Ilia Gusev
@persikbl.bsky.social
New Podo Stack 🍇
This week: Platform Engineering.
→ Why documentation is not a guardrail
→ Backstage: the most boring essential tool
→ Crossplane vs Terraform (real differences)
→ A Kyverno policy that saves your uptime
→ One-liner to check K8s EOL
podostack.com/p/guardrail... 🛠️
This week: Platform Engineering.
→ Why documentation is not a guardrail
→ Backstage: the most boring essential tool
→ Crossplane vs Terraform (real differences)
→ A Kyverno policy that saves your uptime
→ One-liner to check K8s EOL
podostack.com/p/guardrail... 🛠️
Golden Paths, Guardrails, and Why Every Platform Needs a Catalog
Platform Engineering Guardrails, Backstage, Crossplane vs Terraform, and a Kyverno PDB policy
podostack.com
February 10, 2026 at 2:06 PM
New Podo Stack 🍇
This week: Platform Engineering.
→ Why documentation is not a guardrail
→ Backstage: the most boring essential tool
→ Crossplane vs Terraform (real differences)
→ A Kyverno policy that saves your uptime
→ One-liner to check K8s EOL
podostack.com/p/guardrail... 🛠️
This week: Platform Engineering.
→ Why documentation is not a guardrail
→ Backstage: the most boring essential tool
→ Crossplane vs Terraform (real differences)
→ A Kyverno policy that saves your uptime
→ One-liner to check K8s EOL
podostack.com/p/guardrail... 🛠️
Most boring CNCF project. Most essential
Backstage doesn't autoscale your pods. Doesn't encrypt your traffic. Doesn't monitor anything.
It just tells you what you have. And somehow that's the hardest problem.
Backstage doesn't autoscale your pods. Doesn't encrypt your traffic. Doesn't monitor anything.
It just tells you what you have. And somehow that's the hardest problem.
February 10, 2026 at 8:57 AM
Most boring CNCF project. Most essential
Backstage doesn't autoscale your pods. Doesn't encrypt your traffic. Doesn't monitor anything.
It just tells you what you have. And somehow that's the hardest problem.
Backstage doesn't autoscale your pods. Doesn't encrypt your traffic. Doesn't monitor anything.
It just tells you what you have. And somehow that's the hardest problem.
Your documentation is not a guardrail.
Nobody reads the wiki before deploying. You know this. I know this.
So why do we keep pretending it works?
Nobody reads the wiki before deploying. You know this. I know this.
So why do we keep pretending it works?
February 9, 2026 at 1:59 PM
Your documentation is not a guardrail.
Nobody reads the wiki before deploying. You know this. I know this.
So why do we keep pretending it works?
Nobody reads the wiki before deploying. You know this. I know this.
So why do we keep pretending it works?
kube-proxy uses iptables.
1000 services = 1000s of rules.
Every packet walks the chain.
O(n) lookup. In 2025. In your kernel.
1000 services = 1000s of rules.
Every packet walks the chain.
O(n) lookup. In 2025. In your kernel.
February 5, 2026 at 11:37 AM
kube-proxy uses iptables.
1000 services = 1000s of rules.
Every packet walks the chain.
O(n) lookup. In 2025. In your kernel.
1000 services = 1000s of rules.
Every packet walks the chain.
O(n) lookup. In 2025. In your kernel.
Istio Sidecar vs Ambient.
Which one should you actually use in 2025?
A quick breakdown. 🧵
Which one should you actually use in 2025?
A quick breakdown. 🧵
February 4, 2026 at 1:26 PM
Istio Sidecar vs Ambient.
Which one should you actually use in 2025?
A quick breakdown. 🧵
Which one should you actually use in 2025?
A quick breakdown. 🧵
This week's Podo Stack:
→ Stargz: lazy image pulling (9x faster cold starts)
→ Karpenter vs Cluster Autoscaler
→ Cilium: eBPF replaces kube-proxy
podostack.substack.com/p/lazy-pull-smart-scale-ebpf-network 🍇
→ Stargz: lazy image pulling (9x faster cold starts)
→ Karpenter vs Cluster Autoscaler
→ Cilium: eBPF replaces kube-proxy
podostack.substack.com/p/lazy-pull-smart-scale-ebpf-network 🍇
Lazy Pull, Smart Scale, eBPF Network
Stargz Snapshotter, Karpenter vs Cluster Autoscaler, and Cilium kube-proxy replacement
podostack.substack.com
February 3, 2026 at 2:56 PM
This week's Podo Stack:
→ Stargz: lazy image pulling (9x faster cold starts)
→ Karpenter vs Cluster Autoscaler
→ Cilium: eBPF replaces kube-proxy
podostack.substack.com/p/lazy-pull-smart-scale-ebpf-network 🍇
→ Stargz: lazy image pulling (9x faster cold starts)
→ Karpenter vs Cluster Autoscaler
→ Cilium: eBPF replaces kube-proxy
podostack.substack.com/p/lazy-pull-smart-scale-ebpf-network 🍇
Your pod runs distroless.
No shell. No curl. No tcpdump. Nothing.
How do you debug it? 🧵
No shell. No curl. No tcpdump. Nothing.
How do you debug it? 🧵
February 2, 2026 at 2:48 PM
Your pod runs distroless.
No shell. No curl. No tcpdump. Nothing.
How do you debug it? 🧵
No shell. No curl. No tcpdump. Nothing.
How do you debug it? 🧵
Istio without sidecars.
Not a dream. Not a beta. GA since version 1.24.
Here's how Ambient Mesh actually works. 🧵
Not a dream. Not a beta. GA since version 1.24.
Here's how Ambient Mesh actually works. 🧵
January 31, 2026 at 6:55 AM
Istio without sidecars.
Not a dream. Not a beta. GA since version 1.24.
Here's how Ambient Mesh actually works. 🧵
Not a dream. Not a beta. GA since version 1.24.
Here's how Ambient Mesh actually works. 🧵
SLO monitoring shouldn't require a PhD in PromQL.
One YAML file. Full error budget tracking. Burn rate alerts. Grafana dashboards.
Here's sloth. 🧵
One YAML file. Full error budget tracking. Burn rate alerts. Grafana dashboards.
Here's sloth. 🧵
January 29, 2026 at 2:39 PM
SLO monitoring shouldn't require a PhD in PromQL.
One YAML file. Full error budget tracking. Burn rate alerts. Grafana dashboards.
Here's sloth. 🧵
One YAML file. Full error budget tracking. Burn rate alerts. Grafana dashboards.
Here's sloth. 🧵
50-100MB RAM per pod. That's what sidecars cost you.
Ambient Mesh: ~20MB per node.
Plus: SLO monitoring from a single YAML file, and why labels are contracts, not documentation.
podostack.substack.com/p/sidecar-free-mesh-slo-from-yaml-and 🍇
Ambient Mesh: ~20MB per node.
Plus: SLO monitoring from a single YAML file, and why labels are contracts, not documentation.
podostack.substack.com/p/sidecar-free-mesh-slo-from-yaml-and 🍇
Sidecar-Free Mesh, SLO from YAML, and Labels as Contracts
Istio Ambient, sloth, and Kyverno for platform teams
podostack.substack.com
January 27, 2026 at 4:26 PM
50-100MB RAM per pod. That's what sidecars cost you.
Ambient Mesh: ~20MB per node.
Plus: SLO monitoring from a single YAML file, and why labels are contracts, not documentation.
podostack.substack.com/p/sidecar-free-mesh-slo-from-yaml-and 🍇
Ambient Mesh: ~20MB per node.
Plus: SLO monitoring from a single YAML file, and why labels are contracts, not documentation.
podostack.substack.com/p/sidecar-free-mesh-slo-from-yaml-and 🍇
"What actually changes in my cluster if I merge this PR?"
kubectl diff doesn't understand Flux.
Helm diff doesn't handle Kustomizations.
flux diff does both. 🧵
kubectl diff doesn't understand Flux.
Helm diff doesn't handle Kustomizations.
flux diff does both. 🧵
January 25, 2026 at 9:33 AM
"What actually changes in my cluster if I merge this PR?"
kubectl diff doesn't understand Flux.
Helm diff doesn't handle Kustomizations.
flux diff does both. 🧵
kubectl diff doesn't understand Flux.
Helm diff doesn't handle Kustomizations.
flux diff does both. 🧵
`:latest` doesn't mean latest.
It means "whatever was built last time someone forgot to tag."
Here's why it will burn you. 🧵
It means "whatever was built last time someone forgot to tag."
Here's why it will burn you. 🧵
January 24, 2026 at 10:09 AM
`:latest` doesn't mean latest.
It means "whatever was built last time someone forgot to tag."
Here's why it will burn you. 🧵
It means "whatever was built last time someone forgot to tag."
Here's why it will burn you. 🧵
You can see decrypted TLS traffic in your cluster without touching a single line of code.
Not a proxy. Not a sidecar. eBPF magic. 🧵
Not a proxy. Not a sidecar. eBPF magic. 🧵
January 23, 2026 at 7:25 PM
You can see decrypted TLS traffic in your cluster without touching a single line of code.
Not a proxy. Not a sidecar. eBPF magic. 🧵
Not a proxy. Not a sidecar. eBPF magic. 🧵
Your cluster pulls the same image 50 times when you scale up.
Every node. Same image. Same egress bill.
There's a fix—and it's stateless. 🧵
Every node. Same image. Same egress bill.
There's a fix—and it's stateless. 🧵
January 22, 2026 at 2:58 PM
Your cluster pulls the same image 50 times when you scale up.
Every node. Same image. Same egress bill.
There's a fix—and it's stateless. 🧵
Every node. Same image. Same egress bill.
There's a fix—and it's stateless. 🧵