deep Dive From First Principles
How packets actually flow in Kubernetes – from veth pairs to CNI plugins to kube-proxy modes. With AWS/EKS context throughout.
Serverless containers in Kubernetes with Fargate (Part 2) — Hands-on
A hands-on article on deploying an application on Kubernetes with Fargate.
Helm Atomics: The Flag That Saves Your Production Deploys (And Its Hidden Gotchas)
Deep dive into Helm's --atomic, --wait, and --cleanup-on-fail flags. How they work, when to use them, the CI/CD pipeline trap that catches everyone, and production-ready deployment patterns.
The ever-changing landscape of modern applications
A look at the ever-changing landscape of modern applications
#aws 55 posts
OpenTelemetry Changed How I Think About Observability
A practical, opinionated take on OpenTelemetry - why it matters, what it actually solves, and how to instrument across Kubernetes, Lambda, ECS, and EC2 without losing your mind.
AWS Control Tower Account Factory - The Gotchas Nobody Tells You
Real-world lessons from automating AWS account provisioning with Control Tower, Service Catalog, and Terraform. The silent failures, IAM traps, and StackSet timing issues that cost us days.
Building an Automated Multi-Account AWS Architecture with Control Tower and Terraform
A hands-on walkthrough of enabling AWS Control Tower, designing an OU structure, automating account provisioning via Service Catalog, and deploying security baselines - from zero to fully automated account vending in production.
Migrating ClickHouse From EC2 to ClickHouse Cloud - Every Approach We Tried and Why Most Failed
S3 backup/restore, direct connectivity, Parquet exports - none of them worked cleanly. Here's the full war story of migrating a production ClickHouse instance to Cloud, the version mismatch that broke everything, and the dumb-simple approach that actually got the job done.
Implementing Vertical Autoscaling for Aurora Databases Using Lambda Functions
AWS doesn't offer vertical autoscaling for Aurora – so we built it. CloudWatch Alarms, SNS, Lambda coordination, and the gotchas we hit in production.
Terraform 0.11 to 1.11 Migration - The Full Journey
A detailed guide on migrating Terraform from 0.11 to 1.11, covering HCL2 syntax changes, the S3 bucket resource split, state manipulation, and ensuring zero-drift upgrades.
Cloud Unit Economics for Multi-Tenant SaaS - Cost Per Customer, Not Per Service
How to calculate true cost-per-tenant in a shared infrastructure environment. Covers EKS with Karpenter, shared databases (Aurora, DynamoDB), and tools like OpenCost, CloudZero, and custom attribution approaches.
7 Years of Infrastructure Decisions: What I'd Do Again and What I Regret
Every infrastructure decision I'd make again – and the ones I wouldn't – after running production workloads across fintech, open-source, IoT, and beyond.
Migrating a Java Application from EC2 to ECS Fargate: A Step-by-Step Guide
The complete journey of containerising a Java JAR running on EC2 and deploying it to ECS Fargate – from local testing to Dockerfile, task definitions, networking, secrets management, and achieving production parity.
Spot Instance Patterns: Graceful Handling and Cost Savings
Master AWS Spot Instances in production. Handle interruptions gracefully, use mixed instance groups, and save 60-90% on compute costs.
Karpenter Deep Dive: Node Provisioning That Actually Works
Master Karpenter for Kubernetes node autoscaling. Replace Cluster Autoscaler with faster, smarter provisioning. Includes cost optimization patterns.
The Fast Feedback Loop - Local Development with Kind, LocalStack, and Act
Combine Kind, LocalStack, and Act for a complete local development environment. Test Kubernetes, AWS services, and CI pipelines without leaving your laptop.
LocalStack Deep Dive - AWS on Your Laptop
Run AWS services locally for faster development and testing. A practical guide to LocalStack covering S3, Lambda, DynamoDB, SQS, and integration testing patterns.
GitHub Actions OIDC – Ditch the AWS Access Keys Forever
How to authenticate GitHub Actions to AWS without storing secrets. OIDC federation explained, IAM role setup, and the token claims that control access.
AWS Account Provisioning at Scale with Control Tower, Service Catalog, and Terraform
How to build an automated account vending machine using AWS Control Tower Account Factory, Service Catalog, CloudFormation StackSets, and Terraform – from request to fully provisioned account with SSO and IAM roles.
AWS PrivateLink Deep Dive: Private Connectivity Patterns
Master AWS PrivateLink for private API access, cross-account connectivity, and SaaS integrations. Includes Terraform examples and multi-region patterns.
Cloud Tagging Strategies That Actually Work
Tagging is the foundation of cloud governance, cost allocation, and automation. Here's how to implement tagging consistently across your infrastructure using context modules, policies, and automation.
Migrating 30 Repos from Jenkins to GitHub Actions – The Complete Runbook
A battle-tested playbook for migrating CI/CD pipelines from Jenkins to GitHub Actions at scale. Covers OIDC authentication, parallel running, secrets migration, and the gotchas that will bite you.
Backstage on AWS ECS - Production-Ready Deployment with RDS and Cognito
A comprehensive guide to deploying Spotify's Backstage developer portal on AWS ECS Fargate with PostgreSQL RDS, Cognito authentication, and proper production hardening.
Terraform Best Practices (Part 1) - Project Structure, State, and Modules
A comprehensive guide to Terraform best practices covering project organisation, state management, module design, and foundational patterns for scalable infrastructure as code.
Migrating Event Store Data from SQL Server and Oracle to DynamoDB with AWS DMS
How we used AWS DMS with database views, partitioned replication tasks, and Terraform to migrate event sourcing data from on-prem SQL Server and Oracle to DynamoDB – the architecture, the gotchas, and production Terraform you can reuse.
Serverless Container Framework - Deploy Containers to Lambda and Fargate with Ease
Deploy containerised applications to AWS Lambda or Fargate with a simple YAML config. No infrastructure code required - just define your containers and deploy.
FinOps for Engineering Teams - Making Cost Everyone's Problem
Cloud cost management isn't just for finance. Here's how engineering teams can build cost awareness into their workflow without slowing down delivery.
External Secrets Operator with AWS Secrets Manager - Stop Mounting Secrets in ConfigMaps
How to use External Secrets Operator to sync AWS Secrets Manager secrets to Kubernetes. Covers SecretStore, ExternalSecret, IAM with IRSA, templating, and production patterns.
Why I replaced AWS NAT Gateway with a NAT Instance - and saved 20$ of dollar per month
AWS offers NAT Gateways as the default, fully managed solution for letting private subnet resources reach the internet. However, NAT Gateways can be pricey: Hourly cost: ~₹3.75/hour (varies by region) Data transfer cost: Additional ₹3.75/GB on top of standard data transfer For small dev/test environments or personal labs, these costs can add up quickly. In contrast, a NAT Instance is just a normal EC2 instance configured to perform IP forwarding and NAT. It’s typically much cheaper to run a small instance (`t3.micro`) than a NAT Gateway, especially if your traffic volume is modest.
NAT Gateway Alternatives - Cutting Your AWS Bill Without Losing Sleep
NAT Gateways are the silent budget killer in AWS. Here's how to reduce costs with NAT instances, VPC endpoints, IPv6, and architectural changes - with real numbers and trade-offs.
EKS IP Exhaustion: Running out of IPs, one way to fix it
Running out of IP addresses in AWS EKS can be a subtle yet critical issue. It often manifests as pods stuck in a pending state or nodes failing to join the cluster, leading to deployment bottlenecks and potential downtime. Understanding the root cause and implementing effective solutions is essential for maintaining cluster health and scalability. Now, there are many ways to fix this, but this is one way.
AWS VPC Endpoints - Keep Your Traffic Off the Internet
How to use VPC Endpoints to access AWS services without internet gateways or NAT. Covers Gateway vs Interface endpoints, PrivateLink, endpoint policies, cost optimization, and production Terraform patterns.
Common DevOps Interview Questions Candidates Fail
The questions that separate senior engineers from those who memorised tutorials. Real interview failures, what interviewers are actually looking for, and how to answer with depth.
AWS Service Control Policies (SCPs) - Guardrails for Your Organization
How to use SCPs to set permission guardrails across your AWS Organization. Covers SCP evaluation logic, deny vs allow strategies, common patterns, and production-ready Terraform examples.
AWS Config Rules with Auto Remediation - Enforce Compliance Automatically
How to use AWS Config Rules to detect compliance violations and automatically remediate them using SSM Automation documents. Covers managed rules, custom rules, remediation actions, and complete Terraform examples.
ECS Task Sets: Blue/Green Deployments Without CodeDeploy
How to use ECS external deployment controllers and task sets for manual blue/green deployments – the setup, the CLI commands, the Terraform, and an honest assessment of when it's worth the complexity.
RDS Proxy for Lambda - Solving the Connection Exhaustion Problem
How to use Amazon RDS Proxy to handle database connections from Lambda functions at scale. Covers connection pooling, IAM authentication, Terraform setup, and the gotchas you'll hit in production.
Lessons From 5 Years of Kubernetes in Production – Cluster Crashes, Ditching Self-Managed, Cost Cuts, and the Tooling That Actually Works
Two major cluster crashes, migrating from kops to EKS, slashing compute costs with Karpenter, and the observability stack we rebuilt three times.
AWS Managed Prefix Lists with Terraform - Stop Hardcoding CIDRs
How to use AWS Managed Prefix Lists to eliminate hardcoded CIDR blocks in security groups and route tables. Covers AWS-managed prefixes, customer-managed lists for data centres, and production Terraform patterns.
Building Production AMIs with Packer: CI Pipelines, Terraform Integration, and Security Best Practices
Complete guide to building immutable AMIs with Packer in production - CI/CD pipelines, Terraform ASG integration, rollback strategies, maintenance workflows, and security hardening.
DNS UDP Truncation: Why Your ECS Tasks Aren't Getting Traffic
How DNS UDP's 512-byte limit caps responses at ~8 A records, breaking service discovery for scaled ECS/CloudMap workloads – and the sidecar solution to bypass it.
How we migrated our CDN to AWS CloudFront at Trainline
Migrating the Trainline CDN to AWS CloudFront — traffic shaping with Lambda@Edge, the cache-hit ratio we landed on, and the production gotchas behind the cutover.
Private API Gateway - Part 2: Secure Cross-VPC Access with PrivateLink and IAM Authentication
Extend your private API Gateway with secure access from other VPCs using PrivateLink and enforce IAM-based authentication.
Route 53 Deep Dive: Multi-Region Latency Routing with Health-Based Failover
A hands-on guide to configuring AWS Route 53 for latency-based routing across multiple regions, incorporating health checks for automatic failover.
EKS without VPC CNI: Deploying Calico with IPIP and BGP
AWS EKS defaults to the VPC CNI plugin, assigning VPC IPs to pods via ENIs. While straightforward, this setup limits pod density per node and consumes VPC IPs rapidly. To overcome these constraints, deploying Calico with IPIP or BGP offers a scalable alternative.
How to Increase EBS Disk Size on EC2 (Without Downtime)
Online EBS volume resizing for running instances – the IaC way with Terraform and ASG instance refresh, plus the manual escape hatch when you need it now. No reboot required.
Building a Custom GitHub Action for Traefik Traffic Weighting
How I built a GitHub Action to manage blue/green and canary deployments by dynamically updating Traefik weighted services – with SigV4 authentication, YAML configuration, and a generator API.
AWS Controllers for Kubernetes
Manage AWS resources from Kubernetes manifests using AWS Controllers for Kubernetes (ACK). End-to-end demo on kind covering setup, RDS provisioning and the trade-offs vs Terraform.
Securing APIs in AWS: Private API Gateway + VPC Endpoint Deep Dive
Learn how to deploy a secure, private-only API Gateway inside your VPC using interface endpoints, resource policies, and VPC integration.
AWS PrivateLink with Terraform
A hands-on technical guide to implementing AWS PrivateLink between VPCs using Terraform.
Kubernetes Networking: A Deep Dive From First Principles
How packets actually flow in Kubernetes – from veth pairs to CNI plugins to kube-proxy modes. With AWS/EKS context throughout.
Serverless containers in Kubernetes with Fargate (Part 2) — Hands-on
A hands-on article on deploying an application on Kubernetes with Fargate.
The Ultimate Pathway to DevOps Revamped
A practical roadmap into DevOps for engineers starting out — what to learn, in what order, and where the genuine value is vs the hype.
Deploying Vault with a Custom AMI
An end-to-end guide for baking a Vault AMI using Packer and deploying a Vault EC2 instance on AWS.
ECS Fargate Deep Dive Part 1: How Fargate Really Works
In the first part of our ECS Fargate Deep Dive, we break down what happens behind the scenes when you run a task on Fargate — Firecracker microVMs, ENIs, IAM and the hidden host fleet.
ECS Fargate Deep Dive Part 2: Firecracker in Action
In the second part of our ECS Fargate Deep Dive, we get hands-on with Firecracker — the lightweight VMM that powers Fargate — and simulate task isolation and networking locally.
Solving the AWS OIDC Chicken-and-Egg Problem with GitHub Actions
Solving the AWS OIDC Chicken-and-Egg Problem with GitHub Actions
BGP in the Cloud – A Deep Dive into AWS Direct Connect, Routing Pathologies, and What Breaks in Production
A production-focused deep dive into how BGP actually behaves over AWS Direct Connect – route selection, failover, ASN design, MEDs, prepending, blackholing scenarios, and the real-world issues teams hit at scale.
The Terraform State Chicken-and-Egg Problem – And Why Bootstrapping Is Just Physics
You can't use Terraform to create the S3 bucket that stores Terraform state. Here's how to bootstrap your remote backend properly, plus the philosophical reason this pattern exists everywhere in software.
#terraform 31 posts
AWS Control Tower Account Factory - The Gotchas Nobody Tells You
Real-world lessons from automating AWS account provisioning with Control Tower, Service Catalog, and Terraform. The silent failures, IAM traps, and StackSet timing issues that cost us days.
Building an Automated Multi-Account AWS Architecture with Control Tower and Terraform
A hands-on walkthrough of enabling AWS Control Tower, designing an OU structure, automating account provisioning via Service Catalog, and deploying security baselines - from zero to fully automated account vending in production.
Spacelift from Scratch: Automating Terraform at Scale with Spaces, Stacks, OPA Policies, and a Private Module Registry
A complete guide to setting up Spacelift for multi-team Terraform automation - from zero to production with spaces, dynamic stacks, OPA security policies in Rego, private module registry, and GitOps-driven infrastructure.
Identity Aware Proxy: Zero Trust Access for Internal Applications
Deep dive into Identity Aware Proxies - what they are, how they work, and how to implement them with GCP IAP, Pomerium, and OAuth2-Proxy. Includes Terraform and Kubernetes examples.
Implementing Vertical Autoscaling for Aurora Databases Using Lambda Functions
AWS doesn't offer vertical autoscaling for Aurora – so we built it. CloudWatch Alarms, SNS, Lambda coordination, and the gotchas we hit in production.
Terraform State Surgery - Splitting, Moving, and Refactoring Without Downtime
A practical guide to breaking up monolithic Terraform state files, moving resources between states, and refactoring infrastructure safely. Includes real examples, scripts, and the exact commands we use.
Terraform 0.11 to 1.11 Migration - The Full Journey
A detailed guide on migrating Terraform from 0.11 to 1.11, covering HCL2 syntax changes, the S3 bucket resource split, state manipulation, and ensuring zero-drift upgrades.
Running Clawdbot 24/7 on a Hetzner VPS – Terraform, Security Hardening, and the Bits the Docs Miss
A production-grade setup for Clawdbot on Hetzner Cloud with Terraform provisioning, proper SSH hardening, fail2ban, UFW, unattended-upgrades, and optional Tailscale – the stuff you actually need in prod.
7 Years of Infrastructure Decisions: What I'd Do Again and What I Regret
Every infrastructure decision I'd make again – and the ones I wouldn't – after running production workloads across fintech, open-source, IoT, and beyond.
Migrating a Java Application from EC2 to ECS Fargate: A Step-by-Step Guide
The complete journey of containerising a Java JAR running on EC2 and deploying it to ECS Fargate – from local testing to Dockerfile, task definitions, networking, secrets management, and achieving production parity.
AWS Account Provisioning at Scale with Control Tower, Service Catalog, and Terraform
How to build an automated account vending machine using AWS Control Tower Account Factory, Service Catalog, CloudFormation StackSets, and Terraform – from request to fully provisioned account with SSO and IAM roles.
AWS PrivateLink Deep Dive: Private Connectivity Patterns
Master AWS PrivateLink for private API access, cross-account connectivity, and SaaS integrations. Includes Terraform examples and multi-region patterns.
Cloud Tagging Strategies That Actually Work
Tagging is the foundation of cloud governance, cost allocation, and automation. Here's how to implement tagging consistently across your infrastructure using context modules, policies, and automation.
Backstage on AWS ECS - Production-Ready Deployment with RDS and Cognito
A comprehensive guide to deploying Spotify's Backstage developer portal on AWS ECS Fargate with PostgreSQL RDS, Cognito authentication, and proper production hardening.
Terraform Best Practices (Part 2) - Testing, CI/CD, Security, and Team Workflows
Advanced Terraform practices covering testing strategies, CI/CD pipelines, security hardening, drift detection, and team collaboration patterns for infrastructure as code at scale.
Terraform Best Practices (Part 1) - Project Structure, State, and Modules
A comprehensive guide to Terraform best practices covering project organisation, state management, module design, and foundational patterns for scalable infrastructure as code.
Migrating Event Store Data from SQL Server and Oracle to DynamoDB with AWS DMS
How we used AWS DMS with database views, partitioned replication tasks, and Terraform to migrate event sourcing data from on-prem SQL Server and Oracle to DynamoDB – the architecture, the gotchas, and production Terraform you can reuse.
AWS VPC Endpoints - Keep Your Traffic Off the Internet
How to use VPC Endpoints to access AWS services without internet gateways or NAT. Covers Gateway vs Interface endpoints, PrivateLink, endpoint policies, cost optimization, and production Terraform patterns.
Common DevOps Interview Questions Candidates Fail
The questions that separate senior engineers from those who memorised tutorials. Real interview failures, what interviewers are actually looking for, and how to answer with depth.
AWS Service Control Policies (SCPs) - Guardrails for Your Organization
How to use SCPs to set permission guardrails across your AWS Organization. Covers SCP evaluation logic, deny vs allow strategies, common patterns, and production-ready Terraform examples.
AWS Config Rules with Auto Remediation - Enforce Compliance Automatically
How to use AWS Config Rules to detect compliance violations and automatically remediate them using SSM Automation documents. Covers managed rules, custom rules, remediation actions, and complete Terraform examples.
ECS Task Sets: Blue/Green Deployments Without CodeDeploy
How to use ECS external deployment controllers and task sets for manual blue/green deployments – the setup, the CLI commands, the Terraform, and an honest assessment of when it's worth the complexity.
RDS Proxy for Lambda - Solving the Connection Exhaustion Problem
How to use Amazon RDS Proxy to handle database connections from Lambda functions at scale. Covers connection pooling, IAM authentication, Terraform setup, and the gotchas you'll hit in production.
AWS Managed Prefix Lists with Terraform - Stop Hardcoding CIDRs
How to use AWS Managed Prefix Lists to eliminate hardcoded CIDR blocks in security groups and route tables. Covers AWS-managed prefixes, customer-managed lists for data centres, and production Terraform patterns.
Building Production AMIs with Packer: CI Pipelines, Terraform Integration, and Security Best Practices
Complete guide to building immutable AMIs with Packer in production - CI/CD pipelines, Terraform ASG integration, rollback strategies, maintenance workflows, and security hardening.
Deploying Kafka on Kubernetes with Strimzi
A step-by-step guide to setting up a Kafka cluster on a local Kind cluster using the Strimzi operator, with optional Terraform provisioning.
Route 53 Deep Dive: Multi-Region Latency Routing with Health-Based Failover
A hands-on guide to configuring AWS Route 53 for latency-based routing across multiple regions, incorporating health checks for automatic failover.
How to Increase EBS Disk Size on EC2 (Without Downtime)
Online EBS volume resizing for running instances – the IaC way with Terraform and ASG instance refresh, plus the manual escape hatch when you need it now. No reboot required.
Securing APIs in AWS: Private API Gateway + VPC Endpoint Deep Dive
Learn how to deploy a secure, private-only API Gateway inside your VPC using interface endpoints, resource policies, and VPC integration.
AWS PrivateLink with Terraform
A hands-on technical guide to implementing AWS PrivateLink between VPCs using Terraform.
The Terraform State Chicken-and-Egg Problem – And Why Bootstrapping Is Just Physics
You can't use Terraform to create the S3 bucket that stores Terraform state. Here's how to bootstrap your remote backend properly, plus the philosophical reason this pattern exists everywhere in software.
#security 31 posts
Building an Automated Multi-Account AWS Architecture with Control Tower and Terraform
A hands-on walkthrough of enabling AWS Control Tower, designing an OU structure, automating account provisioning via Service Catalog, and deploying security baselines - from zero to fully automated account vending in production.
Identity Aware Proxy: Zero Trust Access for Internal Applications
Deep dive into Identity Aware Proxies - what they are, how they work, and how to implement them with GCP IAP, Pomerium, and OAuth2-Proxy. Includes Terraform and Kubernetes examples.
Running Clawdbot 24/7 on a Hetzner VPS – Terraform, Security Hardening, and the Bits the Docs Miss
A production-grade setup for Clawdbot on Hetzner Cloud with Terraform provisioning, proper SSH hardening, fail2ban, UFW, unattended-upgrades, and optional Tailscale – the stuff you actually need in prod.
Clawdbot Manual Setup – Step-by-Step VPS Configuration with WhatsApp Integration
A detailed walkthrough for setting up Clawdbot on a Hetzner VPS from scratch – SSH hardening, firewall configuration, Tailscale, and WhatsApp Business integration using a dedicated number.
GitHub Actions OIDC – Ditch the AWS Access Keys Forever
How to authenticate GitHub Actions to AWS without storing secrets. OIDC federation explained, IAM role setup, and the token claims that control access.
Kyverno vs OPA: Policy Engines Compared
Detailed comparison of Kyverno and OPA Gatekeeper for Kubernetes policy enforcement. Includes real examples, performance considerations, and migration guidance.
AWS PrivateLink Deep Dive: Private Connectivity Patterns
Master AWS PrivateLink for private API access, cross-account connectivity, and SaaS integrations. Includes Terraform examples and multi-region patterns.
Secretless Broker: Zero-Secret Applications
Remove secrets from your applications entirely with Secretless Broker. Inject database credentials, API keys, and certificates via sidecar without your app knowing they exist.
Container Image Signing with Cosign - A Practical Guide
Sign and verify container images without managing keys. A hands-on guide to Cosign, keyless signing, and enforcing signatures in Kubernetes.
OPA Gatekeeper: Policy as Code for Kubernetes
Implement admission control policies with OPA Gatekeeper. Enforce security standards, naming conventions, resource limits, and compliance requirements at the cluster level.
eBPF for Security: Kernel-Level Observability Without Agents
Deep dive into eBPF-based security tools - Cilium, Falco, and Tetragon. Learn how to implement runtime security, network policies, and threat detection at the kernel level.
SPIFFE and SPIRE: Zero Trust Workload Identity
Deep dive into SPIFFE and SPIRE for workload identity. Replace shared secrets with cryptographic identity for service-to-service authentication. Includes Kubernetes deployment and mTLS examples.
Terraform Best Practices (Part 2) - Testing, CI/CD, Security, and Team Workflows
Advanced Terraform practices covering testing strategies, CI/CD pipelines, security hardening, drift detection, and team collaboration patterns for infrastructure as code at scale.
Build a SOC Homelab with Docker - Elasticsearch, Cribl, and Log Simulation
Set up a Security Operations Center lab environment using Docker. Includes Elasticsearch, Kibana, Cribl Stream for log routing, and simulated log generators for hands-on security analysis practice.
NetworkPolicy Default Deny – The One Rule We Add to Every Namespace
Why your Kubernetes cluster is wide open by default, and the single NetworkPolicy that changes everything. Copy, paste, deploy, sleep better.
Software Supply Chain Security - Sigstore, SLSA, and Beyond
Your dependencies are an attack vector. Here's how to secure your software supply chain with Sigstore, SLSA frameworks, SBOMs, and admission policies that actually work.
Pod Security Standards Enforcement - The PSP Replacement That Actually Works
How to enforce Pod Security Standards using the built-in Pod Security Admission controller. Covers Privileged, Baseline, and Restricted profiles, migration from PSPs, namespace labeling, and exemptions.
External Secrets Operator with AWS Secrets Manager - Stop Mounting Secrets in ConfigMaps
How to use External Secrets Operator to sync AWS Secrets Manager secrets to Kubernetes. Covers SecretStore, ExternalSecret, IAM with IRSA, templating, and production patterns.
AWS VPC Endpoints - Keep Your Traffic Off the Internet
How to use VPC Endpoints to access AWS services without internet gateways or NAT. Covers Gateway vs Interface endpoints, PrivateLink, endpoint policies, cost optimization, and production Terraform patterns.
AWS Service Control Policies (SCPs) - Guardrails for Your Organization
How to use SCPs to set permission guardrails across your AWS Organization. Covers SCP evaluation logic, deny vs allow strategies, common patterns, and production-ready Terraform examples.
AWS Config Rules with Auto Remediation - Enforce Compliance Automatically
How to use AWS Config Rules to detect compliance violations and automatically remediate them using SSM Automation documents. Covers managed rules, custom rules, remediation actions, and complete Terraform examples.
Securing Your Clawdbot & Setting Up Powerful Integrations
A comprehensive guide to hardening your Clawdbot installation and integrating with Google Workspace, GitHub, and Notion – turning your AI assistant into a productivity powerhouse.
eBPF Deep Dive - Beyond Cilium
eBPF is transforming how we observe, secure, and network Linux systems. This guide covers the fundamentals, practical use cases beyond Cilium, and how to start writing your own eBPF programs.
AWS Managed Prefix Lists with Terraform - Stop Hardcoding CIDRs
How to use AWS Managed Prefix Lists to eliminate hardcoded CIDR blocks in security groups and route tables. Covers AWS-managed prefixes, customer-managed lists for data centres, and production Terraform patterns.
Building Production AMIs with Packer: CI Pipelines, Terraform Integration, and Security Best Practices
Complete guide to building immutable AMIs with Packer in production - CI/CD pipelines, Terraform ASG integration, rollback strategies, maintenance workflows, and security hardening.
Private API Gateway - Part 2: Secure Cross-VPC Access with PrivateLink and IAM Authentication
Extend your private API Gateway with secure access from other VPCs using PrivateLink and enforce IAM-based authentication.
Secure Gateways: Configuring Mutual TLS using Gateway API on GKE
In this blog, we configure mutual TLS (mTLS) using Gateway API on GKE, securing ingress traffic with client certificate validation.
Kubernetes DNS Spoofing: Exploiting NET_RAW and ARP
DNS spoofing in Kubernetes remains a critical threat, enabling attackers to redirect traffic, intercept data, or disrupt services. This article explores how such attacks occur and outlines strategies to prevent them.
mTLS with Traefik: Hands-On Setup with Step CA
A complete walkthrough of setting up mutual TLS with Traefik and Smallstep CA – from certificate generation to client authentication. Includes local DNS, ACME integration, and a working demo you can deploy.
Securing APIs in AWS: Private API Gateway + VPC Endpoint Deep Dive
Learn how to deploy a secure, private-only API Gateway inside your VPC using interface endpoints, resource policies, and VPC integration.
AWS PrivateLink with Terraform
A hands-on technical guide to implementing AWS PrivateLink between VPCs using Terraform.
#networking 25 posts
7 Years of Infrastructure Decisions: What I'd Do Again and What I Regret
Every infrastructure decision I'd make again – and the ones I wouldn't – after running production workloads across fintech, open-source, IoT, and beyond.
AWS PrivateLink Deep Dive: Private Connectivity Patterns
Master AWS PrivateLink for private API access, cross-account connectivity, and SaaS integrations. Includes Terraform examples and multi-region patterns.
Gateway API Advanced Patterns: Beyond Basic Ingress
Master Gateway API with traffic splitting, header-based routing, cross-namespace references, and TLS passthrough. The future of Kubernetes ingress.
Tailscale in Production: WireGuard Mesh for Hybrid Cloud
Deploy Tailscale for secure connectivity across clouds, offices, and Kubernetes clusters. Zero-config VPN mesh with SSO integration and ACLs.
Cilium Service Mesh: Sidecar-Free with eBPF
Deploy a service mesh without sidecars using Cilium. Get mTLS, traffic management, and observability powered by eBPF at the kernel level.
NetworkPolicy Default Deny – The One Rule We Add to Every Namespace
Why your Kubernetes cluster is wide open by default, and the single NetworkPolicy that changes everything. Copy, paste, deploy, sleep better.
The Kubernetes ndots:5 Problem – Why DNS Lookups Take 15 Seconds
A deep dive into why external DNS resolution in Kubernetes can be painfully slow, how the default ndots:5 setting causes unnecessary lookups, and practical fixes that actually work.
NAT Gateway Alternatives - Cutting Your AWS Bill Without Losing Sleep
NAT Gateways are the silent budget killer in AWS. Here's how to reduce costs with NAT instances, VPC endpoints, IPv6, and architectural changes - with real numbers and trade-offs.
EKS IP Exhaustion: Running out of IPs, one way to fix it
Running out of IP addresses in AWS EKS can be a subtle yet critical issue. It often manifests as pods stuck in a pending state or nodes failing to join the cluster, leading to deployment bottlenecks and potential downtime. Understanding the root cause and implementing effective solutions is essential for maintaining cluster health and scalability. Now, there are many ways to fix this, but this is one way.
AWS VPC Endpoints - Keep Your Traffic Off the Internet
How to use VPC Endpoints to access AWS services without internet gateways or NAT. Covers Gateway vs Interface endpoints, PrivateLink, endpoint policies, cost optimization, and production Terraform patterns.
Kubernetes Gateway API vs Ingress - When to Migrate and How
Gateway API is the successor to Ingress, bringing role-oriented design, native traffic splitting, and cross-namespace routing. This post compares both APIs, when to migrate, and practical migration patterns.
eBPF Deep Dive - Beyond Cilium
eBPF is transforming how we observe, secure, and network Linux systems. This guide covers the fundamentals, practical use cases beyond Cilium, and how to start writing your own eBPF programs.
Service Mesh Comparison - Istio vs Linkerd vs Cilium
Service meshes promise observability, security, and traffic management. But which one should you choose? A practical comparison based on running all three in production.
AWS Managed Prefix Lists with Terraform - Stop Hardcoding CIDRs
How to use AWS Managed Prefix Lists to eliminate hardcoded CIDR blocks in security groups and route tables. Covers AWS-managed prefixes, customer-managed lists for data centres, and production Terraform patterns.
DNS UDP Truncation: Why Your ECS Tasks Aren't Getting Traffic
How DNS UDP's 512-byte limit caps responses at ~8 A records, breaking service discovery for scaled ECS/CloudMap workloads – and the sidecar solution to bypass it.
Container Networking Deep Dive Part 1: Single Network Namespace on a VM
In the first part of our Container Networking Deep Dive, we explore how to set up a single network namespace inside a VM and connect it to the host using a veth pair.
Container Networking Deep Dive Part 2: Two Namespaces on the Same Host
In the second part of our Container Networking Deep Dive, we connect two network namespaces via a bridge on the same Linux host.
Deep Dive into EC2 Networking
Deep Dive into EC2 Networking: ENIs, IP Addressing and Deployment Architectures
EKS without VPC CNI: Deploying Calico with IPIP and BGP
AWS EKS defaults to the VPC CNI plugin, assigning VPC IPs to pods via ENIs. While straightforward, this setup limits pod density per node and consumes VPC IPs rapidly. To overcome these constraints, deploying Calico with IPIP or BGP offers a scalable alternative.
Private AKS Cluster with Twingate: Secure API Access Without a Public Endpoint
Running Kubernetes clusters privately is a growing best practice. In this blog, I'll walk you through deploying a private AKS cluster on Azure with no public API endpoint, and enabling secure access via Twingate VPN, which provides identity-based access without opening up your network.
Networking Tools
Networking Tools
Securing APIs in AWS: Private API Gateway + VPC Endpoint Deep Dive
Learn how to deploy a secure, private-only API Gateway inside your VPC using interface endpoints, resource policies, and VPC integration.
AWS PrivateLink with Terraform
A hands-on technical guide to implementing AWS PrivateLink between VPCs using Terraform.
Kubernetes Networking: A Deep Dive From First Principles
How packets actually flow in Kubernetes – from veth pairs to CNI plugins to kube-proxy modes. With AWS/EKS context throughout.
BGP in the Cloud – A Deep Dive into AWS Direct Connect, Routing Pathologies, and What Breaks in Production
A production-focused deep dive into how BGP actually behaves over AWS Direct Connect – route selection, failover, ASN design, MEDs, prepending, blackholing scenarios, and the real-world issues teams hit at scale.
#platform-engineering 15 posts
OpenTelemetry Changed How I Think About Observability
A practical, opinionated take on OpenTelemetry - why it matters, what it actually solves, and how to instrument across Kubernetes, Lambda, ECS, and EC2 without losing your mind.
AWS Control Tower Account Factory - The Gotchas Nobody Tells You
Real-world lessons from automating AWS account provisioning with Control Tower, Service Catalog, and Terraform. The silent failures, IAM traps, and StackSet timing issues that cost us days.
Building an Automated Multi-Account AWS Architecture with Control Tower and Terraform
A hands-on walkthrough of enabling AWS Control Tower, designing an OU structure, automating account provisioning via Service Catalog, and deploying security baselines - from zero to fully automated account vending in production.
Spacelift from Scratch: Automating Terraform at Scale with Spaces, Stacks, OPA Policies, and a Private Module Registry
A complete guide to setting up Spacelift for multi-team Terraform automation - from zero to production with spaces, dynamic stacks, OPA security policies in Rego, private module registry, and GitOps-driven infrastructure.
Platform Engineering in 2026 - It's About the Discipline, Not the Tools
Platform engineering has become the most misunderstood role in tech. Everyone's building 'platforms' but few understand what actually makes one successful. Here's what I've learned building platforms for teams of 10 to 500.
DORA Metrics Implementation - Measuring What Matters
DORA metrics are the industry standard for measuring DevOps performance. Here's how to implement them properly, avoid common pitfalls, and actually use them to improve your team's delivery.
7 Years of Infrastructure Decisions: What I'd Do Again and What I Regret
Every infrastructure decision I'd make again – and the ones I wouldn't – after running production workloads across fintech, open-source, IoT, and beyond.
MLOps for DevOps Engineers - What You Actually Need to Know
MLOps is becoming a critical skill for DevOps engineers. Here's what matters: the infrastructure patterns, tooling, and operational practices that make ML systems work in production - from someone who learned the hard way.
Port and Kratix: Internal Developer Platforms Beyond Backstage
Explore Port and Kratix for building internal developer platforms. Self-service infrastructure, developer workflows, and platform engineering patterns.
AWS Account Provisioning at Scale with Control Tower, Service Catalog, and Terraform
How to build an automated account vending machine using AWS Control Tower Account Factory, Service Catalog, CloudFormation StackSets, and Terraform – from request to fully provisioned account with SSO and IAM roles.
Backstage Plugins: Building Custom Developer Portal Features
Build custom Backstage plugins for your internal developer portal. Create frontend components, backend APIs, and integrate with your existing tools.
Crossplane Compositions: Build Your Own Cloud API
Create custom cloud APIs with Crossplane Compositions. Abstract away complexity and give developers self-service infrastructure with guardrails.
Backstage on AWS ECS - Production-Ready Deployment with RDS and Cognito
A comprehensive guide to deploying Spotify's Backstage developer portal on AWS ECS Fargate with PostgreSQL RDS, Cognito authentication, and proper production hardening.
Migrating Event Store Data from SQL Server and Oracle to DynamoDB with AWS DMS
How we used AWS DMS with database views, partitioned replication tasks, and Terraform to migrate event sourcing data from on-prem SQL Server and Oracle to DynamoDB – the architecture, the gotchas, and production Terraform you can reuse.
Building an Internal Developer Platform
A practical guide to building an IDP that developers actually want to use. Covers the build vs buy decision, Backstage implementation, and the organisational changes required for success.
#engineering-culture 13 posts
10 Rules for Negotiating Your Job Offer (From 7 Years of Engineering)
Most engineers massively undervalue themselves because no one taught them how to negotiate. Here's everything I've learned from negotiating salaries, contracts, titles, and more.
DORA Metrics Implementation - Measuring What Matters
DORA metrics are the industry standard for measuring DevOps performance. Here's how to implement them properly, avoid common pitfalls, and actually use them to improve your team's delivery.
The Real Difference Between Senior, Staff, and Principal Engineer
Everyone wants to know the difference between Senior, Staff, and Principal. After holding all three titles, I can tell you the real differences aren't what most people think. It's not about years - it's about scope.
The Principal Engineer Trap
The IC ladder looks appealing until you're at the top. Many senior engineers chase Principal titles without understanding what they're signing up for. Here's what nobody tells you.
Startup vs Scale-Up vs Enterprise: Where You'll Actually Learn the Most
After working across all three - tiny startups, hypergrowth scale-ups, and massive enterprises - I can tell you they're completely different jobs. Same title, same tech, completely different experience. Here's what each teaches you.
Blameless Culture is Harder Than You Think
Everyone claims to have a blameless culture. Few actually do. Here's what real blamelessness looks like and why it's so difficult to achieve.
Contract vs Perm: 4 Years of Both and What I'd Choose Now
I've done both. Multiple times. Here's the real trade-offs nobody talks about - the money, the time off problem, the boredom factor, and why your life situation matters more than you think.
Remote Work Won
The RTO push isn't about productivity. The data is clear: remote work works. What's really happening is a fight over control, real estate, and management inability to adapt.
Why Senior Engineers Should Write Docs
Documentation is often treated as junior work. That's backwards. The most impactful documentation comes from senior engineers, and writing it is a force multiplier for your expertise.
The 10x Engineer is a Myth
The idea of the 10x engineer has done more harm than good. What actually matters is team multipliers - engineers who make everyone around them better.
The Meeting That Should Have Been a Doc
Most meetings are information broadcasts disguised as collaboration. Learn when to meet, when to write, and how to save everyone's time.
Stop Chasing Certifications
Certifications have become a checkbox exercise. They don't prove competence, and they often distract from what actually matters: building things and solving real problems.
Standups Are Broken
Daily standups were meant to improve communication. Instead, they've become status meetings that waste time and interrupt deep work. There's a better way.
#career 11 posts
10 Rules for Negotiating Your Job Offer (From 7 Years of Engineering)
Most engineers massively undervalue themselves because no one taught them how to negotiate. Here's everything I've learned from negotiating salaries, contracts, titles, and more.
That Time I Gave Away £50k Worth of Consulting for Free (And What It Taught Me About the Industry)
On interview take-home tests that are suspiciously specific, contractors who get ghosted after detailed proposals, and learning to play the game without becoming bitter about it.
The Real Difference Between Senior, Staff, and Principal Engineer
Everyone wants to know the difference between Senior, Staff, and Principal. After holding all three titles, I can tell you the real differences aren't what most people think. It's not about years - it's about scope.
The Principal Engineer Trap
The IC ladder looks appealing until you're at the top. Many senior engineers chase Principal titles without understanding what they're signing up for. Here's what nobody tells you.
Startup vs Scale-Up vs Enterprise: Where You'll Actually Learn the Most
After working across all three - tiny startups, hypergrowth scale-ups, and massive enterprises - I can tell you they're completely different jobs. Same title, same tech, completely different experience. Here's what each teaches you.
Contract vs Perm: 4 Years of Both and What I'd Choose Now
I've done both. Multiple times. Here's the real trade-offs nobody talks about - the money, the time off problem, the boredom factor, and why your life situation matters more than you think.
Remote Work Won
The RTO push isn't about productivity. The data is clear: remote work works. What's really happening is a fight over control, real estate, and management inability to adapt.
Why Senior Engineers Should Write Docs
Documentation is often treated as junior work. That's backwards. The most impactful documentation comes from senior engineers, and writing it is a force multiplier for your expertise.
The 10x Engineer is a Myth
The idea of the 10x engineer has done more harm than good. What actually matters is team multipliers - engineers who make everyone around them better.
Common DevOps Interview Questions Candidates Fail
The questions that separate senior engineers from those who memorised tutorials. Real interview failures, what interviewers are actually looking for, and how to answer with depth.
Stop Chasing Certifications
Certifications have become a checkbox exercise. They don't prove competence, and they often distract from what actually matters: building things and solving real problems.
#containers 11 posts
Migrating a Java Application from EC2 to ECS Fargate: A Step-by-Step Guide
The complete journey of containerising a Java JAR running on EC2 and deploying it to ECS Fargate – from local testing to Dockerfile, task definitions, networking, secrets management, and achieving production parity.
Container Image Signing with Cosign - A Practical Guide
Sign and verify container images without managing keys. A hands-on guide to Cosign, keyless signing, and enforcing signatures in Kubernetes.
K3s Homelab Setup Guide - Running Kubernetes on Raspberry Pi 5
Build a lightweight Kubernetes cluster on three Raspberry Pi 5 devices. Step-by-step guide covering K3s installation, cluster configuration, and deployment testing.
Serverless Container Framework - Deploy Containers to Lambda and Fargate with Ease
Deploy containerised applications to AWS Lambda or Fargate with a simple YAML config. No infrastructure code required - just define your containers and deploy.
Ephemeral Containers for Production Debugging
Debug distroless and minimal containers in production without redeploying. Ephemeral containers let you attach debugging tools to running pods - here's how to use them effectively.
Kubernetes Sidecar Startup Order - Making Your Main App Wait
How to ensure sidecar containers are ready before your main app starts. Covers startupProbe, postStart hooks, and why readinessProbe doesn't do what you think.
Container Networking Deep Dive Part 1: Single Network Namespace on a VM
In the first part of our Container Networking Deep Dive, we explore how to set up a single network namespace inside a VM and connect it to the host using a veth pair.
Container Networking Deep Dive Part 2: Two Namespaces on the Same Host
In the second part of our Container Networking Deep Dive, we connect two network namespaces via a bridge on the same Linux host.
ECS Fargate Deep Dive Part 1: How Fargate Really Works
In the first part of our ECS Fargate Deep Dive, we break down what happens behind the scenes when you run a task on Fargate — Firecracker microVMs, ENIs, IAM and the hidden host fleet.
ECS Fargate Deep Dive Part 2: Firecracker in Action
In the second part of our ECS Fargate Deep Dive, we get hands-on with Firecracker — the lightweight VMM that powers Fargate — and simulate task isolation and networking locally.
The ever-changing landscape of modern applications
A look at the ever-changing landscape of modern applications
#eks 10 posts
Cloud Unit Economics for Multi-Tenant SaaS - Cost Per Customer, Not Per Service
How to calculate true cost-per-tenant in a shared infrastructure environment. Covers EKS with Karpenter, shared databases (Aurora, DynamoDB), and tools like OpenCost, CloudZero, and custom attribution approaches.
Spot Instance Patterns: Graceful Handling and Cost Savings
Master AWS Spot Instances in production. Handle interruptions gracefully, use mixed instance groups, and save 60-90% on compute costs.
Karpenter Deep Dive: Node Provisioning That Actually Works
Master Karpenter for Kubernetes node autoscaling. Replace Cluster Autoscaler with faster, smarter provisioning. Includes cost optimization patterns.
EKS IP Exhaustion: Running out of IPs, one way to fix it
Running out of IP addresses in AWS EKS can be a subtle yet critical issue. It often manifests as pods stuck in a pending state or nodes failing to join the cluster, leading to deployment bottlenecks and potential downtime. Understanding the root cause and implementing effective solutions is essential for maintaining cluster health and scalability. Now, there are many ways to fix this, but this is one way.
Kubernetes Cluster Upgrades: Production-Ready Guide
Technical guide for upgrading managed Kubernetes clusters across GKE, EKS, and AKS
Lessons From 5 Years of Kubernetes in Production – Cluster Crashes, Ditching Self-Managed, Cost Cuts, and the Tooling That Actually Works
Two major cluster crashes, migrating from kops to EKS, slashing compute costs with Karpenter, and the observability stack we rebuilt three times.
EKS Private Network with Twingate
How to setup a private network for your EKS cluster with Twingate
EKS without VPC CNI: Deploying Calico with IPIP and BGP
AWS EKS defaults to the VPC CNI plugin, assigning VPC IPs to pods via ENIs. While straightforward, this setup limits pod density per node and consumes VPC IPs rapidly. To overcome these constraints, deploying Calico with IPIP or BGP offers a scalable alternative.
Kubernetes Networking: A Deep Dive From First Principles
How packets actually flow in Kubernetes – from veth pairs to CNI plugins to kube-proxy modes. With AWS/EKS context throughout.
Serverless containers in Kubernetes with Fargate (Part 2) — Hands-on
A hands-on article on deploying an application on Kubernetes with Fargate.
#observability 10 posts
OpenTelemetry Changed How I Think About Observability
A practical, opinionated take on OpenTelemetry - why it matters, what it actually solves, and how to instrument across Kubernetes, Lambda, ECS, and EC2 without losing your mind.
ELK Stack Migration: From 6.x to 8.x - The Complete Guide
A comprehensive guide to migrating your Elasticsearch, Logstash, and Kibana stack from version 6.x to 8.x. Covers breaking changes, migration strategies, index compatibility, and zero-downtime approaches.
Elastic Cloud Setup Guide - From Zero to Production
A comprehensive guide to setting up Elastic Cloud (Elasticsearch Service), including deployment configuration, security setup, index lifecycle management, integrations, and cost optimization.
FinOps Automation: Kubecost, OpenCost, and Automated Rightsizing
Implement automated cloud cost optimization with Kubecost and OpenCost. Track costs per team, rightsize resources, and automate savings.
SLO-Based Alerting: Burn Rate Alerts vs Threshold Alerts
Implement SLO-based alerting with burn rate alerts. Move from noisy threshold alerts to meaningful reliability signals using error budgets.
OpenTelemetry Collector Pipelines: Transform, Filter, Route Telemetry
Master OpenTelemetry Collector configuration. Build pipelines to transform metrics, filter traces, route logs, and reduce telemetry costs.
OpenTelemetry from Scratch
OpenTelemetry unifies traces, metrics, and logs under one standard. This guide covers how to instrument your applications, set up collectors, and actually make sense of the data.
Lessons From 5 Years of Kubernetes in Production – Cluster Crashes, Ditching Self-Managed, Cost Cuts, and the Tooling That Actually Works
Two major cluster crashes, migrating from kops to EKS, slashing compute costs with Karpenter, and the observability stack we rebuilt three times.
eBPF Deep Dive - Beyond Cilium
eBPF is transforming how we observe, secure, and network Linux systems. This guide covers the fundamentals, practical use cases beyond Cilium, and how to start writing your own eBPF programs.
Managing Dynatrace Alerts at Scale with Custom Ansible Roles
How we automated Dynatrace alerting configuration using custom Ansible roles - covering alert profiles, problem notifications, metric events, and maintenance windows across multiple environments.
#docker 8 posts
Migrating a Java Application from EC2 to ECS Fargate: A Step-by-Step Guide
The complete journey of containerising a Java JAR running on EC2 and deploying it to ECS Fargate – from local testing to Dockerfile, task definitions, networking, secrets management, and achieving production parity.
LocalStack Deep Dive - AWS on Your Laptop
Run AWS services locally for faster development and testing. A practical guide to LocalStack covering S3, Lambda, DynamoDB, SQS, and integration testing patterns.
Backstage on AWS ECS - Production-Ready Deployment with RDS and Cognito
A comprehensive guide to deploying Spotify's Backstage developer portal on AWS ECS Fargate with PostgreSQL RDS, Cognito authentication, and proper production hardening.
Build an ETL Pipeline with Python, PostgreSQL, and Airflow
A practical guide to building an ETL pipeline that extracts weather data from OpenWeatherMap, transforms it with pandas, and loads it into PostgreSQL. Includes Airflow orchestration with email notifications.
Build a SOC Homelab with Docker - Elasticsearch, Cribl, and Log Simulation
Set up a Security Operations Center lab environment using Docker. Includes Elasticsearch, Kibana, Cribl Stream for log routing, and simulated log generators for hands-on security analysis practice.
Serverless Container Framework - Deploy Containers to Lambda and Fargate with Ease
Deploy containerised applications to AWS Lambda or Fargate with a simple YAML config. No infrastructure code required - just define your containers and deploy.
Creating a Lab Container
An end-to-end guide for creating a lab container for DevOps training.
The ever-changing landscape of modern applications
A look at the ever-changing landscape of modern applications
#vpc 7 posts
AWS PrivateLink Deep Dive: Private Connectivity Patterns
Master AWS PrivateLink for private API access, cross-account connectivity, and SaaS integrations. Includes Terraform examples and multi-region patterns.
NAT Gateway Alternatives - Cutting Your AWS Bill Without Losing Sleep
NAT Gateways are the silent budget killer in AWS. Here's how to reduce costs with NAT instances, VPC endpoints, IPv6, and architectural changes - with real numbers and trade-offs.
AWS VPC Endpoints - Keep Your Traffic Off the Internet
How to use VPC Endpoints to access AWS services without internet gateways or NAT. Covers Gateway vs Interface endpoints, PrivateLink, endpoint policies, cost optimization, and production Terraform patterns.
AWS Managed Prefix Lists with Terraform - Stop Hardcoding CIDRs
How to use AWS Managed Prefix Lists to eliminate hardcoded CIDR blocks in security groups and route tables. Covers AWS-managed prefixes, customer-managed lists for data centres, and production Terraform patterns.
Private API Gateway - Part 2: Secure Cross-VPC Access with PrivateLink and IAM Authentication
Extend your private API Gateway with secure access from other VPCs using PrivateLink and enforce IAM-based authentication.
Securing APIs in AWS: Private API Gateway + VPC Endpoint Deep Dive
Learn how to deploy a secure, private-only API Gateway inside your VPC using interface endpoints, resource policies, and VPC integration.
AWS PrivateLink with Terraform
A hands-on technical guide to implementing AWS PrivateLink between VPCs using Terraform.
#ecs 7 posts
7 Years of Infrastructure Decisions: What I'd Do Again and What I Regret
Every infrastructure decision I'd make again – and the ones I wouldn't – after running production workloads across fintech, open-source, IoT, and beyond.
Migrating a Java Application from EC2 to ECS Fargate: A Step-by-Step Guide
The complete journey of containerising a Java JAR running on EC2 and deploying it to ECS Fargate – from local testing to Dockerfile, task definitions, networking, secrets management, and achieving production parity.
Backstage on AWS ECS - Production-Ready Deployment with RDS and Cognito
A comprehensive guide to deploying Spotify's Backstage developer portal on AWS ECS Fargate with PostgreSQL RDS, Cognito authentication, and proper production hardening.
ECS Task Sets: Blue/Green Deployments Without CodeDeploy
How to use ECS external deployment controllers and task sets for manual blue/green deployments – the setup, the CLI commands, the Terraform, and an honest assessment of when it's worth the complexity.
DNS UDP Truncation: Why Your ECS Tasks Aren't Getting Traffic
How DNS UDP's 512-byte limit caps responses at ~8 A records, breaking service discovery for scaled ECS/CloudMap workloads – and the sidecar solution to bypass it.
ECS Fargate Deep Dive Part 1: How Fargate Really Works
In the first part of our ECS Fargate Deep Dive, we break down what happens behind the scenes when you run a task on Fargate — Firecracker microVMs, ENIs, IAM and the hidden host fleet.
ECS Fargate Deep Dive Part 2: Firecracker in Action
In the second part of our ECS Fargate Deep Dive, we get hands-on with Firecracker — the lightweight VMM that powers Fargate — and simulate task isolation and networking locally.
#migration 7 posts
Migrating ClickHouse From EC2 to ClickHouse Cloud - Every Approach We Tried and Why Most Failed
S3 backup/restore, direct connectivity, Parquet exports - none of them worked cleanly. Here's the full war story of migrating a production ClickHouse instance to Cloud, the version mismatch that broke everything, and the dumb-simple approach that actually got the job done.
ELK Stack Migration: From 6.x to 8.x - The Complete Guide
A comprehensive guide to migrating your Elasticsearch, Logstash, and Kibana stack from version 6.x to 8.x. Covers breaking changes, migration strategies, index compatibility, and zero-downtime approaches.
Terraform State Surgery - Splitting, Moving, and Refactoring Without Downtime
A practical guide to breaking up monolithic Terraform state files, moving resources between states, and refactoring infrastructure safely. Includes real examples, scripts, and the exact commands we use.
Terraform 0.11 to 1.11 Migration - The Full Journey
A detailed guide on migrating Terraform from 0.11 to 1.11, covering HCL2 syntax changes, the S3 bucket resource split, state manipulation, and ensuring zero-drift upgrades.
Migrating a Java Application from EC2 to ECS Fargate: A Step-by-Step Guide
The complete journey of containerising a Java JAR running on EC2 and deploying it to ECS Fargate – from local testing to Dockerfile, task definitions, networking, secrets management, and achieving production parity.
Migrating 30 Repos from Jenkins to GitHub Actions – The Complete Runbook
A battle-tested playbook for migrating CI/CD pipelines from Jenkins to GitHub Actions at scale. Covers OIDC authentication, parallel running, secrets migration, and the gotchas that will bite you.
Migrating Event Store Data from SQL Server and Oracle to DynamoDB with AWS DMS
How we used AWS DMS with database views, partitioned replication tasks, and Terraform to migrate event sourcing data from on-prem SQL Server and Oracle to DynamoDB – the architecture, the gotchas, and production Terraform you can reuse.
#leadership 6 posts
The Real Difference Between Senior, Staff, and Principal Engineer
Everyone wants to know the difference between Senior, Staff, and Principal. After holding all three titles, I can tell you the real differences aren't what most people think. It's not about years - it's about scope.
The Principal Engineer Trap
The IC ladder looks appealing until you're at the top. Many senior engineers chase Principal titles without understanding what they're signing up for. Here's what nobody tells you.
Startup vs Scale-Up vs Enterprise: Where You'll Actually Learn the Most
After working across all three - tiny startups, hypergrowth scale-ups, and massive enterprises - I can tell you they're completely different jobs. Same title, same tech, completely different experience. Here's what each teaches you.
Blameless Culture is Harder Than You Think
Everyone claims to have a blameless culture. Few actually do. Here's what real blamelessness looks like and why it's so difficult to achieve.
Why Senior Engineers Should Write Docs
Documentation is often treated as junior work. That's backwards. The most impactful documentation comes from senior engineers, and writing it is a force multiplier for your expertise.
The 10x Engineer is a Myth
The idea of the 10x engineer has done more harm than good. What actually matters is team multipliers - engineers who make everyone around them better.
#finops 6 posts
Cloud Unit Economics for Multi-Tenant SaaS - Cost Per Customer, Not Per Service
How to calculate true cost-per-tenant in a shared infrastructure environment. Covers EKS with Karpenter, shared databases (Aurora, DynamoDB), and tools like OpenCost, CloudZero, and custom attribution approaches.
FinOps Automation: Kubecost, OpenCost, and Automated Rightsizing
Implement automated cloud cost optimization with Kubecost and OpenCost. Track costs per team, rightsize resources, and automate savings.
Cloud Tagging Strategies That Actually Work
Tagging is the foundation of cloud governance, cost allocation, and automation. Here's how to implement tagging consistently across your infrastructure using context modules, policies, and automation.
FinOps for Engineering Teams - Making Cost Everyone's Problem
Cloud cost management isn't just for finance. Here's how engineering teams can build cost awareness into their workflow without slowing down delivery.
NAT Gateway Alternatives - Cutting Your AWS Bill Without Losing Sleep
NAT Gateways are the silent budget killer in AWS. Here's how to reduce costs with NAT instances, VPC endpoints, IPv6, and architectural changes - with real numbers and trade-offs.
Right-Sizing Kubernetes Workloads - Stop Burning Money
Most Kubernetes clusters waste 50-70% of their resources. Here's how to measure what you're actually using, fix the worst offenders, and automate the process - without breaking production.
#gitops 6 posts
Building a Production-Grade Homelab with K3s, Vault, and FluxCD
How I built a fully GitOps-managed Kubernetes homelab on a single mini PC - from unboxing to production. Proxmox bare metal install, K3s cluster, HashiCorp Vault secrets, full observability, and Cloudflare Tunnel.
Spacelift from Scratch: Automating Terraform at Scale with Spaces, Stacks, OPA Policies, and a Private Module Registry
A complete guide to setting up Spacelift for multi-team Terraform automation - from zero to production with spaces, dynamic stacks, OPA security policies in Rego, private module registry, and GitOps-driven infrastructure.
Progressive Delivery with Flagger: Automated Canary Deployments
Implement automated canary deployments with Flagger. Metrics-based promotion, automated rollback, and integration with Istio, Linkerd, and Gateway API.
Crossplane Compositions: Build Your Own Cloud API
Create custom cloud APIs with Crossplane Compositions. Abstract away complexity and give developers self-service infrastructure with guardrails.
External Secrets Operator with AWS Secrets Manager - Stop Mounting Secrets in ConfigMaps
How to use External Secrets Operator to sync AWS Secrets Manager secrets to Kubernetes. Covers SecretStore, ExternalSecret, IAM with IRSA, templating, and production patterns.
GitOps with ArgoCD - A Practical Setup Guide
A hands-on guide to implementing GitOps with ArgoCD. Covers installation, application management, sync strategies, secrets handling, and the patterns that actually work in production.
#cicd 6 posts
DORA Metrics Implementation - Measuring What Matters
DORA metrics are the industry standard for measuring DevOps performance. Here's how to implement them properly, avoid common pitfalls, and actually use them to improve your team's delivery.
GitHub Actions OIDC – Ditch the AWS Access Keys Forever
How to authenticate GitHub Actions to AWS without storing secrets. OIDC federation explained, IAM role setup, and the token claims that control access.
Migrating 30 Repos from Jenkins to GitHub Actions – The Complete Runbook
A battle-tested playbook for migrating CI/CD pipelines from Jenkins to GitHub Actions at scale. Covers OIDC authentication, parallel running, secrets migration, and the gotchas that will bite you.
Terraform Best Practices (Part 2) - Testing, CI/CD, Security, and Team Workflows
Advanced Terraform practices covering testing strategies, CI/CD pipelines, security hardening, drift detection, and team collaboration patterns for infrastructure as code at scale.
GitOps with ArgoCD - A Practical Setup Guide
A hands-on guide to implementing GitOps with ArgoCD. Covers installation, application management, sync strategies, secrets handling, and the patterns that actually work in production.
Helm Atomics: The Flag That Saves Your Production Deploys (And Its Hidden Gotchas)
Deep dive into Helm's --atomic, --wait, and --cleanup-on-fail flags. How they work, when to use them, the CI/CD pipeline trap that catches everyone, and production-ready deployment patterns.
#iac 6 posts
Spacelift from Scratch: Automating Terraform at Scale with Spaces, Stacks, OPA Policies, and a Private Module Registry
A complete guide to setting up Spacelift for multi-team Terraform automation - from zero to production with spaces, dynamic stacks, OPA security policies in Rego, private module registry, and GitOps-driven infrastructure.
Terraform State Surgery - Splitting, Moving, and Refactoring Without Downtime
A practical guide to breaking up monolithic Terraform state files, moving resources between states, and refactoring infrastructure safely. Includes real examples, scripts, and the exact commands we use.
Terraform 0.11 to 1.11 Migration - The Full Journey
A detailed guide on migrating Terraform from 0.11 to 1.11, covering HCL2 syntax changes, the S3 bucket resource split, state manipulation, and ensuring zero-drift upgrades.
Terraform Best Practices (Part 2) - Testing, CI/CD, Security, and Team Workflows
Advanced Terraform practices covering testing strategies, CI/CD pipelines, security hardening, drift detection, and team collaboration patterns for infrastructure as code at scale.
Terraform Best Practices (Part 1) - Project Structure, State, and Modules
A comprehensive guide to Terraform best practices covering project organisation, state management, module design, and foundational patterns for scalable infrastructure as code.
Managing Dynatrace Alerts at Scale with Custom Ansible Roles
How we automated Dynatrace alerting configuration using custom Ansible roles - covering alert profiles, problem notifications, metric events, and maintenance windows across multiple environments.
#fargate 6 posts
Migrating a Java Application from EC2 to ECS Fargate: A Step-by-Step Guide
The complete journey of containerising a Java JAR running on EC2 and deploying it to ECS Fargate – from local testing to Dockerfile, task definitions, networking, secrets management, and achieving production parity.
Serverless Container Framework - Deploy Containers to Lambda and Fargate with Ease
Deploy containerised applications to AWS Lambda or Fargate with a simple YAML config. No infrastructure code required - just define your containers and deploy.
ECS Task Sets: Blue/Green Deployments Without CodeDeploy
How to use ECS external deployment controllers and task sets for manual blue/green deployments – the setup, the CLI commands, the Terraform, and an honest assessment of when it's worth the complexity.
Serverless containers in Kubernetes with Fargate (Part 2) — Hands-on
A hands-on article on deploying an application on Kubernetes with Fargate.
ECS Fargate Deep Dive Part 1: How Fargate Really Works
In the first part of our ECS Fargate Deep Dive, we break down what happens behind the scenes when you run a task on Fargate — Firecracker microVMs, ENIs, IAM and the hidden host fleet.
ECS Fargate Deep Dive Part 2: Firecracker in Action
In the second part of our ECS Fargate Deep Dive, we get hands-on with Firecracker — the lightweight VMM that powers Fargate — and simulate task isolation and networking locally.
#cost-optimization 6 posts
FinOps Automation: Kubecost, OpenCost, and Automated Rightsizing
Implement automated cloud cost optimization with Kubecost and OpenCost. Track costs per team, rightsize resources, and automate savings.
Spot Instance Patterns: Graceful Handling and Cost Savings
Master AWS Spot Instances in production. Handle interruptions gracefully, use mixed instance groups, and save 60-90% on compute costs.
Karpenter Deep Dive: Node Provisioning That Actually Works
Master Karpenter for Kubernetes node autoscaling. Replace Cluster Autoscaler with faster, smarter provisioning. Includes cost optimization patterns.
FinOps for Engineering Teams - Making Cost Everyone's Problem
Cloud cost management isn't just for finance. Here's how engineering teams can build cost awareness into their workflow without slowing down delivery.
NAT Gateway Alternatives - Cutting Your AWS Bill Without Losing Sleep
NAT Gateways are the silent budget killer in AWS. Here's how to reduce costs with NAT instances, VPC endpoints, IPv6, and architectural changes - with real numbers and trade-offs.
Right-Sizing Kubernetes Workloads - Stop Burning Money
Most Kubernetes clusters waste 50-70% of their resources. Here's how to measure what you're actually using, fix the worst offenders, and automate the process - without breaking production.
#production 5 posts
Migrating ClickHouse From EC2 to ClickHouse Cloud - Every Approach We Tried and Why Most Failed
S3 backup/restore, direct connectivity, Parquet exports - none of them worked cleanly. Here's the full war story of migrating a production ClickHouse instance to Cloud, the version mismatch that broke everything, and the dumb-simple approach that actually got the job done.
Ephemeral Containers for Production Debugging
Debug distroless and minimal containers in production without redeploying. Ephemeral containers let you attach debugging tools to running pods - here's how to use them effectively.
Lessons From 5 Years of Kubernetes in Production – Cluster Crashes, Ditching Self-Managed, Cost Cuts, and the Tooling That Actually Works
Two major cluster crashes, migrating from kops to EKS, slashing compute costs with Karpenter, and the observability stack we rebuilt three times.
Production War Stories: The NGINX Log Rotation That Caused a P1
How a 'safe' AMI upgrade led to traffic drops, zombie log files, and disk exhaustion – and the debugging journey that followed. A real incident from on-call, with technical details and lessons learned.
BGP in the Cloud – A Deep Dive into AWS Direct Connect, Routing Pathologies, and What Breaks in Production
A production-focused deep dive into how BGP actually behaves over AWS Direct Connect – route selection, failover, ASN design, MEDs, prepending, blackholing scenarios, and the real-world issues teams hit at scale.
#infrastructure 5 posts
7 Years of Infrastructure Decisions: What I'd Do Again and What I Regret
Every infrastructure decision I'd make again – and the ones I wouldn't – after running production workloads across fintech, open-source, IoT, and beyond.
MLOps for DevOps Engineers - What You Actually Need to Know
MLOps is becoming a critical skill for DevOps engineers. Here's what matters: the infrastructure patterns, tooling, and operational practices that make ML systems work in production - from someone who learned the hard way.
Crossplane Compositions: Build Your Own Cloud API
Create custom cloud APIs with Crossplane Compositions. Abstract away complexity and give developers self-service infrastructure with guardrails.
Your Startup Doesn't Need Kubernetes
Kubernetes is an incredible technology that solves real problems. But for most startups, it's the wrong tool. Here's how to know when you're ready - and what to use instead.
The Terraform State Chicken-and-Egg Problem – And Why Bootstrapping Is Just Physics
You can't use Terraform to create the S3 bucket that stores Terraform state. Here's how to bootstrap your remote backend properly, plus the philosophical reason this pattern exists everywhere in software.
#automation 5 posts
Running Clawdbot 24/7 on a Hetzner VPS – Terraform, Security Hardening, and the Bits the Docs Miss
A production-grade setup for Clawdbot on Hetzner Cloud with Terraform provisioning, proper SSH hardening, fail2ban, UFW, unattended-upgrades, and optional Tailscale – the stuff you actually need in prod.
Test GitHub Actions Locally with Act
Stop pushing to test your workflows. Act lets you run GitHub Actions locally with instant feedback. Here's how to set it up and use it effectively.
AWS Config Rules with Auto Remediation - Enforce Compliance Automatically
How to use AWS Config Rules to detect compliance violations and automatically remediate them using SSM Automation documents. Covers managed rules, custom rules, remediation actions, and complete Terraform examples.
GitOps with ArgoCD - A Practical Setup Guide
A hands-on guide to implementing GitOps with ArgoCD. Covers installation, application management, sync strategies, secrets handling, and the patterns that actually work in production.
Managing Dynatrace Alerts at Scale with Custom Ansible Roles
How we automated Dynatrace alerting configuration using custom Ansible roles - covering alert profiles, problem notifications, metric events, and maintenance windows across multiple environments.
#github-actions 5 posts
GitHub Actions OIDC – Ditch the AWS Access Keys Forever
How to authenticate GitHub Actions to AWS without storing secrets. OIDC federation explained, IAM role setup, and the token claims that control access.
Test GitHub Actions Locally with Act
Stop pushing to test your workflows. Act lets you run GitHub Actions locally with instant feedback. Here's how to set it up and use it effectively.
Migrating 30 Repos from Jenkins to GitHub Actions – The Complete Runbook
A battle-tested playbook for migrating CI/CD pipelines from Jenkins to GitHub Actions at scale. Covers OIDC authentication, parallel running, secrets migration, and the gotchas that will bite you.
Building a Custom GitHub Action for Traefik Traffic Weighting
How I built a GitHub Action to manage blue/green and canary deployments by dynamically updating Traefik weighted services – with SigV4 authentication, YAML configuration, and a generator API.
Zero to Production: GitHub Actions CI/CD into GKE with Workload Identity
In this deep dive, we set up a secure, production-ready CI/CD pipeline from GitHub Actions to GKE using Workload Identity Federation—no secrets needed.
#sre 5 posts
SLO-Based Alerting: Burn Rate Alerts vs Threshold Alerts
Implement SLO-based alerting with burn rate alerts. Move from noisy threshold alerts to meaningful reliability signals using error budgets.
Chaos Engineering with Litmus: Controlled Failure Injection
Implement chaos engineering in Kubernetes with LitmusChaos. Run pod failures, network chaos, and stress tests to validate system resilience.
SRE for Small Teams
You don't need Google's budget to practice SRE. Here's how to implement Site Reliability Engineering principles with a small team and limited resources.
Common DevOps Interview Questions Candidates Fail
The questions that separate senior engineers from those who memorised tutorials. Real interview failures, what interviewers are actually looking for, and how to answer with depth.
Incident Management That Actually Works
Most incident processes are theatre. Here's how to build incident management that reduces downtime, prevents recurrence, and doesn't burn out your team.
#cilium 5 posts
Cilium Service Mesh: Sidecar-Free with eBPF
Deploy a service mesh without sidecars using Cilium. Get mTLS, traffic management, and observability powered by eBPF at the kernel level.
eBPF for Security: Kernel-Level Observability Without Agents
Deep dive into eBPF-based security tools - Cilium, Falco, and Tetragon. Learn how to implement runtime security, network policies, and threat detection at the kernel level.
Service Mesh Comparison - Istio vs Linkerd vs Cilium
Service meshes promise observability, security, and traffic management. But which one should you choose? A practical comparison based on running all three in production.
Cilium in Kubernetes
Hands-on with Cilium CNI on a local kind cluster — installation, eBPF datapath verification, network policies and Hubble observability.
Kubernetes Networking: A Deep Dive From First Principles
How packets actually flow in Kubernetes – from veth pairs to CNI plugins to kube-proxy modes. With AWS/EKS context throughout.
#linux 5 posts
Debugging JVM Thread Exhaustion on EC2: A Contractor War Story
How I diagnosed and fixed a Java application that kept crashing under load – from 'cannot create native thread' errors to properly tuned JVM settings, system limits, and right-sized EC2 instances.
eBPF Deep Dive - Beyond Cilium
eBPF is transforming how we observe, secure, and network Linux systems. This guide covers the fundamentals, practical use cases beyond Cilium, and how to start writing your own eBPF programs.
Production War Stories: The NGINX Log Rotation That Caused a P1
How a 'safe' AMI upgrade led to traffic drops, zombie log files, and disk exhaustion – and the debugging journey that followed. A real incident from on-call, with technical details and lessons learned.
Container Networking Deep Dive Part 1: Single Network Namespace on a VM
In the first part of our Container Networking Deep Dive, we explore how to set up a single network namespace inside a VM and connect it to the host using a veth pair.
Container Networking Deep Dive Part 2: Two Namespaces on the Same Host
In the second part of our Container Networking Deep Dive, we connect two network namespaces via a bridge on the same Linux host.
#dns 5 posts
The Kubernetes ndots:5 Problem – Why DNS Lookups Take 15 Seconds
A deep dive into why external DNS resolution in Kubernetes can be painfully slow, how the default ndots:5 setting causes unnecessary lookups, and practical fixes that actually work.
DNS UDP Truncation: Why Your ECS Tasks Aren't Getting Traffic
How DNS UDP's 512-byte limit caps responses at ~8 A records, breaking service discovery for scaled ECS/CloudMap workloads – and the sidecar solution to bypass it.
Using GKE DNS-based endpoints for Secure cluster access
Use GKE's DNS-based control plane endpoint to reach a private cluster without bastions or VPNs. IAM-gated kubectl access via Cloud DNS, fully private.
Route 53 Deep Dive: Multi-Region Latency Routing with Health-Based Failover
A hands-on guide to configuring AWS Route 53 for latency-based routing across multiple regions, incorporating health checks for automatic failover.
Kubernetes DNS Spoofing: Exploiting NET_RAW and ARP
DNS spoofing in Kubernetes remains a critical threat, enabling attackers to redirect traffic, intercept data, or disrupt services. This article explores how such attacks occur and outlines strategies to prevent them.
#gke 5 posts
Kubernetes Cluster Upgrades: Production-Ready Guide
Technical guide for upgrading managed Kubernetes clusters across GKE, EKS, and AKS
GKE Upgrade Guide and Rollback Strategy: A Production-Ready Approach
Comprehensive guide for safely upgrading GKE clusters with minimal downtime and robust rollback procedures
Using GKE DNS-based endpoints for Secure cluster access
Use GKE's DNS-based control plane endpoint to reach a private cluster without bastions or VPNs. IAM-gated kubectl access via Cloud DNS, fully private.
Secure Gateways: Configuring Mutual TLS using Gateway API on GKE
In this blog, we configure mutual TLS (mTLS) using Gateway API on GKE, securing ingress traffic with client certificate validation.
Zero to Production: GitHub Actions CI/CD into GKE with Workload Identity
In this deep dive, we set up a secure, production-ready CI/CD pipeline from GitHub Actions to GKE using Workload Identity Federation—no secrets needed.
#zero-trust 5 posts
Identity Aware Proxy: Zero Trust Access for Internal Applications
Deep dive into Identity Aware Proxies - what they are, how they work, and how to implement them with GCP IAP, Pomerium, and OAuth2-Proxy. Includes Terraform and Kubernetes examples.
Tailscale in Production: WireGuard Mesh for Hybrid Cloud
Deploy Tailscale for secure connectivity across clouds, offices, and Kubernetes clusters. Zero-config VPN mesh with SSO integration and ACLs.
Secretless Broker: Zero-Secret Applications
Remove secrets from your applications entirely with Secretless Broker. Inject database credentials, API keys, and certificates via sidecar without your app knowing they exist.
SPIFFE and SPIRE: Zero Trust Workload Identity
Deep dive into SPIFFE and SPIRE for workload identity. Replace shared secrets with cryptographic identity for service-to-service authentication. Includes Kubernetes deployment and mTLS examples.
NetworkPolicy Default Deny – The One Rule We Add to Every Namespace
Why your Kubernetes cluster is wide open by default, and the single NetworkPolicy that changes everything. Copy, paste, deploy, sleep better.
#productivity 4 posts
Remote Work Won
The RTO push isn't about productivity. The data is clear: remote work works. What's really happening is a fight over control, real estate, and management inability to adapt.
The 10x Engineer is a Myth
The idea of the 10x engineer has done more harm than good. What actually matters is team multipliers - engineers who make everyone around them better.
The Meeting That Should Have Been a Doc
Most meetings are information broadcasts disguised as collaboration. Learn when to meet, when to write, and how to save everyone's time.
Standups Are Broken
Daily standups were meant to improve communication. Instead, they've become status meetings that waste time and interrupt deep work. There's a better way.
#iam 4 posts
AWS Control Tower Account Factory - The Gotchas Nobody Tells You
Real-world lessons from automating AWS account provisioning with Control Tower, Service Catalog, and Terraform. The silent failures, IAM traps, and StackSet timing issues that cost us days.
GitHub Actions OIDC – Ditch the AWS Access Keys Forever
How to authenticate GitHub Actions to AWS without storing secrets. OIDC federation explained, IAM role setup, and the token claims that control access.
AWS Service Control Policies (SCPs) - Guardrails for Your Organization
How to use SCPs to set permission guardrails across your AWS Organization. Covers SCP evaluation logic, deny vs allow strategies, common patterns, and production-ready Terraform examples.
Private API Gateway - Part 2: Secure Cross-VPC Access with PrivateLink and IAM Authentication
Extend your private API Gateway with secure access from other VPCs using PrivateLink and enforce IAM-based authentication.
#ci-cd 4 posts
Test GitHub Actions Locally with Act
Stop pushing to test your workflows. Act lets you run GitHub Actions locally with instant feedback. Here's how to set it up and use it effectively.
Building Production AMIs with Packer: CI Pipelines, Terraform Integration, and Security Best Practices
Complete guide to building immutable AMIs with Packer in production - CI/CD pipelines, Terraform ASG integration, rollback strategies, maintenance workflows, and security hardening.
Building a Custom GitHub Action for Traefik Traffic Weighting
How I built a GitHub Action to manage blue/green and canary deployments by dynamically updating Traefik weighted services – with SigV4 authentication, YAML configuration, and a generator API.
Zero to Production: GitHub Actions CI/CD into GKE with Workload Identity
In this deep dive, we set up a secure, production-ready CI/CD pipeline from GitHub Actions to GKE using Workload Identity Federation—no secrets needed.
#testing 4 posts
Chaos Engineering with Litmus: Controlled Failure Injection
Implement chaos engineering in Kubernetes with LitmusChaos. Run pod failures, network chaos, and stress tests to validate system resilience.
LocalStack Deep Dive - AWS on Your Laptop
Run AWS services locally for faster development and testing. A practical guide to LocalStack covering S3, Lambda, DynamoDB, SQS, and integration testing patterns.
Test GitHub Actions Locally with Act
Stop pushing to test your workflows. Act lets you run GitHub Actions locally with instant feedback. Here's how to set it up and use it effectively.
Terraform Best Practices (Part 2) - Testing, CI/CD, Security, and Team Workflows
Advanced Terraform practices covering testing strategies, CI/CD pipelines, security hardening, drift detection, and team collaboration patterns for infrastructure as code at scale.
#privatelink 4 posts
AWS PrivateLink Deep Dive: Private Connectivity Patterns
Master AWS PrivateLink for private API access, cross-account connectivity, and SaaS integrations. Includes Terraform examples and multi-region patterns.
AWS VPC Endpoints - Keep Your Traffic Off the Internet
How to use VPC Endpoints to access AWS services without internet gateways or NAT. Covers Gateway vs Interface endpoints, PrivateLink, endpoint policies, cost optimization, and production Terraform patterns.
Private API Gateway - Part 2: Secure Cross-VPC Access with PrivateLink and IAM Authentication
Extend your private API Gateway with secure access from other VPCs using PrivateLink and enforce IAM-based authentication.
AWS PrivateLink with Terraform
A hands-on technical guide to implementing AWS PrivateLink between VPCs using Terraform.
#reliability 4 posts
Spot Instance Patterns: Graceful Handling and Cost Savings
Master AWS Spot Instances in production. Handle interruptions gracefully, use mixed instance groups, and save 60-90% on compute costs.
SLO-Based Alerting: Burn Rate Alerts vs Threshold Alerts
Implement SLO-based alerting with burn rate alerts. Move from noisy threshold alerts to meaningful reliability signals using error budgets.
Chaos Engineering with Litmus: Controlled Failure Injection
Implement chaos engineering in Kubernetes with LitmusChaos. Run pod failures, network chaos, and stress tests to validate system resilience.
SRE for Small Teams
You don't need Google's budget to practice SRE. Here's how to implement Site Reliability Engineering principles with a small team and limited resources.
#oidc 4 posts
GitHub Actions OIDC – Ditch the AWS Access Keys Forever
How to authenticate GitHub Actions to AWS without storing secrets. OIDC federation explained, IAM role setup, and the token claims that control access.
Migrating 30 Repos from Jenkins to GitHub Actions – The Complete Runbook
A battle-tested playbook for migrating CI/CD pipelines from Jenkins to GitHub Actions at scale. Covers OIDC authentication, parallel running, secrets migration, and the gotchas that will bite you.
Zero to Production: GitHub Actions CI/CD into GKE with Workload Identity
In this deep dive, we set up a secure, production-ready CI/CD pipeline from GitHub Actions to GKE using Workload Identity Federation—no secrets needed.
Solving the AWS OIDC Chicken-and-Egg Problem with GitHub Actions
Solving the AWS OIDC Chicken-and-Egg Problem with GitHub Actions
#mtls 4 posts
Cilium Service Mesh: Sidecar-Free with eBPF
Deploy a service mesh without sidecars using Cilium. Get mTLS, traffic management, and observability powered by eBPF at the kernel level.
SPIFFE and SPIRE: Zero Trust Workload Identity
Deep dive into SPIFFE and SPIRE for workload identity. Replace shared secrets with cryptographic identity for service-to-service authentication. Includes Kubernetes deployment and mTLS examples.
Secure Gateways: Configuring Mutual TLS using Gateway API on GKE
In this blog, we configure mutual TLS (mTLS) using Gateway API on GKE, securing ingress traffic with client certificate validation.
mTLS with Traefik: Hands-On Setup with Step CA
A complete walkthrough of setting up mutual TLS with Traefik and Smallstep CA – from certificate generation to client authentication. Includes local DNS, ACME integration, and a working demo you can deploy.
#database 4 posts
Migrating ClickHouse From EC2 to ClickHouse Cloud - Every Approach We Tried and Why Most Failed
S3 backup/restore, direct connectivity, Parquet exports - none of them worked cleanly. Here's the full war story of migrating a production ClickHouse instance to Cloud, the version mismatch that broke everything, and the dumb-simple approach that actually got the job done.
Dragonfly vs Redis: Modern In-Memory Store Comparison
Compare Dragonfly and Redis for caching and data storage. Dragonfly's multi-threaded architecture vs Redis single-threaded model.
Vitess for MySQL: Horizontal Sharding Done Right
Scale MySQL horizontally with Vitess. Automatic sharding, online schema changes, and Kubernetes-native deployment for massive scale.
Working with Databases in Kubernetes: Connections, Dumps and Data Extraction
A practical guide to connecting to PostgreSQL databases in Kubernetes – exec into pods, VPN access, SOCKS5 proxies, pg_dump, kubectl cp and getting data out when you need it.
#advice 4 posts
10 Rules for Negotiating Your Job Offer (From 7 Years of Engineering)
Most engineers massively undervalue themselves because no one taught them how to negotiate. Here's everything I've learned from negotiating salaries, contracts, titles, and more.
The Real Difference Between Senior, Staff, and Principal Engineer
Everyone wants to know the difference between Senior, Staff, and Principal. After holding all three titles, I can tell you the real differences aren't what most people think. It's not about years - it's about scope.
Startup vs Scale-Up vs Enterprise: Where You'll Actually Learn the Most
After working across all three - tiny startups, hypergrowth scale-ups, and massive enterprises - I can tell you they're completely different jobs. Same title, same tech, completely different experience. Here's what each teaches you.
Contract vs Perm: 4 Years of Both and What I'd Choose Now
I've done both. Multiple times. Here's the real trade-offs nobody talks about - the money, the time off problem, the boredom factor, and why your life situation matters more than you think.
#localstack 4 posts
The Fast Feedback Loop - Local Development with Kind, LocalStack, and Act
Combine Kind, LocalStack, and Act for a complete local development environment. Test Kubernetes, AWS services, and CI pipelines without leaving your laptop.
LocalStack Deep Dive - AWS on Your Laptop
Run AWS services locally for faster development and testing. A practical guide to LocalStack covering S3, Lambda, DynamoDB, SQS, and integration testing patterns.
Database Backup to S3 with Kubernetes CronJobs
Build a production-ready database backup system using Kubernetes CronJobs, PostgreSQL, and S3. Includes a complete local testing environment with KIND and LocalStack.
Crossplane and Localstack
Crossplane + LocalStack on kind: 100 % Local AWS Infrastructure-as-Code
#postgresql 4 posts
Database on Kubernetes - When It Makes Sense
Running databases on Kubernetes is controversial. Sometimes it's the right call, sometimes it's a disaster waiting to happen. Here's how to decide, and how to do it properly if you choose to proceed.
Database Backup to S3 with Kubernetes CronJobs
Build a production-ready database backup system using Kubernetes CronJobs, PostgreSQL, and S3. Includes a complete local testing environment with KIND and LocalStack.
Build an ETL Pipeline with Python, PostgreSQL, and Airflow
A practical guide to building an ETL pipeline that extracts weather data from OpenWeatherMap, transforms it with pandas, and loads it into PostgreSQL. Includes Airflow orchestration with email notifications.
Working with Databases in Kubernetes: Connections, Dumps and Data Extraction
A practical guide to connecting to PostgreSQL databases in Kubernetes – exec into pods, VPN access, SOCKS5 proxies, pg_dump, kubectl cp and getting data out when you need it.
#kind 4 posts
The Fast Feedback Loop - Local Development with Kind, LocalStack, and Act
Combine Kind, LocalStack, and Act for a complete local development environment. Test Kubernetes, AWS services, and CI pipelines without leaving your laptop.
Deploying Kafka on Kubernetes with Strimzi
A step-by-step guide to setting up a Kafka cluster on a local Kind cluster using the Strimzi operator, with optional Terraform provisioning.
Apache Pulsar Playground: Running Pulsar Locally on kind with Dashboards, Clients, and Admin Tools
In this blog, I'll walk you through setting up a full-featured Apache Pulsar playground using kind (Kubernetes in Docker). Whether you're testing Pulsar for learning or demoing a real pub/sub model with admin tools and monitoring, this setup gives you everything.
Falco on K8s (Kind)
Falco Kubernetes Lab: Runtime Threat Detection with Prometheus & Grafana
#performance 4 posts
Debugging JVM Thread Exhaustion on EC2: A Contractor War Story
How I diagnosed and fixed a Java application that kept crashing under load – from 'cannot create native thread' errors to properly tuned JVM settings, system limits, and right-sized EC2 instances.
Dragonfly vs Redis: Modern In-Memory Store Comparison
Compare Dragonfly and Redis for caching and data storage. Dragonfly's multi-threaded architecture vs Redis single-threaded model.
VPA + HPA Together: The Right Way to Autoscale Both
Use Vertical Pod Autoscaler and Horizontal Pod Autoscaler together without conflicts. Includes KEDA integration and best practices.
The Kubernetes ndots:5 Problem – Why DNS Lookups Take 15 Seconds
A deep dive into why external DNS resolution in Kubernetes can be painfully slow, how the default ndots:5 setting causes unnecessary lookups, and practical fixes that actually work.
#lambda 4 posts
Implementing Vertical Autoscaling for Aurora Databases Using Lambda Functions
AWS doesn't offer vertical autoscaling for Aurora – so we built it. CloudWatch Alarms, SNS, Lambda coordination, and the gotchas we hit in production.
7 Years of Infrastructure Decisions: What I'd Do Again and What I Regret
Every infrastructure decision I'd make again – and the ones I wouldn't – after running production workloads across fintech, open-source, IoT, and beyond.
Serverless Container Framework - Deploy Containers to Lambda and Fargate with Ease
Deploy containerised applications to AWS Lambda or Fargate with a simple YAML config. No infrastructure code required - just define your containers and deploy.
RDS Proxy for Lambda - Solving the Connection Exhaustion Problem
How to use Amazon RDS Proxy to handle database connections from Lambda functions at scale. Covers connection pooling, IAM authentication, Terraform setup, and the gotchas you'll hit in production.
#control-tower 3 posts
AWS Control Tower Account Factory - The Gotchas Nobody Tells You
Real-world lessons from automating AWS account provisioning with Control Tower, Service Catalog, and Terraform. The silent failures, IAM traps, and StackSet timing issues that cost us days.
Building an Automated Multi-Account AWS Architecture with Control Tower and Terraform
A hands-on walkthrough of enabling AWS Control Tower, designing an OU structure, automating account provisioning via Service Catalog, and deploying security baselines - from zero to fully automated account vending in production.
AWS Account Provisioning at Scale with Control Tower, Service Catalog, and Terraform
How to build an automated account vending machine using AWS Control Tower Account Factory, Service Catalog, CloudFormation StackSets, and Terraform – from request to fully provisioned account with SSO and IAM roles.
#service-catalog 3 posts
AWS Control Tower Account Factory - The Gotchas Nobody Tells You
Real-world lessons from automating AWS account provisioning with Control Tower, Service Catalog, and Terraform. The silent failures, IAM traps, and StackSet timing issues that cost us days.
Building an Automated Multi-Account AWS Architecture with Control Tower and Terraform
A hands-on walkthrough of enabling AWS Control Tower, designing an OU structure, automating account provisioning via Service Catalog, and deploying security baselines - from zero to fully automated account vending in production.
AWS Account Provisioning at Scale with Control Tower, Service Catalog, and Terraform
How to build an automated account vending machine using AWS Control Tower Account Factory, Service Catalog, CloudFormation StackSets, and Terraform – from request to fully provisioned account with SSO and IAM roles.
#organizations 3 posts
Building an Automated Multi-Account AWS Architecture with Control Tower and Terraform
A hands-on walkthrough of enabling AWS Control Tower, designing an OU structure, automating account provisioning via Service Catalog, and deploying security baselines - from zero to fully automated account vending in production.
AWS Account Provisioning at Scale with Control Tower, Service Catalog, and Terraform
How to build an automated account vending machine using AWS Control Tower Account Factory, Service Catalog, CloudFormation StackSets, and Terraform – from request to fully provisioned account with SSO and IAM roles.
AWS Service Control Policies (SCPs) - Guardrails for Your Organization
How to use SCPs to set permission guardrails across your AWS Organization. Covers SCP evaluation logic, deny vs allow strategies, common patterns, and production-ready Terraform examples.
#backstage 3 posts
Backstage Plugins: Building Custom Developer Portal Features
Build custom Backstage plugins for your internal developer portal. Create frontend components, backend APIs, and integrate with your existing tools.
Backstage on AWS ECS - Production-Ready Deployment with RDS and Cognito
A comprehensive guide to deploying Spotify's Backstage developer portal on AWS ECS Fargate with PostgreSQL RDS, Cognito authentication, and proper production hardening.
Building an Internal Developer Platform
A practical guide to building an IDP that developers actually want to use. Covers the build vs buy decision, Backstage implementation, and the organisational changes required for success.
#rds 3 posts
Implementing Vertical Autoscaling for Aurora Databases Using Lambda Functions
AWS doesn't offer vertical autoscaling for Aurora – so we built it. CloudWatch Alarms, SNS, Lambda coordination, and the gotchas we hit in production.
Backstage on AWS ECS - Production-Ready Deployment with RDS and Cognito
A comprehensive guide to deploying Spotify's Backstage developer portal on AWS ECS Fargate with PostgreSQL RDS, Cognito authentication, and proper production hardening.
RDS Proxy for Lambda - Solving the Connection Exhaustion Problem
How to use Amazon RDS Proxy to handle database connections from Lambda functions at scale. Covers connection pooling, IAM authentication, Terraform setup, and the gotchas you'll hit in production.
#incident-management 3 posts
Blameless Culture is Harder Than You Think
Everyone claims to have a blameless culture. Few actually do. Here's what real blamelessness looks like and why it's so difficult to achieve.
SRE for Small Teams
You don't need Google's budget to practice SRE. Here's how to implement Site Reliability Engineering principles with a small team and limited resources.
Incident Management That Actually Works
Most incident processes are theatre. Here's how to build incident management that reduces downtime, prevents recurrence, and doesn't burn out your team.
#developer-experience 3 posts
Platform Engineering in 2026 - It's About the Discipline, Not the Tools
Platform engineering has become the most misunderstood role in tech. Everyone's building 'platforms' but few understand what actually makes one successful. Here's what I've learned building platforms for teams of 10 to 500.
Port and Kratix: Internal Developer Platforms Beyond Backstage
Explore Port and Kratix for building internal developer platforms. Self-service infrastructure, developer workflows, and platform engineering patterns.
Building an Internal Developer Platform
A practical guide to building an IDP that developers actually want to use. Covers the build vs buy decision, Backstage implementation, and the organisational changes required for success.
#ebpf 3 posts
Cilium Service Mesh: Sidecar-Free with eBPF
Deploy a service mesh without sidecars using Cilium. Get mTLS, traffic management, and observability powered by eBPF at the kernel level.
eBPF for Security: Kernel-Level Observability Without Agents
Deep dive into eBPF-based security tools - Cilium, Falco, and Tetragon. Learn how to implement runtime security, network policies, and threat detection at the kernel level.
eBPF Deep Dive - Beyond Cilium
eBPF is transforming how we observe, secure, and network Linux systems. This guide covers the fundamentals, practical use cases beyond Cilium, and how to start writing your own eBPF programs.
#clawdbot 3 posts
Running Clawdbot 24/7 on a Hetzner VPS – Terraform, Security Hardening, and the Bits the Docs Miss
A production-grade setup for Clawdbot on Hetzner Cloud with Terraform provisioning, proper SSH hardening, fail2ban, UFW, unattended-upgrades, and optional Tailscale – the stuff you actually need in prod.
Clawdbot Manual Setup – Step-by-Step VPS Configuration with WhatsApp Integration
A detailed walkthrough for setting up Clawdbot on a Hetzner VPS from scratch – SSH hardening, firewall configuration, Tailscale, and WhatsApp Business integration using a dedicated number.
Securing Your Clawdbot & Setting Up Powerful Integrations
A comprehensive guide to hardening your Clawdbot installation and integrating with Google Workspace, GitHub, and Notion – turning your AI assistant into a productivity powerhouse.
#s3 3 posts
Terraform 0.11 to 1.11 Migration - The Full Journey
A detailed guide on migrating Terraform from 0.11 to 1.11, covering HCL2 syntax changes, the S3 bucket resource split, state manipulation, and ensuring zero-drift upgrades.
Database Backup to S3 with Kubernetes CronJobs
Build a production-ready database backup system using Kubernetes CronJobs, PostgreSQL, and S3. Includes a complete local testing environment with KIND and LocalStack.
The Terraform State Chicken-and-Egg Problem – And Why Bootstrapping Is Just Physics
You can't use Terraform to create the S3 bucket that stores Terraform state. Here's how to bootstrap your remote backend properly, plus the philosophical reason this pattern exists everywhere in software.
#databases 3 posts
Database on Kubernetes - When It Makes Sense
Running databases on Kubernetes is controversial. Sometimes it's the right call, sometimes it's a disaster waiting to happen. Here's how to decide, and how to do it properly if you choose to proceed.
Database Backup to S3 with Kubernetes CronJobs
Build a production-ready database backup system using Kubernetes CronJobs, PostgreSQL, and S3. Includes a complete local testing environment with KIND and LocalStack.
RDS Proxy for Lambda - Solving the Connection Exhaustion Problem
How to use Amazon RDS Proxy to handle database connections from Lambda functions at scale. Covers connection pooling, IAM authentication, Terraform setup, and the gotchas you'll hit in production.
#k8s 3 posts
Kubernetes Gateway API vs Ingress - When to Migrate and How
Gateway API is the successor to Ingress, bringing role-oriented design, native traffic splitting, and cross-namespace routing. This post compares both APIs, when to migrate, and practical migration patterns.
Deploying Kafka on Kubernetes with Strimzi
A step-by-step guide to setting up a Kafka cluster on a local Kind cluster using the Strimzi operator, with optional Terraform provisioning.
Using GKE DNS-based endpoints for Secure cluster access
Use GKE's DNS-based control plane endpoint to reach a private cluster without bastions or VPNs. IAM-gated kubectl access via Cloud DNS, fully private.
#traefik 3 posts
DNS UDP Truncation: Why Your ECS Tasks Aren't Getting Traffic
How DNS UDP's 512-byte limit caps responses at ~8 A records, breaking service discovery for scaled ECS/CloudMap workloads – and the sidecar solution to bypass it.
Building a Custom GitHub Action for Traefik Traffic Weighting
How I built a GitHub Action to manage blue/green and canary deployments by dynamically updating Traefik weighted services – with SigV4 authentication, YAML configuration, and a generator API.
mTLS with Traefik: Hands-On Setup with Step CA
A complete walkthrough of setting up mutual TLS with Traefik and Smallstep CA – from certificate generation to client authentication. Includes local DNS, ACME integration, and a working demo you can deploy.
#metrics 3 posts
DORA Metrics Implementation - Measuring What Matters
DORA metrics are the industry standard for measuring DevOps performance. Here's how to implement them properly, avoid common pitfalls, and actually use them to improve your team's delivery.
OpenTelemetry Collector Pipelines: Transform, Filter, Route Telemetry
Master OpenTelemetry Collector configuration. Build pipelines to transform metrics, filter traces, route logs, and reduce telemetry costs.
OpenTelemetry from Scratch
OpenTelemetry unifies traces, metrics, and logs under one standard. This guide covers how to instrument your applications, set up collectors, and actually make sense of the data.
#monitoring 3 posts
OpenTelemetry Changed How I Think About Observability
A practical, opinionated take on OpenTelemetry - why it matters, what it actually solves, and how to instrument across Kubernetes, Lambda, ECS, and EC2 without losing your mind.
SRE for Small Teams
You don't need Google's budget to practice SRE. Here's how to implement Site Reliability Engineering principles with a small team and limited resources.
Managing Dynatrace Alerts at Scale with Custom Ansible Roles
How we automated Dynatrace alerting configuration using custom Ansible roles - covering alert profiles, problem notifications, metric events, and maintenance windows across multiple environments.
#ec2 3 posts
Debugging JVM Thread Exhaustion on EC2: A Contractor War Story
How I diagnosed and fixed a Java application that kept crashing under load – from 'cannot create native thread' errors to properly tuned JVM settings, system limits, and right-sized EC2 instances.
Deep Dive into EC2 Networking
Deep Dive into EC2 Networking: ENIs, IP Addressing and Deployment Architectures
How to Increase EBS Disk Size on EC2 (Without Downtime)
Online EBS volume resizing for running instances – the IaC way with Terraform and ASG instance refresh, plus the manual escape hatch when you need it now. No reboot required.
#deployment 3 posts
Progressive Delivery with Flagger: Automated Canary Deployments
Implement automated canary deployments with Flagger. Metrics-based promotion, automated rollback, and integration with Istio, Linkerd, and Gateway API.
GitOps with ArgoCD - A Practical Setup Guide
A hands-on guide to implementing GitOps with ArgoCD. Covers installation, application management, sync strategies, secrets handling, and the patterns that actually work in production.
Deep Dive into EC2 Networking
Deep Dive into EC2 Networking: ENIs, IP Addressing and Deployment Architectures
#deployments 3 posts
ECS Task Sets: Blue/Green Deployments Without CodeDeploy
How to use ECS external deployment controllers and task sets for manual blue/green deployments – the setup, the CLI commands, the Terraform, and an honest assessment of when it's worth the complexity.
Building a Custom GitHub Action for Traefik Traffic Weighting
How I built a GitHub Action to manage blue/green and canary deployments by dynamically updating Traefik weighted services – with SigV4 authentication, YAML configuration, and a generator API.
Helm Atomics: The Flag That Saves Your Production Deploys (And Its Hidden Gotchas)
Deep dive into Helm's --atomic, --wait, and --cleanup-on-fail flags. How they work, when to use them, the CI/CD pipeline trap that catches everyone, and production-ready deployment patterns.
#cni 3 posts
EKS IP Exhaustion: Running out of IPs, one way to fix it
Running out of IP addresses in AWS EKS can be a subtle yet critical issue. It often manifests as pods stuck in a pending state or nodes failing to join the cluster, leading to deployment bottlenecks and potential downtime. Understanding the root cause and implementing effective solutions is essential for maintaining cluster health and scalability. Now, there are many ways to fix this, but this is one way.
EKS without VPC CNI: Deploying Calico with IPIP and BGP
AWS EKS defaults to the VPC CNI plugin, assigning VPC IPs to pods via ENIs. While straightforward, this setup limits pod density per node and consumes VPC IPs rapidly. To overcome these constraints, deploying Calico with IPIP or BGP offers a scalable alternative.
Kubernetes Networking: A Deep Dive From First Principles
How packets actually flow in Kubernetes – from veth pairs to CNI plugins to kube-proxy modes. With AWS/EKS context throughout.
#elasticsearch 3 posts
ELK Stack Migration: From 6.x to 8.x - The Complete Guide
A comprehensive guide to migrating your Elasticsearch, Logstash, and Kibana stack from version 6.x to 8.x. Covers breaking changes, migration strategies, index compatibility, and zero-downtime approaches.
Elastic Cloud Setup Guide - From Zero to Production
A comprehensive guide to setting up Elastic Cloud (Elasticsearch Service), including deployment configuration, security setup, index lifecycle management, integrations, and cost optimization.
Build a SOC Homelab with Docker - Elasticsearch, Cribl, and Log Simulation
Set up a Security Operations Center lab environment using Docker. Includes Elasticsearch, Kibana, Cribl Stream for log routing, and simulated log generators for hands-on security analysis practice.
#debugging 3 posts
Debugging JVM Thread Exhaustion on EC2: A Contractor War Story
How I diagnosed and fixed a Java application that kept crashing under load – from 'cannot create native thread' errors to properly tuned JVM settings, system limits, and right-sized EC2 instances.
Ephemeral Containers for Production Debugging
Debug distroless and minimal containers in production without redeploying. Ephemeral containers let you attach debugging tools to running pods - here's how to use them effectively.
The Kubernetes ndots:5 Problem – Why DNS Lookups Take 15 Seconds
A deep dive into why external DNS resolution in Kubernetes can be painfully slow, how the default ndots:5 setting causes unnecessary lookups, and practical fixes that actually work.
#kubectl 3 posts
Ephemeral Containers for Production Debugging
Debug distroless and minimal containers in production without redeploying. Ephemeral containers let you attach debugging tools to running pods - here's how to use them effectively.
Working with Databases in Kubernetes: Connections, Dumps and Data Extraction
A practical guide to connecting to PostgreSQL databases in Kubernetes – exec into pods, VPN access, SOCKS5 proxies, pg_dump, kubectl cp and getting data out when you need it.
What Actually Happens When You kubectl apply – The Full Chain From YAML to Running Pod
The complete journey: client-side vs server-side apply, admission controllers, etcd persistence, controller reconciliation, scheduler binding, and kubelet container creation. Every step traced.
#gateway-api 3 posts
Gateway API Advanced Patterns: Beyond Basic Ingress
Master Gateway API with traffic splitting, header-based routing, cross-namespace references, and TLS passthrough. The future of Kubernetes ingress.
Kubernetes Gateway API vs Ingress - When to Migrate and How
Gateway API is the successor to Ingress, bringing role-oriented design, native traffic splitting, and cross-namespace routing. This post compares both APIs, when to migrate, and practical migration patterns.
Secure Gateways: Configuring Mutual TLS using Gateway API on GKE
In this blog, we configure mutual TLS (mTLS) using Gateway API on GKE, securing ingress traffic with client certificate validation.
#helm 3 posts
Self-Hosted GitLab on Kubernetes - A Startup's Journey
A detailed guide on deploying GitLab on AKS using Helm charts, with Azure SQL as the database backend. Covers architecture decisions, configuration, lessons learned, and the gotchas we hit in production.
Apache Pulsar Playground: Running Pulsar Locally on kind with Dashboards, Clients, and Admin Tools
In this blog, I'll walk you through setting up a full-featured Apache Pulsar playground using kind (Kubernetes in Docker). Whether you're testing Pulsar for learning or demoing a real pub/sub model with admin tools and monitoring, this setup gives you everything.
Helm Atomics: The Flag That Saves Your Production Deploys (And Its Hidden Gotchas)
Deep dive into Helm's --atomic, --wait, and --cleanup-on-fail flags. How they work, when to use them, the CI/CD pipeline trap that catches everyone, and production-ready deployment patterns.
#homelab 3 posts
Building a Production-Grade Homelab with K3s, Vault, and FluxCD
How I built a fully GitOps-managed Kubernetes homelab on a single mini PC - from unboxing to production. Proxmox bare metal install, K3s cluster, HashiCorp Vault secrets, full observability, and Cloudflare Tunnel.
Build a SOC Homelab with Docker - Elasticsearch, Cribl, and Log Simulation
Set up a Security Operations Center lab environment using Docker. Includes Elasticsearch, Kibana, Cribl Stream for log routing, and simulated log generators for hands-on security analysis practice.
K3s Homelab Setup Guide - Running Kubernetes on Raspberry Pi 5
Build a lightweight Kubernetes cluster on three Raspberry Pi 5 devices. Step-by-step guide covering K3s installation, cluster configuration, and deployment testing.
#on-call 3 posts
SRE for Small Teams
You don't need Google's budget to practice SRE. Here's how to implement Site Reliability Engineering principles with a small team and limited resources.
Incident Management That Actually Works
Most incident processes are theatre. Here's how to build incident management that reduces downtime, prevents recurrence, and doesn't burn out your team.
Production War Stories: The NGINX Log Rotation That Caused a P1
How a 'safe' AMI upgrade led to traffic drops, zombie log files, and disk exhaustion – and the debugging journey that followed. A real incident from on-call, with technical details and lessons learned.
#aks 3 posts
Self-Hosted GitLab on Kubernetes - A Startup's Journey
A detailed guide on deploying GitLab on AKS using Helm charts, with Azure SQL as the database backend. Covers architecture decisions, configuration, lessons learned, and the gotchas we hit in production.
Kubernetes Cluster Upgrades: Production-Ready Guide
Technical guide for upgrading managed Kubernetes clusters across GKE, EKS, and AKS
Private AKS Cluster with Twingate: Secure API Access Without a Public Endpoint
Running Kubernetes clusters privately is a growing best practice. In this blog, I'll walk you through deploying a private AKS cluster on Azure with no public API endpoint, and enabling secure access via Twingate VPN, which provides identity-based access without opening up your network.
#autoscaling 3 posts
Implementing Vertical Autoscaling for Aurora Databases Using Lambda Functions
AWS doesn't offer vertical autoscaling for Aurora – so we built it. CloudWatch Alarms, SNS, Lambda coordination, and the gotchas we hit in production.
VPA + HPA Together: The Right Way to Autoscale Both
Use Vertical Pod Autoscaler and Horizontal Pod Autoscaler together without conflicts. Includes KEDA integration and best practices.
Karpenter Deep Dive: Node Provisioning That Actually Works
Master Karpenter for Kubernetes node autoscaling. Replace Cluster Autoscaler with faster, smarter provisioning. Includes cost optimization patterns.
#opa 3 posts
Spacelift from Scratch: Automating Terraform at Scale with Spaces, Stacks, OPA Policies, and a Private Module Registry
A complete guide to setting up Spacelift for multi-team Terraform automation - from zero to production with spaces, dynamic stacks, OPA security policies in Rego, private module registry, and GitOps-driven infrastructure.
Kyverno vs OPA: Policy Engines Compared
Detailed comparison of Kyverno and OPA Gatekeeper for Kubernetes policy enforcement. Includes real examples, performance considerations, and migration guidance.
OPA Gatekeeper: Policy as Code for Kubernetes
Implement admission control policies with OPA Gatekeeper. Enforce security standards, naming conventions, resource limits, and compliance requirements at the cluster level.
#remote-work 3 posts
Remote Work Won
The RTO push isn't about productivity. The data is clear: remote work works. What's really happening is a fight over control, real estate, and management inability to adapt.
The Meeting That Should Have Been a Doc
Most meetings are information broadcasts disguised as collaboration. Learn when to meet, when to write, and how to save everyone's time.
Standups Are Broken
Daily standups were meant to improve communication. Instead, they've become status meetings that waste time and interrupt deep work. There's a better way.
#opentelemetry 3 posts
OpenTelemetry Changed How I Think About Observability
A practical, opinionated take on OpenTelemetry - why it matters, what it actually solves, and how to instrument across Kubernetes, Lambda, ECS, and EC2 without losing your mind.
OpenTelemetry Collector Pipelines: Transform, Filter, Route Telemetry
Master OpenTelemetry Collector configuration. Build pipelines to transform metrics, filter traces, route logs, and reduce telemetry costs.
OpenTelemetry from Scratch
OpenTelemetry unifies traces, metrics, and logs under one standard. This guide covers how to instrument your applications, set up collectors, and actually make sense of the data.
#serverless 3 posts
Implementing Vertical Autoscaling for Aurora Databases Using Lambda Functions
AWS doesn't offer vertical autoscaling for Aurora – so we built it. CloudWatch Alarms, SNS, Lambda coordination, and the gotchas we hit in production.
Serverless Container Framework - Deploy Containers to Lambda and Fargate with Ease
Deploy containerised applications to AWS Lambda or Fargate with a simple YAML config. No infrastructure code required - just define your containers and deploy.
RDS Proxy for Lambda - Solving the Connection Exhaustion Problem
How to use Amazon RDS Proxy to handle database connections from Lambda functions at scale. Covers connection pooling, IAM authentication, Terraform setup, and the gotchas you'll hit in production.
#karpenter 2 posts
Karpenter Deep Dive: Node Provisioning That Actually Works
Master Karpenter for Kubernetes node autoscaling. Replace Cluster Autoscaler with faster, smarter provisioning. Includes cost optimization patterns.
Lessons From 5 Years of Kubernetes in Production – Cluster Crashes, Ditching Self-Managed, Cost Cuts, and the Tooling That Actually Works
Two major cluster crashes, migrating from kops to EKS, slashing compute costs with Karpenter, and the observability stack we rebuilt three times.
#sso 2 posts
Building an Automated Multi-Account AWS Architecture with Control Tower and Terraform
A hands-on walkthrough of enabling AWS Control Tower, designing an OU structure, automating account provisioning via Service Catalog, and deploying security baselines - from zero to fully automated account vending in production.
AWS Account Provisioning at Scale with Control Tower, Service Catalog, and Terraform
How to build an automated account vending machine using AWS Control Tower Account Factory, Service Catalog, CloudFormation StackSets, and Terraform – from request to fully provisioned account with SSO and IAM roles.
#multi-account 2 posts
AWS Control Tower Account Factory - The Gotchas Nobody Tells You
Real-world lessons from automating AWS account provisioning with Control Tower, Service Catalog, and Terraform. The silent failures, IAM traps, and StackSet timing issues that cost us days.
Building an Automated Multi-Account AWS Architecture with Control Tower and Terraform
A hands-on walkthrough of enabling AWS Control Tower, designing an OU structure, automating account provisioning via Service Catalog, and deploying security baselines - from zero to fully automated account vending in production.
#scps 2 posts
Building an Automated Multi-Account AWS Architecture with Control Tower and Terraform
A hands-on walkthrough of enabling AWS Control Tower, designing an OU structure, automating account provisioning via Service Catalog, and deploying security baselines - from zero to fully automated account vending in production.
AWS Service Control Policies (SCPs) - Guardrails for Your Organization
How to use SCPs to set permission guardrails across your AWS Organization. Covers SCP evaluation logic, deny vs allow strategies, common patterns, and production-ready Terraform examples.
#spacelift 2 posts
Building an Automated Multi-Account AWS Architecture with Control Tower and Terraform
A hands-on walkthrough of enabling AWS Control Tower, designing an OU structure, automating account provisioning via Service Catalog, and deploying security baselines - from zero to fully automated account vending in production.
Spacelift from Scratch: Automating Terraform at Scale with Spaces, Stacks, OPA Policies, and a Private Module Registry
A complete guide to setting up Spacelift for multi-team Terraform automation - from zero to production with spaces, dynamic stacks, OPA security policies in Rego, private module registry, and GitOps-driven infrastructure.
#act 2 posts
The Fast Feedback Loop - Local Development with Kind, LocalStack, and Act
Combine Kind, LocalStack, and Act for a complete local development environment. Test Kubernetes, AWS services, and CI pipelines without leaving your laptop.
Test GitHub Actions Locally with Act
Stop pushing to test your workflows. Act lets you run GitHub Actions locally with instant feedback. Here's how to set it up and use it effectively.
#governance 2 posts
Cloud Tagging Strategies That Actually Work
Tagging is the foundation of cloud governance, cost allocation, and automation. Here's how to implement tagging consistently across your infrastructure using context modules, policies, and automation.
AWS Service Control Policies (SCPs) - Guardrails for Your Organization
How to use SCPs to set permission guardrails across your AWS Organization. Covers SCP evaluation logic, deny vs allow strategies, common patterns, and production-ready Terraform examples.
#bgp 2 posts
EKS without VPC CNI: Deploying Calico with IPIP and BGP
AWS EKS defaults to the VPC CNI plugin, assigning VPC IPs to pods via ENIs. While straightforward, this setup limits pod density per node and consumes VPC IPs rapidly. To overcome these constraints, deploying Calico with IPIP or BGP offers a scalable alternative.
BGP in the Cloud – A Deep Dive into AWS Direct Connect, Routing Pathologies, and What Breaks in Production
A production-focused deep dive into how BGP actually behaves over AWS Direct Connect – route selection, failover, ASN design, MEDs, prepending, blackholing scenarios, and the real-world issues teams hit at scale.
#hybrid-cloud 2 posts
Tailscale in Production: WireGuard Mesh for Hybrid Cloud
Deploy Tailscale for secure connectivity across clouds, offices, and Kubernetes clusters. Zero-config VPN mesh with SSO integration and ACLs.
BGP in the Cloud – A Deep Dive into AWS Direct Connect, Routing Pathologies, and What Breaks in Production
A production-focused deep dive into how BGP actually behaves over AWS Direct Connect – route selection, failover, ASN design, MEDs, prepending, blackholing scenarios, and the real-world issues teams hit at scale.
#post-mortems 2 posts
Blameless Culture is Harder Than You Think
Everyone claims to have a blameless culture. Few actually do. Here's what real blamelessness looks like and why it's so difficult to achieve.
Incident Management That Actually Works
Most incident processes are theatre. Here's how to build incident management that reduces downtime, prevents recurrence, and doesn't burn out your team.
#idp 2 posts
Platform Engineering in 2026 - It's About the Discipline, Not the Tools
Platform engineering has become the most misunderstood role in tech. Everyone's building 'platforms' but few understand what actually makes one successful. Here's what I've learned building platforms for teams of 10 to 500.
Building an Internal Developer Platform
A practical guide to building an IDP that developers actually want to use. Covers the build vs buy decision, Backstage implementation, and the organisational changes required for success.
#github 2 posts
Securing Your Clawdbot & Setting Up Powerful Integrations
A comprehensive guide to hardening your Clawdbot installation and integrating with Google Workspace, GitHub, and Notion – turning your AI assistant into a productivity powerhouse.
Solving the AWS OIDC Chicken-and-Egg Problem with GitHub Actions
Solving the AWS OIDC Chicken-and-Egg Problem with GitHub Actions
#service-mesh 2 posts
Cilium Service Mesh: Sidecar-Free with eBPF
Deploy a service mesh without sidecars using Cilium. Get mTLS, traffic management, and observability powered by eBPF at the kernel level.
Service Mesh Comparison - Istio vs Linkerd vs Cilium
Service meshes promise observability, security, and traffic management. But which one should you choose? A practical comparison based on running all three in production.
#hetzner 2 posts
Running Clawdbot 24/7 on a Hetzner VPS – Terraform, Security Hardening, and the Bits the Docs Miss
A production-grade setup for Clawdbot on Hetzner Cloud with Terraform provisioning, proper SSH hardening, fail2ban, UFW, unattended-upgrades, and optional Tailscale – the stuff you actually need in prod.
Clawdbot Manual Setup – Step-by-Step VPS Configuration with WhatsApp Integration
A detailed walkthrough for setting up Clawdbot on a Hetzner VPS from scratch – SSH hardening, firewall configuration, Tailscale, and WhatsApp Business integration using a dedicated number.
#vps 2 posts
Running Clawdbot 24/7 on a Hetzner VPS – Terraform, Security Hardening, and the Bits the Docs Miss
A production-grade setup for Clawdbot on Hetzner Cloud with Terraform provisioning, proper SSH hardening, fail2ban, UFW, unattended-upgrades, and optional Tailscale – the stuff you actually need in prod.
Clawdbot Manual Setup – Step-by-Step VPS Configuration with WhatsApp Integration
A detailed walkthrough for setting up Clawdbot on a Hetzner VPS from scratch – SSH hardening, firewall configuration, Tailscale, and WhatsApp Business integration using a dedicated number.
#tutorial 2 posts
Clawdbot Manual Setup – Step-by-Step VPS Configuration with WhatsApp Integration
A detailed walkthrough for setting up Clawdbot on a Hetzner VPS from scratch – SSH hardening, firewall configuration, Tailscale, and WhatsApp Business integration using a dedicated number.
Securing Your Clawdbot & Setting Up Powerful Integrations
A comprehensive guide to hardening your Clawdbot installation and integrating with Google Workspace, GitHub, and Notion – turning your AI assistant into a productivity powerhouse.
#saas 2 posts
Elastic Cloud Setup Guide - From Zero to Production
A comprehensive guide to setting up Elastic Cloud (Elasticsearch Service), including deployment configuration, security setup, index lifecycle management, integrations, and cost optimization.
Cloud Unit Economics for Multi-Tenant SaaS - Cost Per Customer, Not Per Service
How to calculate true cost-per-tenant in a shared infrastructure environment. Covers EKS with Karpenter, shared databases (Aurora, DynamoDB), and tools like OpenCost, CloudZero, and custom attribution approaches.
#sigstore 2 posts
Container Image Signing with Cosign - A Practical Guide
Sign and verify container images without managing keys. A hands-on guide to Cosign, keyless signing, and enforcing signatures in Kubernetes.
Software Supply Chain Security - Sigstore, SLSA, and Beyond
Your dependencies are an attack vector. Here's how to secure your software supply chain with Sigstore, SLSA frameworks, SBOMs, and admission policies that actually work.
#contracting 2 posts
That Time I Gave Away £50k Worth of Consulting for Free (And What It Taught Me About the Industry)
On interview take-home tests that are suspiciously specific, contractors who get ghosted after detailed proposals, and learning to play the game without becoming bitter about it.
Contract vs Perm: 4 Years of Both and What I'd Choose Now
I've done both. Multiple times. Here's the real trade-offs nobody talks about - the money, the time off problem, the boredom factor, and why your life situation matters more than you think.
#salary 2 posts
10 Rules for Negotiating Your Job Offer (From 7 Years of Engineering)
Most engineers massively undervalue themselves because no one taught them how to negotiate. Here's everything I've learned from negotiating salaries, contracts, titles, and more.
Contract vs Perm: 4 Years of Both and What I'd Choose Now
I've done both. Multiple times. Here's the real trade-offs nobody talks about - the money, the time off problem, the boredom factor, and why your life situation matters more than you think.
#crossplane 2 posts
Crossplane Compositions: Build Your Own Cloud API
Create custom cloud APIs with Crossplane Compositions. Abstract away complexity and give developers self-service infrastructure with guardrails.
Crossplane and Localstack
Crossplane + LocalStack on kind: 100 % Local AWS Infrastructure-as-Code
#storage 2 posts
Database on Kubernetes - When It Makes Sense
Running databases on Kubernetes is controversial. Sometimes it's the right call, sometimes it's a disaster waiting to happen. Here's how to decide, and how to do it properly if you choose to proceed.
How to Increase EBS Disk Size on EC2 (Without Downtime)
Online EBS volume resizing for running instances – the IaC way with Terraform and ASG instance refresh, plus the manual escape hatch when you need it now. No reboot required.
#kafka 2 posts
Deploying Kafka on Kubernetes with Strimzi
A step-by-step guide to setting up a Kafka cluster on a local Kind cluster using the Strimzi operator, with optional Terraform provisioning.
Pulsar vs Kafka in K8s: Battle of Event Streams
Pulsar vs Kafka
#interviews 2 posts
That Time I Gave Away £50k Worth of Consulting for Free (And What It Taught Me About the Industry)
On interview take-home tests that are suspiciously specific, contractors who get ghosted after detailed proposals, and learning to play the game without becoming bitter about it.
Common DevOps Interview Questions Candidates Fail
The questions that separate senior engineers from those who memorised tutorials. Real interview failures, what interviewers are actually looking for, and how to answer with depth.
#engineering 2 posts
FinOps for Engineering Teams - Making Cost Everyone's Problem
Cloud cost management isn't just for finance. Here's how engineering teams can build cost awareness into their workflow without slowing down delivery.
The Ultimate Pathway to DevOps Revamped
A practical roadmap into DevOps for engineers starting out — what to learn, in what order, and where the genuine value is vs the hype.
#alerting 2 posts
SLO-Based Alerting: Burn Rate Alerts vs Threshold Alerts
Implement SLO-based alerting with burn rate alerts. Move from noisy threshold alerts to meaningful reliability signals using error budgets.
Managing Dynatrace Alerts at Scale with Custom Ansible Roles
How we automated Dynatrace alerting configuration using custom Ansible roles - covering alert profiles, problem notifications, metric events, and maintenance windows across multiple environments.
#falco 2 posts
eBPF for Security: Kernel-Level Observability Without Agents
Deep dive into eBPF-based security tools - Cilium, Falco, and Tetragon. Learn how to implement runtime security, network policies, and threat detection at the kernel level.
Falco on K8s (Kind)
Falco Kubernetes Lab: Runtime Threat Detection with Prometheus & Grafana
#architecture 2 posts
Your Startup Doesn't Need Kubernetes
Kubernetes is an incredible technology that solves real problems. But for most startups, it's the wrong tool. Here's how to know when you're ready - and what to use instead.
Deep Dive into EC2 Networking
Deep Dive into EC2 Networking: ENIs, IP Addressing and Deployment Architectures
#java 2 posts
Debugging JVM Thread Exhaustion on EC2: A Contractor War Story
How I diagnosed and fixed a Java application that kept crashing under load – from 'cannot create native thread' errors to properly tuned JVM settings, system limits, and right-sized EC2 instances.
Migrating a Java Application from EC2 to ECS Fargate: A Step-by-Step Guide
The complete journey of containerising a Java JAR running on EC2 and deploying it to ECS Fargate – from local testing to Dockerfile, task definitions, networking, secrets management, and achieving production parity.
#blue-green 2 posts
ECS Task Sets: Blue/Green Deployments Without CodeDeploy
How to use ECS external deployment controllers and task sets for manual blue/green deployments – the setup, the CLI commands, the Terraform, and an honest assessment of when it's worth the complexity.
Building a Custom GitHub Action for Traefik Traffic Weighting
How I built a GitHub Action to manage blue/green and canary deployments by dynamically updating Traefik weighted services – with SigV4 authentication, YAML configuration, and a generator API.
#dynamodb 2 posts
Migrating Event Store Data from SQL Server and Oracle to DynamoDB with AWS DMS
How we used AWS DMS with database views, partitioned replication tasks, and Terraform to migrate event sourcing data from on-prem SQL Server and Oracle to DynamoDB – the architecture, the gotchas, and production Terraform you can reuse.
The Terraform State Chicken-and-Egg Problem – And Why Bootstrapping Is Just Physics
You can't use Terraform to create the S3 bucket that stores Terraform state. Here's how to bootstrap your remote backend properly, plus the philosophical reason this pattern exists everywhere in software.
#state-management 2 posts
Terraform 0.11 to 1.11 Migration - The Full Journey
A detailed guide on migrating Terraform from 0.11 to 1.11, covering HCL2 syntax changes, the S3 bucket resource split, state manipulation, and ensuring zero-drift upgrades.
The Terraform State Chicken-and-Egg Problem – And Why Bootstrapping Is Just Physics
You can't use Terraform to create the S3 bucket that stores Terraform state. Here's how to bootstrap your remote backend properly, plus the philosophical reason this pattern exists everywhere in software.
#twingate 2 posts
EKS Private Network with Twingate
How to setup a private network for your EKS cluster with Twingate
Private AKS Cluster with Twingate: Secure API Access Without a Public Endpoint
Running Kubernetes clusters privately is a growing best practice. In this blog, I'll walk you through deploying a private AKS cluster on Azure with no public API endpoint, and enabling secure access via Twingate VPN, which provides identity-based access without opening up your network.
#private 2 posts
EKS Private Network with Twingate
How to setup a private network for your EKS cluster with Twingate
Using GKE DNS-based endpoints for Secure cluster access
Use GKE's DNS-based control plane endpoint to reach a private cluster without bastions or VPNs. IAM-gated kubectl access via Cloud DNS, fully private.
#calico 2 posts
EKS without VPC CNI: Deploying Calico with IPIP and BGP
AWS EKS defaults to the VPC CNI plugin, assigning VPC IPs to pods via ENIs. While straightforward, this setup limits pod density per node and consumes VPC IPs rapidly. To overcome these constraints, deploying Calico with IPIP or BGP offers a scalable alternative.
Kubernetes Networking: A Deep Dive From First Principles
How packets actually flow in Kubernetes – from veth pairs to CNI plugins to kube-proxy modes. With AWS/EKS context throughout.
#logging 2 posts
Elastic Cloud Setup Guide - From Zero to Production
A comprehensive guide to setting up Elastic Cloud (Elasticsearch Service), including deployment configuration, security setup, index lifecycle management, integrations, and cost optimization.
OpenTelemetry from Scratch
OpenTelemetry unifies traces, metrics, and logs under one standard. This guide covers how to instrument your applications, set up collectors, and actually make sense of the data.
#prometheus 2 posts
SLO-Based Alerting: Burn Rate Alerts vs Threshold Alerts
Implement SLO-based alerting with burn rate alerts. Move from noisy threshold alerts to meaningful reliability signals using error budgets.
Falco on K8s (Kind)
Falco Kubernetes Lab: Runtime Threat Detection with Prometheus & Grafana
#development 2 posts
The Fast Feedback Loop - Local Development with Kind, LocalStack, and Act
Combine Kind, LocalStack, and Act for a complete local development environment. Test Kubernetes, AWS services, and CI pipelines without leaving your laptop.
LocalStack Deep Dive - AWS on Your Laptop
Run AWS services locally for faster development and testing. A practical guide to LocalStack covering S3, Lambda, DynamoDB, SQS, and integration testing patterns.
#cloud 2 posts
FinOps for Engineering Teams - Making Cost Everyone's Problem
Cloud cost management isn't just for finance. Here's how engineering teams can build cost awareness into their workflow without slowing down delivery.
Right-Sizing Kubernetes Workloads - Stop Burning Money
Most Kubernetes clusters waste 50-70% of their resources. Here's how to measure what you're actually using, fix the worst offenders, and automate the process - without breaking production.
#ingress 2 posts
Gateway API Advanced Patterns: Beyond Basic Ingress
Master Gateway API with traffic splitting, header-based routing, cross-namespace references, and TLS passthrough. The future of Kubernetes ingress.
Kubernetes Gateway API vs Ingress - When to Migrate and How
Gateway API is the successor to Ingress, bringing role-oriented design, native traffic splitting, and cross-namespace routing. This post compares both APIs, when to migrate, and practical migration patterns.
#traffic-management 2 posts
Gateway API Advanced Patterns: Beyond Basic Ingress
Master Gateway API with traffic splitting, header-based routing, cross-namespace references, and TLS passthrough. The future of Kubernetes ingress.
Kubernetes Gateway API vs Ingress - When to Migrate and How
Gateway API is the successor to Ingress, bringing role-oriented design, native traffic splitting, and cross-namespace routing. This post compares both APIs, when to migrate, and practical migration patterns.
#cluster-management 2 posts
Kubernetes Cluster Upgrades: Production-Ready Guide
Technical guide for upgrading managed Kubernetes clusters across GKE, EKS, and AKS
GKE Upgrade Guide and Rollback Strategy: A Production-Ready Approach
Comprehensive guide for safely upgrading GKE clusters with minimal downtime and robust rollback procedures
#k3s 2 posts
Building a Production-Grade Homelab with K3s, Vault, and FluxCD
How I built a fully GitOps-managed Kubernetes homelab on a single mini PC - from unboxing to production. Proxmox bare metal install, K3s cluster, HashiCorp Vault secrets, full observability, and Cloudflare Tunnel.
K3s Homelab Setup Guide - Running Kubernetes on Raspberry Pi 5
Build a lightweight Kubernetes cluster on three Raspberry Pi 5 devices. Step-by-step guide covering K3s installation, cluster configuration, and deployment testing.
#coredns 2 posts
The Kubernetes ndots:5 Problem – Why DNS Lookups Take 15 Seconds
A deep dive into why external DNS resolution in Kubernetes can be painfully slow, how the default ndots:5 setting causes unnecessary lookups, and practical fixes that actually work.
Kubernetes DNS Spoofing: Exploiting NET_RAW and ARP
DNS spoofing in Kubernetes remains a critical threat, enabling attackers to redirect traffic, intercept data, or disrupt services. This article explores how such attacks occur and outlines strategies to prevent them.
#pods 2 posts
Pod Topology Spread Constraints - Distributing Workloads Intelligently
Control how pods spread across nodes, zones, and regions. A deep dive into topology spread constraints for high availability and efficient resource utilization.
Kubernetes Sidecar Startup Order - Making Your Main App Wait
How to ensure sidecar containers are ready before your main app starts. Covers startupProbe, postStart hooks, and why readinessProbe doesn't do what you think.
#gatekeeper 2 posts
Kyverno vs OPA: Policy Engines Compared
Detailed comparison of Kyverno and OPA Gatekeeper for Kubernetes policy enforcement. Includes real examples, performance considerations, and migration guidance.
OPA Gatekeeper: Policy as Code for Kubernetes
Implement admission control policies with OPA Gatekeeper. Enforce security standards, naming conventions, resource limits, and compliance requirements at the cluster level.
#documentation 2 posts
Why Senior Engineers Should Write Docs
Documentation is often treated as junior work. That's backwards. The most impactful documentation comes from senior engineers, and writing it is a force multiplier for your expertise.
The Meeting That Should Have Been a Doc
Most meetings are information broadcasts disguised as collaboration. Learn when to meet, when to write, and how to save everyone's time.
#nat 2 posts
Why I replaced AWS NAT Gateway with a NAT Instance - and saved 20$ of dollar per month
AWS offers NAT Gateways as the default, fully managed solution for letting private subnet resources reach the internet. However, NAT Gateways can be pricey: Hourly cost: ~₹3.75/hour (varies by region) Data transfer cost: Additional ₹3.75/GB on top of standard data transfer For small dev/test environments or personal labs, these costs can add up quickly. In contrast, a NAT Instance is just a normal EC2 instance configured to perform IP forwarding and NAT. It’s typically much cheaper to run a small instance (`t3.micro`) than a NAT Gateway, especially if your traffic volume is modest.
NAT Gateway Alternatives - Cutting Your AWS Bill Without Losing Sleep
NAT Gateways are the silent budget killer in AWS. Here's how to reduce costs with NAT instances, VPC endpoints, IPv6, and architectural changes - with real numbers and trade-offs.
#messaging 2 posts
NATS JetStream: Lightweight Alternative to Kafka
Deploy NATS JetStream for messaging and streaming. Simpler than Kafka, faster than RabbitMQ, with persistence and exactly-once delivery.
Apache Pulsar Playground: Running Pulsar Locally on kind with Dashboards, Clients, and Admin Tools
In this blog, I'll walk you through setting up a full-featured Apache Pulsar playground using kind (Kubernetes in Docker). Whether you're testing Pulsar for learning or demoing a real pub/sub model with admin tools and monitoring, this setup gives you everything.
#policy-as-code 2 posts
Spacelift from Scratch: Automating Terraform at Scale with Spaces, Stacks, OPA Policies, and a Private Module Registry
A complete guide to setting up Spacelift for multi-team Terraform automation - from zero to production with spaces, dynamic stacks, OPA security policies in Rego, private module registry, and GitOps-driven infrastructure.
OPA Gatekeeper: Policy as Code for Kubernetes
Implement admission control policies with OPA Gatekeeper. Enforce security standards, naming conventions, resource limits, and compliance requirements at the cluster level.
#packer 2 posts
Building Production AMIs with Packer: CI Pipelines, Terraform Integration, and Security Best Practices
Complete guide to building immutable AMIs with Packer in production - CI/CD pipelines, Terraform ASG integration, rollback strategies, maintenance workflows, and security hardening.
Deploying Vault with a Custom AMI
An end-to-end guide for baking a Vault AMI using Packer and deploying a Vault EC2 instance on AWS.
#ami 2 posts
Building Production AMIs with Packer: CI Pipelines, Terraform Integration, and Security Best Practices
Complete guide to building immutable AMIs with Packer in production - CI/CD pipelines, Terraform ASG integration, rollback strategies, maintenance workflows, and security hardening.
Deploying Vault with a Custom AMI
An end-to-end guide for baking a Vault AMI using Packer and deploying a Vault EC2 instance on AWS.
#principal-engineer 2 posts
The Real Difference Between Senior, Staff, and Principal Engineer
Everyone wants to know the difference between Senior, Staff, and Principal. After holding all three titles, I can tell you the real differences aren't what most people think. It's not about years - it's about scope.
The Principal Engineer Trap
The IC ladder looks appealing until you're at the top. Many senior engineers chase Principal titles without understanding what they're signing up for. Here's what nobody tells you.
#api-gateway 2 posts
Private API Gateway - Part 2: Secure Cross-VPC Access with PrivateLink and IAM Authentication
Extend your private API Gateway with secure access from other VPCs using PrivateLink and enforce IAM-based authentication.
Securing APIs in AWS: Private API Gateway + VPC Endpoint Deep Dive
Learn how to deploy a secure, private-only API Gateway inside your VPC using interface endpoints, resource policies, and VPC integration.
#azure 2 posts
Self-Hosted GitLab on Kubernetes - A Startup's Journey
A detailed guide on deploying GitLab on AKS using Helm charts, with Azure SQL as the database backend. Covers architecture decisions, configuration, lessons learned, and the gotchas we hit in production.
Private AKS Cluster with Twingate: Secure API Access Without a Public Endpoint
Running Kubernetes clusters privately is a growing best practice. In this blog, I'll walk you through deploying a private AKS cluster on Azure with no public API endpoint, and enabling secure access via Twingate VPN, which provides identity-based access without opening up your network.
#vpn 2 posts
Tailscale in Production: WireGuard Mesh for Hybrid Cloud
Deploy Tailscale for secure connectivity across clouds, offices, and Kubernetes clusters. Zero-config VPN mesh with SSO integration and ACLs.
Private AKS Cluster with Twingate: Secure API Access Without a Public Endpoint
Running Kubernetes clusters privately is a growing best practice. In this blog, I'll walk you through deploying a private AKS cluster on Azure with no public API endpoint, and enabling secure access via Twingate VPN, which provides identity-based access without opening up your network.
#canary 2 posts
Progressive Delivery with Flagger: Automated Canary Deployments
Implement automated canary deployments with Flagger. Metrics-based promotion, automated rollback, and integration with Istio, Linkerd, and Gateway API.
Building a Custom GitHub Action for Traefik Traffic Weighting
How I built a GitHub Action to manage blue/green and canary deployments by dynamically updating Traefik weighted services – with SigV4 authentication, YAML configuration, and a generator API.
#spiffe 2 posts
SPIFFE and SPIRE: Zero Trust Workload Identity
Deep dive into SPIFFE and SPIRE for workload identity. Replace shared secrets with cryptographic identity for service-to-service authentication. Includes Kubernetes deployment and mTLS examples.
SPIFFE and SPIRE in Kubernetes
Secure Your Kubernetes with SPIFFE + SPIRE: Zero-Trust Identity for Workloads
#spire 2 posts
SPIFFE and SPIRE: Zero Trust Workload Identity
Deep dive into SPIFFE and SPIRE for workload identity. Replace shared secrets with cryptographic identity for service-to-service authentication. Includes Kubernetes deployment and mTLS examples.
SPIFFE and SPIRE in Kubernetes
Secure Your Kubernetes with SPIFFE + SPIRE: Zero-Trust Identity for Workloads
#startups 2 posts
Startup vs Scale-Up vs Enterprise: Where You'll Actually Learn the Most
After working across all three - tiny startups, hypergrowth scale-ups, and massive enterprises - I can tell you they're completely different jobs. Same title, same tech, completely different experience. Here's what each teaches you.
Your Startup Doesn't Need Kubernetes
Kubernetes is an incredible technology that solves real problems. But for most startups, it's the wrong tool. Here's how to know when you're ready - and what to use instead.
#teams 1 post
The 10x Engineer is a Myth
The idea of the 10x engineer has done more harm than good. What actually matters is team multipliers - engineers who make everyone around them better.
#account-factory 1 post
AWS Account Provisioning at Scale with Control Tower, Service Catalog, and Terraform
How to build an automated account vending machine using AWS Control Tower Account Factory, Service Catalog, CloudFormation StackSets, and Terraform – from request to fully provisioned account with SSO and IAM roles.
#ack 1 post
AWS Controllers for Kubernetes
Manage AWS resources from Kubernetes manifests using AWS Controllers for Kubernetes (ACK). End-to-end demo on kind covering setup, RDS provisioning and the trade-offs vs Terraform.
#prefix-lists 1 post
AWS Managed Prefix Lists with Terraform - Stop Hardcoding CIDRs
How to use AWS Managed Prefix Lists to eliminate hardcoded CIDR blocks in security groups and route tables. Covers AWS-managed prefixes, customer-managed lists for data centres, and production Terraform patterns.
#security-groups 1 post
AWS Managed Prefix Lists with Terraform - Stop Hardcoding CIDRs
How to use AWS Managed Prefix Lists to eliminate hardcoded CIDR blocks in security groups and route tables. Covers AWS-managed prefixes, customer-managed lists for data centres, and production Terraform patterns.
#mlops 1 post
MLOps for DevOps Engineers - What You Actually Need to Know
MLOps is becoming a critical skill for DevOps engineers. Here's what matters: the infrastructure patterns, tooling, and operational practices that make ML systems work in production - from someone who learned the hard way.
#machine-learning 1 post
MLOps for DevOps Engineers - What You Actually Need to Know
MLOps is becoming a critical skill for DevOps engineers. Here's what matters: the infrastructure patterns, tooling, and operational practices that make ML systems work in production - from someone who learned the hard way.
#aws-config 1 post
AWS Config Rules with Auto Remediation - Enforce Compliance Automatically
How to use AWS Config Rules to detect compliance violations and automatically remediate them using SSM Automation documents. Covers managed rules, custom rules, remediation actions, and complete Terraform examples.
#compliance 1 post
AWS Config Rules with Auto Remediation - Enforce Compliance Automatically
How to use AWS Config Rules to detect compliance violations and automatically remediate them using SSM Automation documents. Covers managed rules, custom rules, remediation actions, and complete Terraform examples.
#ssm 1 post
AWS Config Rules with Auto Remediation - Enforce Compliance Automatically
How to use AWS Config Rules to detect compliance violations and automatically remediate them using SSM Automation documents. Covers managed rules, custom rules, remediation actions, and complete Terraform examples.
#iam-identity-center 1 post
Building an Automated Multi-Account AWS Architecture with Control Tower and Terraform
A hands-on walkthrough of enabling AWS Control Tower, designing an OU structure, automating account provisioning via Service Catalog, and deploying security baselines - from zero to fully automated account vending in production.
#endpoints 1 post
AWS VPC Endpoints - Keep Your Traffic Off the Internet
How to use VPC Endpoints to access AWS services without internet gateways or NAT. Covers Gateway vs Interface endpoints, PrivateLink, endpoint policies, cost optimization, and production Terraform patterns.
#cognito 1 post
Backstage on AWS ECS - Production-Ready Deployment with RDS and Cognito
A comprehensive guide to deploying Spotify's Backstage developer portal on AWS ECS Fargate with PostgreSQL RDS, Cognito authentication, and proper production hardening.
#developer-portal 1 post
Backstage Plugins: Building Custom Developer Portal Features
Build custom Backstage plugins for your internal developer portal. Create frontend components, backend APIs, and integrate with your existing tools.
#react 1 post
Backstage Plugins: Building Custom Developer Portal Features
Build custom Backstage plugins for your internal developer portal. Create frontend components, backend APIs, and integrate with your existing tools.
#typescript 1 post
Backstage Plugins: Building Custom Developer Portal Features
Build custom Backstage plugins for your internal developer portal. Create frontend components, backend APIs, and integrate with your existing tools.
#direct-connect 1 post
BGP in the Cloud – A Deep Dive into AWS Direct Connect, Routing Pathologies, and What Breaks in Production
A production-focused deep dive into how BGP actually behaves over AWS Direct Connect – route selection, failover, ASN design, MEDs, prepending, blackholing scenarios, and the real-world issues teams hit at scale.
#routing 1 post
BGP in the Cloud – A Deep Dive into AWS Direct Connect, Routing Pathologies, and What Breaks in Production
A production-focused deep dive into how BGP actually behaves over AWS Direct Connect – route selection, failover, ASN design, MEDs, prepending, blackholing scenarios, and the real-world issues teams hit at scale.
#psychological-safety 1 post
Blameless Culture is Harder Than You Think
Everyone claims to have a blameless culture. Few actually do. Here's what real blamelessness looks like and why it's so difficult to achieve.
#cdn 1 post
How we migrated our CDN to AWS CloudFront at Trainline
Migrating the Trainline CDN to AWS CloudFront — traffic shaping with Lambda@Edge, the cache-hit ratio we landed on, and the production gotchas behind the cutover.
#cloudfront 1 post
How we migrated our CDN to AWS CloudFront at Trainline
Migrating the Trainline CDN to AWS CloudFront — traffic shaping with Lambda@Edge, the cache-hit ratio we landed on, and the production gotchas behind the cutover.
#trainline 1 post
How we migrated our CDN to AWS CloudFront at Trainline
Migrating the Trainline CDN to AWS CloudFront — traffic shaping with Lambda@Edge, the cache-hit ratio we landed on, and the production gotchas behind the cutover.
#chaos-engineering 1 post
Chaos Engineering with Litmus: Controlled Failure Injection
Implement chaos engineering in Kubernetes with LitmusChaos. Run pod failures, network chaos, and stress tests to validate system resilience.
#litmus 1 post
Chaos Engineering with Litmus: Controlled Failure Injection
Implement chaos engineering in Kubernetes with LitmusChaos. Run pod failures, network chaos, and stress tests to validate system resilience.
#google-workspace 1 post
Securing Your Clawdbot & Setting Up Powerful Integrations
A comprehensive guide to hardening your Clawdbot installation and integrating with Google Workspace, GitHub, and Notion – turning your AI assistant into a productivity powerhouse.
#notion 1 post
Securing Your Clawdbot & Setting Up Powerful Integrations
A comprehensive guide to hardening your Clawdbot installation and integrating with Google Workspace, GitHub, and Notion – turning your AI assistant into a productivity powerhouse.
#integrations 1 post
Securing Your Clawdbot & Setting Up Powerful Integrations
A comprehensive guide to hardening your Clawdbot installation and integrating with Google Workspace, GitHub, and Notion – turning your AI assistant into a productivity powerhouse.
#oauth 1 post
Securing Your Clawdbot & Setting Up Powerful Integrations
A comprehensive guide to hardening your Clawdbot installation and integrating with Google Workspace, GitHub, and Notion – turning your AI assistant into a productivity powerhouse.
#whatsapp 1 post
Clawdbot Manual Setup – Step-by-Step VPS Configuration with WhatsApp Integration
A detailed walkthrough for setting up Clawdbot on a Hetzner VPS from scratch – SSH hardening, firewall configuration, Tailscale, and WhatsApp Business integration using a dedicated number.
#clickhouse 1 post
Migrating ClickHouse From EC2 to ClickHouse Cloud - Every Approach We Tried and Why Most Failed
S3 backup/restore, direct connectivity, Parquet exports - none of them worked cleanly. Here's the full war story of migrating a production ClickHouse instance to Cloud, the version mismatch that broke everything, and the dumb-simple approach that actually got the job done.
#tagging 1 post
Cloud Tagging Strategies That Actually Work
Tagging is the foundation of cloud governance, cost allocation, and automation. Here's how to implement tagging consistently across your infrastructure using context modules, policies, and automation.
#cloud-costs 1 post
Cloud Unit Economics for Multi-Tenant SaaS - Cost Per Customer, Not Per Service
How to calculate true cost-per-tenant in a shared infrastructure environment. Covers EKS with Karpenter, shared databases (Aurora, DynamoDB), and tools like OpenCost, CloudZero, and custom attribution approaches.
#multi-tenant 1 post
Cloud Unit Economics for Multi-Tenant SaaS - Cost Per Customer, Not Per Service
How to calculate true cost-per-tenant in a shared infrastructure environment. Covers EKS with Karpenter, shared databases (Aurora, DynamoDB), and tools like OpenCost, CloudZero, and custom attribution approaches.
#unit-economics 1 post
Cloud Unit Economics for Multi-Tenant SaaS - Cost Per Customer, Not Per Service
How to calculate true cost-per-tenant in a shared infrastructure environment. Covers EKS with Karpenter, shared databases (Aurora, DynamoDB), and tools like OpenCost, CloudZero, and custom attribution approaches.
#namespaces 1 post
Container Networking Deep Dive Part 1: Single Network Namespace on a VM
In the first part of our Container Networking Deep Dive, we explore how to set up a single network namespace inside a VM and connect it to the host using a veth pair.
#netns 1 post
Container Networking Deep Dive Part 2: Two Namespaces on the Same Host
In the second part of our Container Networking Deep Dive, we connect two network namespaces via a bridge on the same Linux host.
#bridge 1 post
Container Networking Deep Dive Part 2: Two Namespaces on the Same Host
In the second part of our Container Networking Deep Dive, we connect two network namespaces via a bridge on the same Linux host.
#cosign 1 post
Container Image Signing with Cosign - A Practical Guide
Sign and verify container images without managing keys. A hands-on guide to Cosign, keyless signing, and enforcing signatures in Kubernetes.
#backup 1 post
Database Backup to S3 with Kubernetes CronJobs
Build a production-ready database backup system using Kubernetes CronJobs, PostgreSQL, and S3. Includes a complete local testing environment with KIND and LocalStack.
#cronjob 1 post
Database Backup to S3 with Kubernetes CronJobs
Build a production-ready database backup system using Kubernetes CronJobs, PostgreSQL, and S3. Includes a complete local testing environment with KIND and LocalStack.
#stateful 1 post
Database on Kubernetes - When It Makes Sense
Running databases on Kubernetes is controversial. Sometimes it's the right call, sometimes it's a disaster waiting to happen. Here's how to decide, and how to do it properly if you choose to proceed.
#operators 1 post
Database on Kubernetes - When It Makes Sense
Running databases on Kubernetes is controversial. Sometimes it's the right call, sometimes it's a disaster waiting to happen. Here's how to decide, and how to do it properly if you choose to proceed.
#strimzi 1 post
Deploying Kafka on Kubernetes with Strimzi
A step-by-step guide to setting up a Kafka cluster on a local Kind cluster using the Strimzi operator, with optional Terraform provisioning.
#operator 1 post
Deploying Kafka on Kubernetes with Strimzi
A step-by-step guide to setting up a Kafka cluster on a local Kind cluster using the Strimzi operator, with optional Terraform provisioning.
#roadmap 1 post
The Ultimate Pathway to DevOps Revamped
A practical roadmap into DevOps for engineers starting out — what to learn, in what order, and where the genuine value is vs the hype.
#platform 1 post
The Ultimate Pathway to DevOps Revamped
A practical roadmap into DevOps for engineers starting out — what to learn, in what order, and where the genuine value is vs the hype.
#udp 1 post
DNS UDP Truncation: Why Your ECS Tasks Aren't Getting Traffic
How DNS UDP's 512-byte limit caps responses at ~8 A records, breaking service discovery for scaled ECS/CloudMap workloads – and the sidecar solution to bypass it.
#cloudmap 1 post
DNS UDP Truncation: Why Your ECS Tasks Aren't Getting Traffic
How DNS UDP's 512-byte limit caps responses at ~8 A records, breaking service discovery for scaled ECS/CloudMap workloads – and the sidecar solution to bypass it.
#service-discovery 1 post
DNS UDP Truncation: Why Your ECS Tasks Aren't Getting Traffic
How DNS UDP's 512-byte limit caps responses at ~8 A records, breaking service discovery for scaled ECS/CloudMap workloads – and the sidecar solution to bypass it.
#dora 1 post
DORA Metrics Implementation - Measuring What Matters
DORA metrics are the industry standard for measuring DevOps performance. Here's how to implement them properly, avoid common pitfalls, and actually use them to improve your team's delivery.
#dragonfly 1 post
Dragonfly vs Redis: Modern In-Memory Store Comparison
Compare Dragonfly and Redis for caching and data storage. Dragonfly's multi-threaded architecture vs Redis single-threaded model.
#redis 1 post
Dragonfly vs Redis: Modern In-Memory Store Comparison
Compare Dragonfly and Redis for caching and data storage. Dragonfly's multi-threaded architecture vs Redis single-threaded model.
#caching 1 post
Dragonfly vs Redis: Modern In-Memory Store Comparison
Compare Dragonfly and Redis for caching and data storage. Dragonfly's multi-threaded architecture vs Redis single-threaded model.
#dynatrace 1 post
Managing Dynatrace Alerts at Scale with Custom Ansible Roles
How we automated Dynatrace alerting configuration using custom Ansible roles - covering alert profiles, problem notifications, metric events, and maintenance windows across multiple environments.
#ansible 1 post
Managing Dynatrace Alerts at Scale with Custom Ansible Roles
How we automated Dynatrace alerting configuration using custom Ansible roles - covering alert profiles, problem notifications, metric events, and maintenance windows across multiple environments.
#kernel 1 post
eBPF Deep Dive - Beyond Cilium
eBPF is transforming how we observe, secure, and network Linux systems. This guide covers the fundamentals, practical use cases beyond Cilium, and how to start writing your own eBPF programs.
#tetragon 1 post
eBPF for Security: Kernel-Level Observability Without Agents
Deep dive into eBPF-based security tools - Cilium, Falco, and Tetragon. Learn how to implement runtime security, network policies, and threat detection at the kernel level.
#eni 1 post
Deep Dive into EC2 Networking
Deep Dive into EC2 Networking: ENIs, IP Addressing and Deployment Architectures
#ip 1 post
Deep Dive into EC2 Networking
Deep Dive into EC2 Networking: ENIs, IP Addressing and Deployment Architectures
#task-sets 1 post
ECS Task Sets: Blue/Green Deployments Without CodeDeploy
How to use ECS external deployment controllers and task sets for manual blue/green deployments – the setup, the CLI commands, the Terraform, and an honest assessment of when it's worth the complexity.
#network 1 post
EKS Private Network with Twingate
How to setup a private network for your EKS cluster with Twingate
#ip-exhaustion 1 post
EKS IP Exhaustion: Running out of IPs, one way to fix it
Running out of IP addresses in AWS EKS can be a subtle yet critical issue. It often manifests as pods stuck in a pending state or nodes failing to join the cluster, leading to deployment bottlenecks and potential downtime. Understanding the root cause and implementing effective solutions is essential for maintaining cluster health and scalability. Now, there are many ways to fix this, but this is one way.
#prefix-delegation 1 post
EKS IP Exhaustion: Running out of IPs, one way to fix it
Running out of IP addresses in AWS EKS can be a subtle yet critical issue. It often manifests as pods stuck in a pending state or nodes failing to join the cluster, leading to deployment bottlenecks and potential downtime. Understanding the root cause and implementing effective solutions is essential for maintaining cluster health and scalability. Now, there are many ways to fix this, but this is one way.
#ipip 1 post
EKS without VPC CNI: Deploying Calico with IPIP and BGP
AWS EKS defaults to the VPC CNI plugin, assigning VPC IPs to pods via ENIs. While straightforward, this setup limits pod density per node and consumes VPC IPs rapidly. To overcome these constraints, deploying Calico with IPIP or BGP offers a scalable alternative.
#elastic-cloud 1 post
Elastic Cloud Setup Guide - From Zero to Production
A comprehensive guide to setting up Elastic Cloud (Elasticsearch Service), including deployment configuration, security setup, index lifecycle management, integrations, and cost optimization.
#managed-services 1 post
Elastic Cloud Setup Guide - From Zero to Production
A comprehensive guide to setting up Elastic Cloud (Elasticsearch Service), including deployment configuration, security setup, index lifecycle management, integrations, and cost optimization.
#elk 1 post
ELK Stack Migration: From 6.x to 8.x - The Complete Guide
A comprehensive guide to migrating your Elasticsearch, Logstash, and Kibana stack from version 6.x to 8.x. Covers breaking changes, migration strategies, index compatibility, and zero-downtime approaches.
#kibana 1 post
ELK Stack Migration: From 6.x to 8.x - The Complete Guide
A comprehensive guide to migrating your Elasticsearch, Logstash, and Kibana stack from version 6.x to 8.x. Covers breaking changes, migration strategies, index compatibility, and zero-downtime approaches.
#logstash 1 post
ELK Stack Migration: From 6.x to 8.x - The Complete Guide
A comprehensive guide to migrating your Elasticsearch, Logstash, and Kibana stack from version 6.x to 8.x. Covers breaking changes, migration strategies, index compatibility, and zero-downtime approaches.
#etl 1 post
Build an ETL Pipeline with Python, PostgreSQL, and Airflow
A practical guide to building an ETL pipeline that extracts weather data from OpenWeatherMap, transforms it with pandas, and loads it into PostgreSQL. Includes Airflow orchestration with email notifications.
#python 1 post
Build an ETL Pipeline with Python, PostgreSQL, and Airflow
A practical guide to building an ETL pipeline that extracts weather data from OpenWeatherMap, transforms it with pandas, and loads it into PostgreSQL. Includes Airflow orchestration with email notifications.
#airflow 1 post
Build an ETL Pipeline with Python, PostgreSQL, and Airflow
A practical guide to building an ETL pipeline that extracts weather data from OpenWeatherMap, transforms it with pandas, and loads it into PostgreSQL. Includes Airflow orchestration with email notifications.
#data-engineering 1 post
Build an ETL Pipeline with Python, PostgreSQL, and Airflow
A practical guide to building an ETL pipeline that extracts weather data from OpenWeatherMap, transforms it with pandas, and loads it into PostgreSQL. Includes Airflow orchestration with email notifications.
#external-secrets 1 post
External Secrets Operator with AWS Secrets Manager - Stop Mounting Secrets in ConfigMaps
How to use External Secrets Operator to sync AWS Secrets Manager secrets to Kubernetes. Covers SecretStore, ExternalSecret, IAM with IRSA, templating, and production patterns.
#secrets-manager 1 post
External Secrets Operator with AWS Secrets Manager - Stop Mounting Secrets in ConfigMaps
How to use External Secrets Operator to sync AWS Secrets Manager secrets to Kubernetes. Covers SecretStore, ExternalSecret, IAM with IRSA, templating, and production patterns.
#grafana 1 post
Falco on K8s (Kind)
Falco Kubernetes Lab: Runtime Threat Detection with Prometheus & Grafana
#firecracker 1 post
ECS Fargate Deep Dive Part 2: Firecracker in Action
In the second part of our ECS Fargate Deep Dive, we get hands-on with Firecracker — the lightweight VMM that powers Fargate — and simulate task isolation and networking locally.
#kubecost 1 post
FinOps Automation: Kubecost, OpenCost, and Automated Rightsizing
Implement automated cloud cost optimization with Kubecost and OpenCost. Track costs per team, rightsize resources, and automate savings.
#opencost 1 post
FinOps Automation: Kubecost, OpenCost, and Automated Rightsizing
Implement automated cloud cost optimization with Kubecost and OpenCost. Track costs per team, rightsize resources, and automate savings.
#consulting 1 post
That Time I Gave Away £50k Worth of Consulting for Free (And What It Taught Me About the Industry)
On interview take-home tests that are suspiciously specific, contractors who get ghosted after detailed proposals, and learning to play the game without becoming bitter about it.
#tech-industry 1 post
That Time I Gave Away £50k Worth of Consulting for Free (And What It Taught Me About the Industry)
On interview take-home tests that are suspiciously specific, contractors who get ghosted after detailed proposals, and learning to play the game without becoming bitter about it.
#lessons-learned 1 post
That Time I Gave Away £50k Worth of Consulting for Free (And What It Taught Me About the Industry)
On interview take-home tests that are suspiciously specific, contractors who get ghosted after detailed proposals, and learning to play the game without becoming bitter about it.
#argocd 1 post
GitOps with ArgoCD - A Practical Setup Guide
A hands-on guide to implementing GitOps with ArgoCD. Covers installation, application management, sync strategies, secrets handling, and the patterns that actually work in production.
#cluster 1 post
#access 1 post
#google-cloud 1 post
GKE Upgrade Guide and Rollback Strategy: A Production-Ready Approach
Comprehensive guide for safely upgrading GKE clusters with minimal downtime and robust rollback procedures
#workload-identity 1 post
Zero to Production: GitHub Actions CI/CD into GKE with Workload Identity
In this deep dive, we set up a secure, production-ready CI/CD pipeline from GitHub Actions to GKE using Workload Identity Federation—no secrets needed.
#rollback 1 post
Helm Atomics: The Flag That Saves Your Production Deploys (And Its Hidden Gotchas)
Deep dive into Helm's --atomic, --wait, and --cleanup-on-fail flags. How they work, when to use them, the CI/CD pipeline trap that catches everyone, and production-ready deployment patterns.
#fluxcd 1 post
Building a Production-Grade Homelab with K3s, Vault, and FluxCD
How I built a fully GitOps-managed Kubernetes homelab on a single mini PC - from unboxing to production. Proxmox bare metal install, K3s cluster, HashiCorp Vault secrets, full observability, and Cloudflare Tunnel.
#hashicorp-vault 1 post
Building a Production-Grade Homelab with K3s, Vault, and FluxCD
How I built a fully GitOps-managed Kubernetes homelab on a single mini PC - from unboxing to production. Proxmox bare metal install, K3s cluster, HashiCorp Vault secrets, full observability, and Cloudflare Tunnel.
#identity-aware-proxy 1 post
Identity Aware Proxy: Zero Trust Access for Internal Applications
Deep dive into Identity Aware Proxies - what they are, how they work, and how to implement them with GCP IAP, Pomerium, and OAuth2-Proxy. Includes Terraform and Kubernetes examples.
#oauth2 1 post
Identity Aware Proxy: Zero Trust Access for Internal Applications
Deep dive into Identity Aware Proxies - what they are, how they work, and how to implement them with GCP IAP, Pomerium, and OAuth2-Proxy. Includes Terraform and Kubernetes examples.
#ebs 1 post
How to Increase EBS Disk Size on EC2 (Without Downtime)
Online EBS volume resizing for running instances – the IaC way with Terraform and ASG instance refresh, plus the manual escape hatch when you need it now. No reboot required.
#disk 1 post
How to Increase EBS Disk Size on EC2 (Without Downtime)
Online EBS volume resizing for running instances – the IaC way with Terraform and ASG instance refresh, plus the manual escape hatch when you need it now. No reboot required.
#port 1 post
Port and Kratix: Internal Developer Platforms Beyond Backstage
Explore Port and Kratix for building internal developer platforms. Self-service infrastructure, developer workflows, and platform engineering patterns.
#kratix 1 post
Port and Kratix: Internal Developer Platforms Beyond Backstage
Explore Port and Kratix for building internal developer platforms. Self-service infrastructure, developer workflows, and platform engineering patterns.
#self-service 1 post
Port and Kratix: Internal Developer Platforms Beyond Backstage
Explore Port and Kratix for building internal developer platforms. Self-service infrastructure, developer workflows, and platform engineering patterns.
#jenkins 1 post
Migrating 30 Repos from Jenkins to GitHub Actions – The Complete Runbook
A battle-tested playbook for migrating CI/CD pipelines from Jenkins to GitHub Actions at scale. Covers OIDC authentication, parallel running, secrets migration, and the gotchas that will bite you.
#jvm 1 post
Debugging JVM Thread Exhaustion on EC2: A Contractor War Story
How I diagnosed and fixed a Java application that kept crashing under load – from 'cannot create native thread' errors to properly tuned JVM settings, system limits, and right-sized EC2 instances.
#memory 1 post
Debugging JVM Thread Exhaustion on EC2: A Contractor War Story
How I diagnosed and fixed a Java application that kept crashing under load – from 'cannot create native thread' errors to properly tuned JVM settings, system limits, and right-sized EC2 instances.
#threads 1 post
Debugging JVM Thread Exhaustion on EC2: A Contractor War Story
How I diagnosed and fixed a Java application that kept crashing under load – from 'cannot create native thread' errors to properly tuned JVM settings, system limits, and right-sized EC2 instances.
#raspberry-pi 1 post
K3s Homelab Setup Guide - Running Kubernetes on Raspberry Pi 5
Build a lightweight Kubernetes cluster on three Raspberry Pi 5 devices. Step-by-step guide covering K3s installation, cluster configuration, and deployment testing.
#socks5 1 post
Working with Databases in Kubernetes: Connections, Dumps and Data Extraction
A practical guide to connecting to PostgreSQL databases in Kubernetes – exec into pods, VPN access, SOCKS5 proxies, pg_dump, kubectl cp and getting data out when you need it.
#pg_dump 1 post
Working with Databases in Kubernetes: Connections, Dumps and Data Extraction
A practical guide to connecting to PostgreSQL databases in Kubernetes – exec into pods, VPN access, SOCKS5 proxies, pg_dump, kubectl cp and getting data out when you need it.
#arp 1 post
Kubernetes DNS Spoofing: Exploiting NET_RAW and ARP
DNS spoofing in Kubernetes remains a critical threat, enabling attackers to redirect traffic, intercept data, or disrupt services. This article explores how such attacks occur and outlines strategies to prevent them.
#net_raw 1 post
Kubernetes DNS Spoofing: Exploiting NET_RAW and ARP
DNS spoofing in Kubernetes remains a critical threat, enabling attackers to redirect traffic, intercept data, or disrupt services. This article explores how such attacks occur and outlines strategies to prevent them.
#mitm 1 post
Kubernetes DNS Spoofing: Exploiting NET_RAW and ARP
DNS spoofing in Kubernetes remains a critical threat, enabling attackers to redirect traffic, intercept data, or disrupt services. This article explores how such attacks occur and outlines strategies to prevent them.
#networkpolicy 1 post
NetworkPolicy Default Deny – The One Rule We Add to Every Namespace
Why your Kubernetes cluster is wide open by default, and the single NetworkPolicy that changes everything. Copy, paste, deploy, sleep better.
#sidecars 1 post
Kubernetes Sidecar Startup Order - Making Your Main App Wait
How to ensure sidecar containers are ready before your main app starts. Covers startupProbe, postStart hooks, and why readinessProbe doesn't do what you think.
#kyverno 1 post
Kyverno vs OPA: Policy Engines Compared
Detailed comparison of Kyverno and OPA Gatekeeper for Kubernetes policy enforcement. Includes real examples, performance considerations, and migration guidance.
#policy 1 post
Kyverno vs OPA: Policy Engines Compared
Detailed comparison of Kyverno and OPA Gatekeeper for Kubernetes policy enforcement. Includes real examples, performance considerations, and migration guidance.
#lab 1 post
Creating a Lab Container
An end-to-end guide for creating a lab container for DevOps training.
#container 1 post
Creating a Lab Container
An end-to-end guide for creating a lab container for DevOps training.
#meetings 1 post
The Meeting That Should Have Been a Doc
Most meetings are information broadcasts disguised as collaboration. Learn when to meet, when to write, and how to save everyone's time.
#gateway 1 post
Why I replaced AWS NAT Gateway with a NAT Instance - and saved 20$ of dollar per month
AWS offers NAT Gateways as the default, fully managed solution for letting private subnet resources reach the internet. However, NAT Gateways can be pricey: Hourly cost: ~₹3.75/hour (varies by region) Data transfer cost: Additional ₹3.75/GB on top of standard data transfer For small dev/test environments or personal labs, these costs can add up quickly. In contrast, a NAT Instance is just a normal EC2 instance configured to perform IP forwarding and NAT. It’s typically much cheaper to run a small instance (`t3.micro`) than a NAT Gateway, especially if your traffic volume is modest.
#instance 1 post
Why I replaced AWS NAT Gateway with a NAT Instance - and saved 20$ of dollar per month
AWS offers NAT Gateways as the default, fully managed solution for letting private subnet resources reach the internet. However, NAT Gateways can be pricey: Hourly cost: ~₹3.75/hour (varies by region) Data transfer cost: Additional ₹3.75/GB on top of standard data transfer For small dev/test environments or personal labs, these costs can add up quickly. In contrast, a NAT Instance is just a normal EC2 instance configured to perform IP forwarding and NAT. It’s typically much cheaper to run a small instance (`t3.micro`) than a NAT Gateway, especially if your traffic volume is modest.
#cost 1 post
Why I replaced AWS NAT Gateway with a NAT Instance - and saved 20$ of dollar per month
AWS offers NAT Gateways as the default, fully managed solution for letting private subnet resources reach the internet. However, NAT Gateways can be pricey: Hourly cost: ~₹3.75/hour (varies by region) Data transfer cost: Additional ₹3.75/GB on top of standard data transfer For small dev/test environments or personal labs, these costs can add up quickly. In contrast, a NAT Instance is just a normal EC2 instance configured to perform IP forwarding and NAT. It’s typically much cheaper to run a small instance (`t3.micro`) than a NAT Gateway, especially if your traffic volume is modest.
#savings 1 post
Why I replaced AWS NAT Gateway with a NAT Instance - and saved 20$ of dollar per month
AWS offers NAT Gateways as the default, fully managed solution for letting private subnet resources reach the internet. However, NAT Gateways can be pricey: Hourly cost: ~₹3.75/hour (varies by region) Data transfer cost: Additional ₹3.75/GB on top of standard data transfer For small dev/test environments or personal labs, these costs can add up quickly. In contrast, a NAT Instance is just a normal EC2 instance configured to perform IP forwarding and NAT. It’s typically much cheaper to run a small instance (`t3.micro`) than a NAT Gateway, especially if your traffic volume is modest.
#nats 1 post
NATS JetStream: Lightweight Alternative to Kafka
Deploy NATS JetStream for messaging and streaming. Simpler than Kafka, faster than RabbitMQ, with persistence and exactly-once delivery.
#jetstream 1 post
NATS JetStream: Lightweight Alternative to Kafka
Deploy NATS JetStream for messaging and streaming. Simpler than Kafka, faster than RabbitMQ, with persistence and exactly-once delivery.
#streaming 1 post
NATS JetStream: Lightweight Alternative to Kafka
Deploy NATS JetStream for messaging and streaming. Simpler than Kafka, faster than RabbitMQ, with persistence and exactly-once delivery.
#microservices 1 post
NATS JetStream: Lightweight Alternative to Kafka
Deploy NATS JetStream for messaging and streaming. Simpler than Kafka, faster than RabbitMQ, with persistence and exactly-once delivery.
#negotiation 1 post
10 Rules for Negotiating Your Job Offer (From 7 Years of Engineering)
Most engineers massively undervalue themselves because no one taught them how to negotiate. Here's everything I've learned from negotiating salaries, contracts, titles, and more.
#tools 1 post
Networking Tools
Networking Tools
#nginx 1 post
Production War Stories: The NGINX Log Rotation That Caused a P1
How a 'safe' AMI upgrade led to traffic drops, zombie log files, and disk exhaustion – and the debugging journey that followed. A real incident from on-call, with technical details and lessons learned.
#incident 1 post
Production War Stories: The NGINX Log Rotation That Caused a P1
How a 'safe' AMI upgrade led to traffic drops, zombie log files, and disk exhaustion – and the debugging journey that followed. A real incident from on-call, with technical details and lessons learned.
#log-rotation 1 post
Production War Stories: The NGINX Log Rotation That Caused a P1
How a 'safe' AMI upgrade led to traffic drops, zombie log files, and disk exhaustion – and the debugging journey that followed. A real incident from on-call, with technical details and lessons learned.
#war-stories 1 post
Production War Stories: The NGINX Log Rotation That Caused a P1
How a 'safe' AMI upgrade led to traffic drops, zombie log files, and disk exhaustion – and the debugging journey that followed. A real incident from on-call, with technical details and lessons learned.
#admission-control 1 post
OPA Gatekeeper: Policy as Code for Kubernetes
Implement admission control policies with OPA Gatekeeper. Enforce security standards, naming conventions, resource limits, and compliance requirements at the cluster level.
#traces 1 post
OpenTelemetry Collector Pipelines: Transform, Filter, Route Telemetry
Master OpenTelemetry Collector configuration. Build pipelines to transform metrics, filter traces, route logs, and reduce telemetry costs.
#logs 1 post
OpenTelemetry Collector Pipelines: Transform, Filter, Route Telemetry
Master OpenTelemetry Collector configuration. Build pipelines to transform metrics, filter traces, route logs, and reduce telemetry costs.
#collector 1 post
OpenTelemetry Collector Pipelines: Transform, Filter, Route Telemetry
Master OpenTelemetry Collector configuration. Build pipelines to transform metrics, filter traces, route logs, and reduce telemetry costs.
#tracing 1 post
OpenTelemetry from Scratch
OpenTelemetry unifies traces, metrics, and logs under one standard. This guide covers how to instrument your applications, set up collectors, and actually make sense of the data.
#immutable-infrastructure 1 post
Building Production AMIs with Packer: CI Pipelines, Terraform Integration, and Security Best Practices
Complete guide to building immutable AMIs with Packer in production - CI/CD pipelines, Terraform ASG integration, rollback strategies, maintenance workflows, and security hardening.
#internal-platforms 1 post
Platform Engineering in 2026 - It's About the Discipline, Not the Tools
Platform engineering has become the most misunderstood role in tech. Everyone's building 'platforms' but few understand what actually makes one successful. Here's what I've learned building platforms for teams of 10 to 500.
#pod-security 1 post
Pod Security Standards Enforcement - The PSP Replacement That Actually Works
How to enforce Pod Security Standards using the built-in Pod Security Admission controller. Covers Privileged, Baseline, and Restricted profiles, migration from PSPs, namespace labeling, and exemptions.
#psp 1 post
Pod Security Standards Enforcement - The PSP Replacement That Actually Works
How to enforce Pod Security Standards using the built-in Pod Security Admission controller. Covers Privileged, Baseline, and Restricted profiles, migration from PSPs, namespace labeling, and exemptions.
#admission-controller 1 post
Pod Security Standards Enforcement - The PSP Replacement That Actually Works
How to enforce Pod Security Standards using the built-in Pod Security Admission controller. Covers Privileged, Baseline, and Restricted profiles, migration from PSPs, namespace labeling, and exemptions.
#hardening 1 post
Pod Security Standards Enforcement - The PSP Replacement That Actually Works
How to enforce Pod Security Standards using the built-in Pod Security Admission controller. Covers Privileged, Baseline, and Restricted profiles, migration from PSPs, namespace labeling, and exemptions.
#scheduling 1 post
Pod Topology Spread Constraints - Distributing Workloads Intelligently
Control how pods spread across nodes, zones, and regions. A deep dive into topology spread constraints for high availability and efficient resource utilization.
#high-availability 1 post
Pod Topology Spread Constraints - Distributing Workloads Intelligently
Control how pods spread across nodes, zones, and regions. A deep dive into topology spread constraints for high availability and efficient resource utilization.
#private-cluster 1 post
Private AKS Cluster with Twingate: Secure API Access Without a Public Endpoint
Running Kubernetes clusters privately is a growing best practice. In this blog, I'll walk you through deploying a private AKS cluster on Azure with no public API endpoint, and enabling secure access via Twingate VPN, which provides identity-based access without opening up your network.
#flagger 1 post
Progressive Delivery with Flagger: Automated Canary Deployments
Implement automated canary deployments with Flagger. Metrics-based promotion, automated rollback, and integration with Istio, Linkerd, and Gateway API.
#progressive-delivery 1 post
Progressive Delivery with Flagger: Automated Canary Deployments
Implement automated canary deployments with Flagger. Metrics-based promotion, automated rollback, and integration with Istio, Linkerd, and Gateway API.
#apache-pulsar 1 post
Apache Pulsar Playground: Running Pulsar Locally on kind with Dashboards, Clients, and Admin Tools
In this blog, I'll walk you through setting up a full-featured Apache Pulsar playground using kind (Kubernetes in Docker). Whether you're testing Pulsar for learning or demoing a real pub/sub model with admin tools and monitoring, this setup gives you everything.
#pubsub 1 post
Apache Pulsar Playground: Running Pulsar Locally on kind with Dashboards, Clients, and Admin Tools
In this blog, I'll walk you through setting up a full-featured Apache Pulsar playground using kind (Kubernetes in Docker). Whether you're testing Pulsar for learning or demoing a real pub/sub model with admin tools and monitoring, this setup gives you everything.
#devtools 1 post
Apache Pulsar Playground: Running Pulsar Locally on kind with Dashboards, Clients, and Admin Tools
In this blog, I'll walk you through setting up a full-featured Apache Pulsar playground using kind (Kubernetes in Docker). Whether you're testing Pulsar for learning or demoing a real pub/sub model with admin tools and monitoring, this setup gives you everything.
#pulsar 1 post
Pulsar vs Kafka in K8s: Battle of Event Streams
Pulsar vs Kafka
#rds-proxy 1 post
RDS Proxy for Lambda - Solving the Connection Exhaustion Problem
How to use Amazon RDS Proxy to handle database connections from Lambda functions at scale. Covers connection pooling, IAM authentication, Terraform setup, and the gotchas you'll hit in production.
#connection-pooling 1 post
RDS Proxy for Lambda - Solving the Connection Exhaustion Problem
How to use Amazon RDS Proxy to handle database connections from Lambda functions at scale. Covers connection pooling, IAM authentication, Terraform setup, and the gotchas you'll hit in production.
#management 1 post
Remote Work Won
The RTO push isn't about productivity. The data is clear: remote work works. What's really happening is a fight over control, real estate, and management inability to adapt.
#resource-management 1 post
Right-Sizing Kubernetes Workloads - Stop Burning Money
Most Kubernetes clusters waste 50-70% of their resources. Here's how to measure what you're actually using, fix the worst offenders, and automate the process - without breaking production.
#route53 1 post
Route 53 Deep Dive: Multi-Region Latency Routing with Health-Based Failover
A hands-on guide to configuring AWS Route 53 for latency-based routing across multiple regions, incorporating health checks for automatic failover.
#failover 1 post
Route 53 Deep Dive: Multi-Region Latency Routing with Health-Based Failover
A hands-on guide to configuring AWS Route 53 for latency-based routing across multiple regions, incorporating health checks for automatic failover.
#latency-routing 1 post
Route 53 Deep Dive: Multi-Region Latency Routing with Health-Based Failover
A hands-on guide to configuring AWS Route 53 for latency-based routing across multiple regions, incorporating health checks for automatic failover.
#secretless 1 post
Secretless Broker: Zero-Secret Applications
Remove secrets from your applications entirely with Secretless Broker. Inject database credentials, API keys, and certificates via sidecar without your app knowing they exist.
#secrets-management 1 post
Secretless Broker: Zero-Secret Applications
Remove secrets from your applications entirely with Secretless Broker. Inject database credentials, API keys, and certificates via sidecar without your app knowing they exist.
#sidecar 1 post
Secretless Broker: Zero-Secret Applications
Remove secrets from your applications entirely with Secretless Broker. Inject database credentials, API keys, and certificates via sidecar without your app knowing they exist.
#gitlab 1 post
Self-Hosted GitLab on Kubernetes - A Startup's Journey
A detailed guide on deploying GitLab on AKS using Helm charts, with Azure SQL as the database backend. Covers architecture decisions, configuration, lessons learned, and the gotchas we hit in production.
#self-hosted 1 post
Self-Hosted GitLab on Kubernetes - A Startup's Journey
A detailed guide on deploying GitLab on AKS using Helm charts, with Azure SQL as the database backend. Covers architecture decisions, configuration, lessons learned, and the gotchas we hit in production.
#startup 1 post
Self-Hosted GitLab on Kubernetes - A Startup's Journey
A detailed guide on deploying GitLab on AKS using Helm charts, with Azure SQL as the database backend. Covers architecture decisions, configuration, lessons learned, and the gotchas we hit in production.
#technical-writing 1 post
Why Senior Engineers Should Write Docs
Documentation is often treated as junior work. That's backwards. The most impactful documentation comes from senior engineers, and writing it is a force multiplier for your expertise.
#istio 1 post
Service Mesh Comparison - Istio vs Linkerd vs Cilium
Service meshes promise observability, security, and traffic management. But which one should you choose? A practical comparison based on running all three in production.
#linkerd 1 post
Service Mesh Comparison - Istio vs Linkerd vs Cilium
Service meshes promise observability, security, and traffic management. But which one should you choose? A practical comparison based on running all three in production.
#slo 1 post
SLO-Based Alerting: Burn Rate Alerts vs Threshold Alerts
Implement SLO-based alerting with burn rate alerts. Move from noisy threshold alerts to meaningful reliability signals using error budgets.
#soc 1 post
Build a SOC Homelab with Docker - Elasticsearch, Cribl, and Log Simulation
Set up a Security Operations Center lab environment using Docker. Includes Elasticsearch, Kibana, Cribl Stream for log routing, and simulated log generators for hands-on security analysis practice.
#cribl 1 post
Build a SOC Homelab with Docker - Elasticsearch, Cribl, and Log Simulation
Set up a Security Operations Center lab environment using Docker. Includes Elasticsearch, Kibana, Cribl Stream for log routing, and simulated log generators for hands-on security analysis practice.
#siem 1 post
Build a SOC Homelab with Docker - Elasticsearch, Cribl, and Log Simulation
Set up a Security Operations Center lab environment using Docker. Includes Elasticsearch, Kibana, Cribl Stream for log routing, and simulated log generators for hands-on security analysis practice.
#rego 1 post
Spacelift from Scratch: Automating Terraform at Scale with Spaces, Stacks, OPA Policies, and a Private Module Registry
A complete guide to setting up Spacelift for multi-team Terraform automation - from zero to production with spaces, dynamic stacks, OPA security policies in Rego, private module registry, and GitOps-driven infrastructure.
#modules 1 post
Spacelift from Scratch: Automating Terraform at Scale with Spaces, Stacks, OPA Policies, and a Private Module Registry
A complete guide to setting up Spacelift for multi-team Terraform automation - from zero to production with spaces, dynamic stacks, OPA security policies in Rego, private module registry, and GitOps-driven infrastructure.
#spot-instances 1 post
Spot Instance Patterns: Graceful Handling and Cost Savings
Master AWS Spot Instances in production. Handle interruptions gracefully, use mixed instance groups, and save 60-90% on compute costs.
#sql-server 1 post
Migrating Event Store Data from SQL Server and Oracle to DynamoDB with AWS DMS
How we used AWS DMS with database views, partitioned replication tasks, and Terraform to migrate event sourcing data from on-prem SQL Server and Oracle to DynamoDB – the architecture, the gotchas, and production Terraform you can reuse.
#oracle 1 post
Migrating Event Store Data from SQL Server and Oracle to DynamoDB with AWS DMS
How we used AWS DMS with database views, partitioned replication tasks, and Terraform to migrate event sourcing data from on-prem SQL Server and Oracle to DynamoDB – the architecture, the gotchas, and production Terraform you can reuse.
#dms 1 post
Migrating Event Store Data from SQL Server and Oracle to DynamoDB with AWS DMS
How we used AWS DMS with database views, partitioned replication tasks, and Terraform to migrate event sourcing data from on-prem SQL Server and Oracle to DynamoDB – the architecture, the gotchas, and production Terraform you can reuse.
#event-sourcing 1 post
Migrating Event Store Data from SQL Server and Oracle to DynamoDB with AWS DMS
How we used AWS DMS with database views, partitioned replication tasks, and Terraform to migrate event sourcing data from on-prem SQL Server and Oracle to DynamoDB – the architecture, the gotchas, and production Terraform you can reuse.
#agile 1 post
Standups Are Broken
Daily standups were meant to improve communication. Instead, they've become status meetings that waste time and interrupt deep work. There's a better way.
#team-management 1 post
Standups Are Broken
Daily standups were meant to improve communication. Instead, they've become status meetings that waste time and interrupt deep work. There's a better way.
#certifications 1 post
Stop Chasing Certifications
Certifications have become a checkbox exercise. They don't prove competence, and they often distract from what actually matters: building things and solving real problems.
#learning 1 post
Stop Chasing Certifications
Certifications have become a checkbox exercise. They don't prove competence, and they often distract from what actually matters: building things and solving real problems.
#supply-chain 1 post
Software Supply Chain Security - Sigstore, SLSA, and Beyond
Your dependencies are an attack vector. Here's how to secure your software supply chain with Sigstore, SLSA frameworks, SBOMs, and admission policies that actually work.
#slsa 1 post
Software Supply Chain Security - Sigstore, SLSA, and Beyond
Your dependencies are an attack vector. Here's how to secure your software supply chain with Sigstore, SLSA frameworks, SBOMs, and admission policies that actually work.
#sbom 1 post
Software Supply Chain Security - Sigstore, SLSA, and Beyond
Your dependencies are an attack vector. Here's how to secure your software supply chain with Sigstore, SLSA frameworks, SBOMs, and admission policies that actually work.
#tailscale 1 post
Tailscale in Production: WireGuard Mesh for Hybrid Cloud
Deploy Tailscale for secure connectivity across clouds, offices, and Kubernetes clusters. Zero-config VPN mesh with SSO integration and ACLs.
#wireguard 1 post
Tailscale in Production: WireGuard Mesh for Hybrid Cloud
Deploy Tailscale for secure connectivity across clouds, offices, and Kubernetes clusters. Zero-config VPN mesh with SSO integration and ACLs.
#hcl2 1 post
Terraform 0.11 to 1.11 Migration - The Full Journey
A detailed guide on migrating Terraform from 0.11 to 1.11, covering HCL2 syntax changes, the S3 bucket resource split, state manipulation, and ensuring zero-drift upgrades.
#best-practices 1 post
Terraform Best Practices (Part 1) - Project Structure, State, and Modules
A comprehensive guide to Terraform best practices covering project organisation, state management, module design, and foundational patterns for scalable infrastructure as code.
#state 1 post
Terraform State Surgery - Splitting, Moving, and Refactoring Without Downtime
A practical guide to breaking up monolithic Terraform state files, moving resources between states, and refactoring infrastructure safely. Includes real examples, scripts, and the exact commands we use.
#refactoring 1 post
Terraform State Surgery - Splitting, Moving, and Refactoring Without Downtime
A practical guide to breaking up monolithic Terraform state files, moving resources between states, and refactoring infrastructure safely. Includes real examples, scripts, and the exact commands we use.
#sigv4 1 post
Building a Custom GitHub Action for Traefik Traffic Weighting
How I built a GitHub Action to manage blue/green and canary deployments by dynamically updating Traefik weighted services – with SigV4 authentication, YAML configuration, and a generator API.
#tls 1 post
mTLS with Traefik: Hands-On Setup with Step CA
A complete walkthrough of setting up mutual TLS with Traefik and Smallstep CA – from certificate generation to client authentication. Includes local DNS, ACME integration, and a working demo you can deploy.
#certificates 1 post
mTLS with Traefik: Hands-On Setup with Step CA
A complete walkthrough of setting up mutual TLS with Traefik and Smallstep CA – from certificate generation to client authentication. Includes local DNS, ACME integration, and a working demo you can deploy.
#smallstep 1 post
mTLS with Traefik: Hands-On Setup with Step CA
A complete walkthrough of setting up mutual TLS with Traefik and Smallstep CA – from certificate generation to client authentication. Includes local DNS, ACME integration, and a working demo you can deploy.
#pki 1 post
mTLS with Traefik: Hands-On Setup with Step CA
A complete walkthrough of setting up mutual TLS with Traefik and Smallstep CA – from certificate generation to client authentication. Includes local DNS, ACME integration, and a working demo you can deploy.
#vault 1 post
Deploying Vault with a Custom AMI
An end-to-end guide for baking a Vault AMI using Packer and deploying a Vault EC2 instance on AWS.
#aurora 1 post
Implementing Vertical Autoscaling for Aurora Databases Using Lambda Functions
AWS doesn't offer vertical autoscaling for Aurora – so we built it. CloudWatch Alarms, SNS, Lambda coordination, and the gotchas we hit in production.
#vitess 1 post
Vitess for MySQL: Horizontal Sharding Done Right
Scale MySQL horizontally with Vitess. Automatic sharding, online schema changes, and Kubernetes-native deployment for massive scale.
#mysql 1 post
Vitess for MySQL: Horizontal Sharding Done Right
Scale MySQL horizontally with Vitess. Automatic sharding, online schema changes, and Kubernetes-native deployment for massive scale.
#sharding 1 post
Vitess for MySQL: Horizontal Sharding Done Right
Scale MySQL horizontally with Vitess. Automatic sharding, online schema changes, and Kubernetes-native deployment for massive scale.
#scaling 1 post
Vitess for MySQL: Horizontal Sharding Done Right
Scale MySQL horizontally with Vitess. Automatic sharding, online schema changes, and Kubernetes-native deployment for massive scale.
#vpa 1 post
VPA + HPA Together: The Right Way to Autoscale Both
Use Vertical Pod Autoscaler and Horizontal Pod Autoscaler together without conflicts. Includes KEDA integration and best practices.
#hpa 1 post
VPA + HPA Together: The Right Way to Autoscale Both
Use Vertical Pod Autoscaler and Horizontal Pod Autoscaler together without conflicts. Includes KEDA integration and best practices.
#keda 1 post
VPA + HPA Together: The Right Way to Autoscale Both
Use Vertical Pod Autoscaler and Horizontal Pod Autoscaler together without conflicts. Includes KEDA integration and best practices.
#api-server 1 post
What Actually Happens When You kubectl apply – The Full Chain From YAML to Running Pod
The complete journey: client-side vs server-side apply, admission controllers, etcd persistence, controller reconciliation, scheduler binding, and kubelet container creation. Every step traced.
#etcd 1 post
What Actually Happens When You kubectl apply – The Full Chain From YAML to Running Pod
The complete journey: client-side vs server-side apply, admission controllers, etcd persistence, controller reconciliation, scheduler binding, and kubelet container creation. Every step traced.
#controllers 1 post
What Actually Happens When You kubectl apply – The Full Chain From YAML to Running Pod
The complete journey: client-side vs server-side apply, admission controllers, etcd persistence, controller reconciliation, scheduler binding, and kubelet container creation. Every step traced.
#scheduler 1 post
What Actually Happens When You kubectl apply – The Full Chain From YAML to Running Pod
The complete journey: client-side vs server-side apply, admission controllers, etcd persistence, controller reconciliation, scheduler binding, and kubelet container creation. Every step traced.
#kubelet 1 post
What Actually Happens When You kubectl apply – The Full Chain From YAML to Running Pod
The complete journey: client-side vs server-side apply, admission controllers, etcd persistence, controller reconciliation, scheduler binding, and kubelet container creation. Every step traced.
#hot-takes 1 post
Your Startup Doesn't Need Kubernetes
Kubernetes is an incredible technology that solves real problems. But for most startups, it's the wrong tool. Here's how to know when you're ready - and what to use instead.