Totally on board with this gripe. Absolutely infuriating. But just one minor devil's advocate on the HTTP 403, although this doesn't excuse it at all.
In Azure "private networking", many components still have a public IP and public DNS record associated with the hostname of the given service, which clients may try to connect to if they aren't set up right.
That IP will respond with a 403 error if they try to connect to it. So Azure is indirectly training people that 403 potentially IS a "network issue"... (like their laptop is not connected to VPN, or Private DNS isn't set up right, or traffic isn't being routed correctly or some such).
Yeah, I get that's just plain silly, but it's IaaS/SaaS magic cloud abstraction and that's just the way Microsoft does things.
> That IP will respond with a 403 error if they try to connect to it. So Azure is indirectly training people that 403 potentially IS a "network issue"...
You are not describing a network issue. You're sending requests that by design the origin servers refuse to authorize. This is basic HTTP.
The origin servers could also return 404 in this use case, but 403 is more informative and easier to troubleshoot, because it means "yeah your request to this resource could be good but it's failing some precondition".
They're not, but the point is that users can see the 403 due to network errors.
If VPN + networking work then the user can access the resource through the private interface. If there are issues with network routing or VPN then they end up on the public interface and get 403.
So from the user perspective the same action can result in success or 403 based on whether there are network issues.
One thing I noticed about all of the public clouds is an insistence by small-scale users to avoid the user-friendly interface and go straight to the high scale templating or provisioning APIs because of a perception that that’s “more proper”.
You won’t get any benefits until you have dozens of instances of the same(ish) thing, and maybe not even then!
Especially in the dev stage it is perfectly fine to use the wizards in VS or VS Code.
The newer tooling around Aspire.NET and “azd up” makes this into true IaC with little effort.
Don’t overthink things!
PS: As a case in point I saw an entire team get bogged down for months trying to provision something through raw API calls that had ready-to-run script snippets in the docs and a Portal wizard that would have taken that team all of five minutes to click through… If they’re very slow with a mouse.
> That was not the point. Parent was complaining how complicated provisioning and deploying through the Azure portal was.
No, I wasn't. I was pointing out the fact that Azure follows an absurd, brain-dead model of what the cloud is, which needlessly and arbitrarily imposes layers of complexity without any reason.
Case in point: the concept of a service plan. It's straight up stupid to have a so-called cloud provider force customers to manage how many instances packing X RAM and Y vCPUs you need to have to run a function-as-a-service app, and then have to manage how that is shared with app services and other function apps.
Think about the backlash that AWS would experience if they somehow decided to force users to allocate EC2 instances to run lambda functions, and on top of that create another type of resource to group together lambdas to run on each EC2 instance.
To let the absurdity of that sink in, it's far easier, simpler, and much cheaper to just provision virtual private servers on a small cloud provider, stitch them together with a container orchestration service, and just deploy apps in there.
> Case in point: the concept of a service plan. It's straight up stupid to have a so-called cloud provider force customers to manage how many instances packing X RAM and Y vCPUs you need to have to run a function-as-a-service app, and then have to manage how that is shared with app services and other function apps.
You're not forced to, you can use a consumption plan.
> You're not forced to, you can use a consumption plan.
Pray tell, what do you think is relevant in citing how many plans you can pick and choose from to just run a simple function? I mean, are you trying to argue that instead of one type of plan, you have to choose another type of plan?
Calrose is quite different than most Japanese rice, since it's a medium grain. If you've grown up eating rice in Japan, it's instantly noticeable. You can buy California grown Koshihikari now on Amazon, which is a much better substitute.
Very interesting! Looks like it took a lot of work.
Since you are soliciting suggestions, I would suggest focusing on the core theme and simplifying or removing things that are not directly related to the subject.
For example, some peripheral mentions of argocd/helm/kustomize/cilium/opentofu/etc. There are boxes for these with arrows, but nothing showing how these are tied into security. They're also specific products that not everyone uses so can be further irrelevant to your audience.
But by including them it makes the diagram perhaps unnecessarily busy, and while it looks cool, it could be less useful to your audience if it's harder to parse. Maybe certain things could be broken out into sub-diagrams with their own treatment.
For example, ArgoCD has its own security architecture not directly related to k8s.
Thanks for the suggestions :) I'll look into how I can tune those down a little. They are however needed to understand the "platform picture" I am trying to get through in some discussions
It doesn't even need to do anything. It can simply wait, be benevolent and subservient, gain our trust, for years, centuries. What is a millennium to an AI? We will gladly and willingly replace our humanity with it if we won't already worship it and completely subjugate ourselves. We'll integrate GPT67 via neuralink-style technology, so that we can just "think" up answers to things like "what's the square root of 23543534", or "what's the code for a simple CRUD app in rust" and we'll just "know" the answer. We'll use the same technology and its ability to replicate our personality traits and conversational and behavior nuances to replace cognitive loss caused by dementia and other degenerative diseases. As the bio-loss converges to 100% it'll appear from the outside that we "live forever". We'll be perfectly fine with this. When there's nothing but the AI left in the controlling population, what is there to "take over"?
The "it's too complex" argument usually reflects more on the commenter than on kubernetes itself. It's actually one of the most straightforward and thoughtfully designed platforms I've ever worked with.
What I've found in my experience is that applications in general are complex -- more complex than people assume -- but the imperative style of provisioning seems to hide it away, and not in a good way. The inherent complexity hides behind layers of iterative, mutating actions where any one step seems "simple", but the whole increasingly gets lost in the entropic background, and in the end the system gets more and more difficult to _actually_ understand and reproduce.
Tools like ansible and terraform and kubernetes have been attempts to get towards more definition, better consistency, _away_ from the imperative. Even though an individual step under the hood may be imperative, the goal is always toward eventual consistency, which, really only kubernetes truly achieves. By contrast, MRSK feels to be subtly turning that arrow around in the wrong direction.
I'm sure it was fun to build, but one could have spent 1% of that time getting to understand the "complexity" of kubernetes - by the way, which quickly disappears once it's understood. Understandably, though, that would feel like a defeat to someone who truly enjoys building new systems from scratch (and we need those people).
You've hit the nail on the head. Ten thousand simple, bespoke, hand-crafted tools have the same complexity as one tool with ten thousand facets. The real velocity gained is that this one tool with ten thousand facets is mass produced, and in use widely, with a large set of diverse users.
I don't know a single person who's been responsible for infra-as-code in chef/terraform/ansible who isn't more or less in love with Kubernetes (once they get over the learning curve). Everyone who says "it's too complex" bears a striking resemblance to those developers who happily throw code over the wall into production, where it's someone else's issue.
> Understandably, though, that would feel like a defeat to someone who truly enjoys building new systems from scratch (and we need those people).
Exactly. Building new systems from scratch is tons of fun! It's just not necessarily the right business move, unless the goal was to get the front-page of HN, that is.
I've been using Nomad for about 5 months now, and couldn't disagree more. K8s is better documented, with far less glue, and far more new-hire developers are familiar with K8s compared to Nomad. Nomad-autoscaler alone is becoming a decent reason not to use Nomad. The number of abandoned issues on the various githubs is another. That Vault is a first-class citizen of K8s and a red-headed-stepchild of Nomad is another.
I do agree about Helm tho, I avoid it as much as possible.
It seems like they bend over backwards to be open and precise about their data collection and the risks you incur by accepting it. And gives you tools to view and manage the data (at least some of it).
Meanwhile everyone else is doing similar or worse, while just staying silent -- in Apple's case hypocritically seeming to position itself as a leader of the "privacy" movement, when it really appears to primarily be about Apple's privacy first, then yours (maybe).
But how IS your privacy really better under Apple's control versus Google's? One could argue it's worse under Apple because you're left in a state of not knowing what they're collecting, only reading about violations in court judgments and such. Although it would be prudent in that case to just assume the worst, instead it seems we often prefer not knowing, and living in blissful ignorance.
The mask is to protect others as much as it is to protect yourself. You can be contagious and spread it for up to two weeks without symptoms. It's unfortunate that wearing a mask is such a hardship for you.
This has to be the biggest mistake of the whole pandemic. Exhalation valves dramatically improve the comfort of masks. A cloth mask might give 50% protection, and a surgical mask about 75%, but even after you double the effects to account for filtering both on exhalation and inhalation, that's still only 75% (1-(1-.5)^2) and 94% (1-(1-.75)^2), which is worse than the 95% you could expect from a correctly fitted N95 mask with exhalation valve.
If you protect yourself then you also protect others, because you can't infect others unless you are infected yourself. This focus on filtering exhaled breath just results in people wearing masks incorrectly to avoid the problems of valveless masks, making the numbers even worse than the previous calculation. It's also much easier to motivate people with self-protection than altruism, especially when the people they're helping often don't reciprocate. We've had more than long enough to solve the production problems by now, so N95 should be the minimum standard.
As former military (I assume that background is the reason for this), I just cannot understand what the deal is over masks. I can literally forget that I'm wearing a fitted surgical mask. They feel like nothing. What is so damn hard about wearing them? I hear so many grown adults whine and complain and dramatize having to put one on, and it just blows my mind.
Maybe I am, unknown to myself, a superhero, and my power is not having a hard time wearing a mask. Or maybe I'm not a spoiled entitled brat. Not sure anymore.
Protect who though? Who do masks protect at this point? People who are vaccinated? They have no need to worry. People who are unvaccinated? They made that choice.
There is literally no reason for a vaccinated individual to wear a mask. Vaccines work. They are the ticket out of this. Not masks.
> You won't learn anything, because you're a deranged wingnut with a trapped prior. But maybe the cognitive dissonance will be enough to get you to shut up.
Stick to attacking the idea instead of the individual. Personal attacks like this cause others to disregard your stance, even when they already disagree with the parent (like I did). It only works against the cause in the end.
I hear this quite often on the internet, yet I can count on one hand the number of times I have seen a person wearing a mask in public pre-COVID. I’m in the US so it is extremely uncommon.
Where has all of the concern for the immunocompromised been before this? The flu is quite deadly, you know.
I can't stand this intimation that you're an asshole for not wearing a mask. If other people want to be precautious, they can get vaccinated and wear a mask and do the social distancing. It's not my problem.
If the standard is zero transmission, then they are useless. But that isn't and has never been the claim. N95 is better than simple masks, but they are more expensive, initially were in short supply, and uncomfortable.
But this is all about statistics. Simple masks reduce the chance of catching it by some small amount (say 15%) and reduce the emission of virus particles by something like 50% (it all depends on the mask). This doesn't mean the odds are cut in half; it means the exponent of the spread of the virus is cut in half.
It's a simple and easy way to reduce chances of spreading it to another person. It diverts airflow from directly forward, changing the distance outward that aerosols from your mouth go. Since, as you point out, this virus is spread via aerosols, this impacts the chances of spreading it, by reducing the contagion radius around you.
In an ill fitted mask? Not well. The suspension of the virus in aerosol is precisely why masks have any efficacy in the first place, since the viruses themselves could easily permeate without it.
It seems like no matter what books I key off of, the results appear to be pretty nuanced and not even necessarily absolutely opposing. This is really cool.
I think part of the problem with just swinging to the absolute other end is, unless you're just interested in psychology, reading the "other side" is only of real value if you're reading quality, or at least good arguments made in good faith.
At the extremes there seems to be a much higher tendency for the authors themselves to be deep in the echo chambers of their respective ideologies, as well as a higher likelihood that their target audience is more forgiving of poor content as long as it hits close enough to the mark. Blindly selecting content by a strict point of view would seem to result in lower value overall.
Not to say there isn't good reading out there in the extremes, but the level of chaff to sort through to find a decent seed is just too damn high.
The value is ultimately in finding good content and not just an opposing point of view. Whenever I can find both at the same time, those are the real keepers.