Configuration as Data, GitOps, and Controllers: it’s not simple for multi-cluster

One big benefit of using a declarative configuration approach, or “configuration as data” as Kelsey Hightower says, is understanding the intent of the desired end state of a system. Declarative configuration becomes a contract between users/tools and makes it easy to understand whether the system is in the desired state or not. Kubernetes is an […]

Christian Posta | September 14, 2021
Challenges of running Istio distroless images

At, we work with customers running Istio at massive scale, in secure environments, and in highly-regulated environments (FIPS/FedRAMP, PCI, etc). Our Gloo Mesh builds of Istio are based on the upstream builds with LTS (N-3) and enterprise Severity-1 response times (i.e., security patching, production break/fix, feature backporting, etc). Unlike other Istio distributions, we do […]

Christian Posta | April 28, 2021
Distroless FIPS-compliant Istio

At, we work with a lot of customers or software providers that provide products to their customers that have compliance obligations around FIPS (Federal Information Processing Standards). These are typically customers in the US Government, but not exclusively. FIPS is a set of rules about how cryptographic modules are implemented and apply to any […]

Christian Posta | February 23, 2021
Configuring CORS and JWT in Istio for secure, cross-origin requests

As more and more organizations leveraging Istio service mesh turn to for production support, FIPS compliance, and architecture/operations best practices, we start to see patterns emerge and common questions arise. When we see enough of those questions, we try to share when we have a few moments to write. In this blog post, I’ll show […]

Christian Posta | February 2, 2021
[Tutorial] Rewriting Express Routes with Gloo Edge

During this tutorial we are going to leverage Gloo Edge as an API Gateway and Kubernetes Ingress Controller to rewrite the routes of a simple Express app. You can clone the source code from here. The repository itself is packed with Scenarios that show off more features of Gloo […]

Christian Posta | December 30, 2020
Multi-cluster Istio on EKS-D and AWS EKS

AWS recently announced EKS Distro which allows you to run self-managed and on-premises Kubernetes clusters using the same Kubernetes binaries that run on AWS EKS. With this consistent foundation for running containers comes the need for a consistent foundation for automating the networking of those containers, specifically the security, traffic, and extensibility policies. Istio is a […]

Christian Posta | December 7, 2020
The evolution of VM support in Istio 1.8 (with video)

Istio releases a new minor version every quarter, and most recently the community released 1.8.0. VM support for Istio has been progressing along across the last few releases. For example, in Istio 1.6 the WorkloadEntry resource was introduced. This allowed the mesh operator to specify VM instances and their IPs as part of the mesh. […]

Christian Posta | November 25, 2020
Hoot: What’s new in Istio 1.8

Watch a recording of Yuval at the Hoot on Dec 8th where he dove into the recently announced HashiCorp Waypoint and check out the repo here of all the demo code, presentations, and topics from past Hoots. Subscribe to our YouTube channel to be notified of upcoming livestreams and new videos.

Christian Posta | November 2, 2020
Step by Step: Datastax Cassandra with Istio and SNI routing

Cassandra is a very popular “NoSQL” database. Cassandra is a highly distributed document database that can be tolerant to certain types of failures and scaled for data-intensive microservices. As Kubernetes has become the de facto container deployment platform for microservices, running stateful workloads like Cassandra is a common choice. There are quite a few guides showing […]

Christian Posta | October 12, 2020
Istio 1.7’s improved VM support, step-by-step

In the recently released Istio 1.7, support for running workloads in the service mesh on VMs has been improved. In 1.6, Istio added the WorkloadEntry resource which gives VMs first-class support in the service mesh, while Istio 1.7 adds the ability to securely bootstrap the identity of the running service in a VM as well […]

Christian Posta | August 22, 2020
Open Service Mesh ingress with Gloo API Gateway (w/ Video!)

Last week, Microsoft Azure announced a new open-source project called Open Service Mesh. OSM is a new service-mesh implementation based on Envoy Proxy (yay!) that implements the Service Mesh Interface (SMI). SMI, as you’ll recall, is heavily inspired by our service-mesh abstraction vision that we predicted back in November 2018. Service Mesh Hub is […]

Christian Posta | August 11, 2020
Securing Kiali in Istio 1.7

At we work with our customers to be successful with Envoy-based technology including supporting service mesh. With Istio support, we run into interesting questions that are sometimes useful to share with the community. Someone asked recently about securing Kiali, and upon investigation, we found some changes in Istio 1.7 (and Kiali) that we want […]

Christian Posta | August 7, 2020
