writings

I write about what I've been working on, problems I've solved, and things I'm still trying to figure out.

Blocking IMDS access on Karpenter NodePools

Every EC2 instance exposes the Instance Metadata Service at 169.254.169.254. By default, pods can reach it. They should not, and if they need AWS credentials, Pod Identity is the right tool for that.

Image Compression Efficiency, and Why AVIF Wins

JPEG has been the default image format on the web since 1992. AVIF, derived from the AV1 video codec, compresses better at every quality level. The Netflix engineering team benchmarked this. The numbers are significant.

k8s Jobs, Helper Containers, and Native Sidecars

k8s won't mark a Job complete while any container in the Pod is still running. If you have a logging sidecar that never exits on its own, you need a way to tell k8s it's a helper, not the work itself. That's what native sidecars are for.