Ilia Gusev
persikbl.bsky.social
Writing Podo Stack 🍇 - tools that survived production, weekly

https://podostack.com
Honestly, plenty of teams run both. Terraform for the foundation, Crossplane for the self-service layer on top.

No holy wars needed.

Full comparison with examples in Podo Stack:
podostack.com 🛠️
February 11, 2026 at 1:58 PM
So when do you pick which?

Terraform: your team knows HCL, you don't run Kubernetes everywhere, you want mature providers and a huge ecosystem.

Crossplane: you're building a platform, you want self-service infra, you already live in Kubernetes, you need drift detection.

It's a maturity question
February 11, 2026 at 1:58 PM
The real power of Crossplane: Composite Resources (XRs).

You define an abstraction — say, "Database" — that bundles an RDS instance, security group, IAM role, and parameter group.

Your dev writes 10 lines of YAML. The platform handles the rest.

That's a golden path for infrastructure.
February 11, 2026 at 1:58 PM
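The "Database" abstraction the post describes, written out as an added example (this is not code from Podo Stack or from the Crossplane project). It assumes the Upbound AWS provider, a ProviderConfig named `default` and `function-patch-and-transform` are installed; the API group `platform.example.org`, the `size` values and the namespace are hypothetical. To stay short it composes only the RDS instance; the security group, IAM role and parameter group from the post would be further entries under `resources`. The security-relevant point is where the knobs live: `storageEncrypted` and `publiclyAccessible` are fixed in the Composition and absent from the claim schema, so a developer cannot set them from the claim (fields outside the XRD schema are pruned by the API server, or rejected outright with strict field validation).

```yaml
# Added example, not from the original post. Assumptions: Upbound provider-aws,
# a ProviderConfig named "default" and function-patch-and-transform are installed;
# the API group platform.example.org and the size names are hypothetical.
apiVersion: apiextensions.crossplane.io/v1
kind: CompositeResourceDefinition
metadata:
  name: xdatabases.platform.example.org
spec:
  group: platform.example.org
  names:
    kind: XDatabase
    plural: xdatabases
  claimNames:                      # the namespaced object developers actually create
    kind: Database
    plural: databases
  versions:
  - name: v1alpha1
    served: true
    referenceable: true
    schema:
      openAPIV3Schema:
        type: object
        properties:
          spec:
            type: object
            properties:
              size:                # the only knob a developer gets
                type: string
                enum: [small, medium]
            required: [size]
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: xdatabases.aws.platform.example.org
spec:
  compositeTypeRef:
    apiVersion: platform.example.org/v1alpha1
    kind: XDatabase
  mode: Pipeline
  pipeline:
  - step: patch-and-transform
    functionRef:
      name: function-patch-and-transform
    input:
      apiVersion: pt.fn.crossplane.io/v1beta1
      kind: Resources
      resources:
      - name: rds-instance
        base:
          apiVersion: rds.aws.upbound.io/v1beta1
          kind: Instance
          spec:
            forProvider:
              region: eu-west-1
              engine: postgres
              engineVersion: "16"
              allocatedStorage: 20
              username: app
              manageMasterUserPassword: true   # AWS generates and stores the master password
              storageEncrypted: true           # set by the platform; not in the claim schema
              publiclyAccessible: false        # likewise: a claim cannot flip this
              skipFinalSnapshot: false
            providerConfigRef:
              name: default
        patches:
        - type: FromCompositeFieldPath     # map the developer's "size" to an instance class
          fromFieldPath: spec.size
          toFieldPath: spec.forProvider.instanceClass
          transforms:
          - type: map
            map:
              small: db.t3.small
              medium: db.t3.medium
---
# What a developer commits. Anything not in the XRD schema is pruned, so the
# hardening above cannot be overridden from here.
apiVersion: platform.example.org/v1alpha1
kind: Database
metadata:
  name: orders-db
  namespace: orders
spec:
  size: small
```

Connection details (host, port, credentials) would be surfaced to the claim's namespace through the composed resource's connection secret; that wiring is omitted here.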
Crossplane works like Kubernetes itself.

You declare desired state in YAML. A controller reconciles continuously. If someone deletes the S3 bucket from the console — Crossplane recreates it. Automatically.

It's not plan-apply. It's declare-and-forget.
February 11, 2026 at 1:58 PM
Terraform's model is simple and battle-tested:

Write HCL. Run plan. Review the diff. Run apply. Done.

But between applies? Nothing watches. Someone changes the resource manually in the console — Terraform doesn't know until your next plan.

It's imperative dressed up as declarative.
February 11, 2026 at 1:58 PM
Backstage won't make your platform cool. It'll make your platform usable.

And honestly? That matters more.

Full breakdown on catalogs, golden paths, and guardrails in Podo Stack:
podostack.com 🛠️
February 10, 2026 at 8:57 AM
But the catalog is just the foundation.

The real magic is the Scaffolder. Golden Path templates that spin up a new service with:

- Repo created
- CI pipeline configured
- Monitoring wired
- catalog-info.yaml already there

Day one, your service exists in the catalog. Not day thirty.
February 10, 2026 at 8:57 AM
Backstage flips the model. Instead of a central team maintaining a catalog — the service owners do.

One file: catalog-info.yaml. Lives in your repo. Right next to the code.

You change the service, you update the metadata. It's version-controlled. It's reviewable. It's real.

Metadata-as-code
February 10, 2026 at 8:57 AM
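An added example of the `catalog-info.yaml` the post refers to (not a file from Podo Stack or from any real repository). The service, group, system and repository names are hypothetical; the annotation keys are the ones the Backstage core catalog and the GitHub, TechDocs and PagerDuty plugins read, which is what turns "who owns this?" during an incident into a lookup rather than a Slack thread.

```yaml
# Added example, not from the original post. Entity names and the repository
# slug are hypothetical; annotation keys are real Backstage plugin annotations.
apiVersion: backstage.io/v1alpha1
kind: Component
metadata:
  name: orders-api
  description: Order intake and validation service
  annotations:
    github.com/project-slug: example-org/orders-api   # source location for the GitHub plugins
    backstage.io/techdocs-ref: dir:.                   # docs are built from this repo
    pagerduty.com/service-id: PXXXXXX                  # placeholder; who gets paged for this service
  tags:
    - go
    - payments
spec:
  type: service
  lifecycle: production
  owner: group:default/payments-team   # must resolve to a Group entity, or the catalog flags it
  system: checkout
  dependsOn:
    - resource:default/orders-db
  providesApis:
    - orders-v1
---
apiVersion: backstage.io/v1alpha1
kind: API
metadata:
  name: orders-v1
spec:
  type: openapi
  lifecycle: production
  owner: group:default/payments-team
  definition:
    $text: ./openapi.yaml    # resolved relative to this file, so the spec lives with the code too
```

The file is picked up either from a static entry under `catalog.locations` in `app-config.yaml` or, at scale, by a discovery provider that scans the organisation's repositories. Because the owner is a catalog entity reference rather than free text, a renamed or deleted team shows up as a broken relation instead of a stale string nobody notices.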
Every company tries the same thing first:

"Let's put it in Confluence"
"Let's build a spreadsheet"
"Let's tag everything in our CMDB"

6 months later: 40% of entries are outdated, nobody trusts the data, and on-call still asks "who owns this?"

Sound familiar?
February 10, 2026 at 8:57 AM
Guardrails aren't about control. They're about trust.

"I trust you to ship fast because the platform won't let you break prod."

Full breakdown with policies and examples in this week's Podo Stack:
podostack.com 🛠️
February 9, 2026 at 1:59 PM
Here's the trick nobody tells you:

Start with 80% soft guardrails. Audit mode. Warnings. Slack notifications.

Then watch what people actually do wrong. THEN enforce.

Going straight to hard blocks on day one? That's how you get a revolt and a shadow platform next door.
February 9, 2026 at 1:59 PM
Three layers where guardrails actually work:

Design Time — IDE flags the mistake before you even commit
Deploy Time — CI + OPA reject the bad config at the pipeline
Runtime — Kyverno catches what slipped through at the API server

Stack them. Don't pick one.
February 9, 2026 at 1:59 PM
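Tying the two posts above together (soft guardrails first, and Kyverno as the runtime layer), here is an added example of one Kyverno ClusterPolicy rolled out the way the "80% soft guardrails" post suggests. It is not a policy from Podo Stack; the pattern is the standard Kyverno approach for blocking privileged containers, and the excluded namespace is an assumption about where privileged workloads (CNI, node agents) legitimately live.

```yaml
# Added example, not from the original posts. Starts in Audit mode; switching
# validationFailureAction to Enforce is the only change needed later.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disallow-privileged-containers
  annotations:
    policies.kyverno.io/description: >-
      Privileged containers get the host kernel's full capability set and
      defeat namespace isolation. Block them outside kube-system.
spec:
  # Step 1: Audit. Violations land in PolicyReport objects; nothing is blocked.
  # Step 2, after the reports have been reviewed for a while: Enforce.
  validationFailureAction: Audit
  background: true          # also scan what already exists, not only new admissions
  rules:
  - name: privileged-containers
    match:
      any:
      - resources:
          kinds:
          - Pod
    exclude:
      any:
      - resources:
          namespaces:
          - kube-system      # assumption: CNI and node agents run here and need privileged
    validate:
      message: >-
        Privileged containers are not allowed. Remove `privileged: true`
        or request an exception from the platform team.
      pattern:
        spec:
          =(initContainers):
          - =(securityContext):
              =(privileged): "false"
          =(ephemeralContainers):
          - =(securityContext):
              =(privileged): "false"
          containers:
          - =(securityContext):
              =(privileged): "false"
```

While in Audit, `kubectl get policyreport -A` shows who would have been blocked, which is exactly the "watch what people actually do wrong" data the post talks about; the same manifest also runs at deploy time through the Kyverno CLI in CI, so one policy can cover two of the three layers. Recent Kyverno releases prefer the rule-level `validate.failureAction` field over the top-level `validationFailureAction` used here, but both are accepted.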
Think about a highway.

A PDF that says "don't drive off the cliff" is documentation.
A metal barrier on the edge is a guardrail.

Gates stop you and ask for permission.
Guardrails let you move fast — but won't let you fall off.

That's the difference in platform engineering too.
February 9, 2026 at 1:59 PM
eBPF is eating Kubernetes:

- kube-proxy → Cilium
- Sidecars → Cilium/Ambient
- Observability → Pixie
- Security → Falco

The kernel is the new platform.

Full issue: podostack.substack.com/p/lazy-pull-smart-scale-ebpf-network
Lazy Pull, Smart Scale, eBPF Network
Stargz Snapshotter, Karpenter vs Cluster Autoscaler, and Cilium kube-proxy replacement
February 5, 2026 at 11:37 AM
Cilium replaces all of this with eBPF.

Instead of walking chains:
- Hash map lookup: O(1)
- Direct packet steering
- No iptables touch

One flag:
--set kubeProxyReplacement=true
February 5, 2026 at 11:37 AM
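The flag from the post, plus the caveat that bites on the first attempt, as an added example (not from Podo Stack or the Cilium docs). Once kube-proxy is removed nothing programs the `kubernetes` ClusterIP, so the Cilium agent has to be told the API server's real address; the host and port below are placeholders for your cluster.

```yaml
# Added example, not from the original post: Helm values for Cilium with
# kube-proxy removed. k8sServiceHost/k8sServicePort are placeholders.
kubeProxyReplacement: true
# Without kube-proxy there is no one to translate the "kubernetes" ClusterIP,
# so the agent must reach the control plane directly.
k8sServiceHost: 10.0.0.10
k8sServicePort: 6443
```

Install with `helm install cilium cilium/cilium -n kube-system -f values.yaml` after the kube-proxy DaemonSet is gone, then confirm from inside an agent pod that `cilium-dbg status` (or `cilium status` on older releases) reports `KubeProxyReplacement: True`; if the agent cannot reach the API server, that is almost always the two host/port values above.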
iptables was designed in 1998.
It's a firewall, not a load balancer.

kube-proxy hacks it into one.

Result: CPU spikes during updates, latency at scale, lost source IPs.
February 5, 2026 at 11:37 AM
My take: for new deployments in 2026+, ambient is the default.

The sidecar tax was always the biggest complaint. Now it's optional.

Full comparison in Podo Stack 👇
podostack.substack.com 🛠️
February 4, 2026 at 1:26 PM
When to pick sidecar:
- You need L7 control on every pod
- Your team knows the debugging patterns
- You're already running it successfully

When to pick ambient:
- Memory is tight
- You're starting fresh
- You want gradual migration
February 4, 2026 at 1:26 PM
The ambient model (Istio 1.24+):

ztunnel: L4 proxy, one per node (~20MB)
Waypoint: L7 proxy, on-demand

You get mTLS everywhere.
You pay for L7 only where you need it.

"Service mesh à la carte."
February 4, 2026 at 1:26 PM
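The "à la carte" model in practice, as an added example that is not from Podo Stack or the Istio project: enrol a namespace so ztunnel gives every pod mTLS, write an L4 policy that ztunnel alone can enforce, and add a waypoint only for the one service that needs L7 rules. Namespace, service and service-account names are hypothetical; the Gateway manifest is what `istioctl waypoint generate` produces.

```yaml
# Added example, not from the original post. Names are hypothetical.
apiVersion: v1
kind: Namespace
metadata:
  name: orders
  labels:
    istio.io/dataplane-mode: ambient      # ztunnel now handles mTLS for every pod here
---
# L4 policy, enforced by ztunnel: no waypoint needed. Only the checkout
# workload identity may open a connection to orders-api.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: orders-api-l4
  namespace: orders
spec:
  selector:
    matchLabels:
      app: orders-api
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/checkout/sa/checkout
---
# The waypoint: an L7 proxy for this namespace's services, paid for only here.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: waypoint
  namespace: orders
  labels:
    istio.io/waypoint-for: service
spec:
  gatewayClassName: istio-waypoint
  listeners:
  - name: mesh
    port: 15008
    protocol: HBONE
---
# Route this service through the waypoint; now method/path rules are enforceable.
apiVersion: v1
kind: Service
metadata:
  name: orders-api
  namespace: orders
  labels:
    istio.io/use-waypoint: waypoint
spec:
  selector:
    app: orders-api
  ports:
  - name: http
    port: 8080
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: orders-api-l7
  namespace: orders
spec:
  targetRefs:                 # L7 policy attaches to the waypoint, not to the pod
  - kind: Service
    group: ""
    name: orders-api
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/checkout/sa/checkout"]
    to:
    - operation:
        methods: ["GET", "POST"]
        paths: ["/orders", "/orders/*"]
```

One caveat worth knowing before the first outage: an L7 rule (methods, paths, headers) put in a pod-selector policy with no waypoint cannot be evaluated by ztunnel, and ztunnel fails closed rather than open, so traffic is denied. Keep L4 rules on the selector and L7 rules on the waypoint, as above.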
The sidecar model (classic Istio):

Every pod gets an Envoy proxy.
Full L7 control everywhere.
50-100MB RAM overhead per pod.
Startup latency: sidecar must init first.

It works. It's proven. It's expensive.
February 4, 2026 at 1:26 PM