Blog
Notes on observability, distributed systems, and software engineering.
2026
- Cross-account Prometheus replication with end-to-end mTLS via Envoy 06-29
How to stream Prometheus metrics from one AWS account to another over the public internet, with Envoy doing mTLS termination on both sides and a NAT-pinned IP allow-list as the outer fence.
- How ServiceMonitor can quietly overload your kube-apiserver 06-28
Adding a ServiceMonitor looks innocent — at scale it sets off a chain reaction through EndpointSlices, Istio XDS, and kube-proxy that can take down your control plane.