For a decade, one idea has guided everything we’ve built at Tigera: How do you secure a dynamic system with a lot of moving parts that is changing rapidly, with a programmatic approach? Calico has applied that idea for Global 2000 companies running the largest Kubernetes platforms in the world, securing tens of millions of mission-critical transactions every day. Today I’m excited to announce the next chapter of that work: Lynx, a unified control plane for Kubernetes-native AI agents.
Lynx lets us apply our deep knowledge of Kubernetes and eBPF, and our experience building scalable, highly performant systems, to the security challenges that come with deploying AI agents. Before I explain how Lynx addresses these challenges, it’s worth being clear about why AI agents are so hard to secure in the first place.
The enterprise security tooling most organizations run was designed for workloads that are deterministic. A service does roughly the same thing today that it did yesterday. You can reason about its behavior, define what it’s allowed to touch, and trust that a valid credential maps to expected actions.
AI agents don’t work that way.
Adopting or migrating to a Zero Trust network architecture can be a daunting task. Before a single policy changes, teams have to establish how their network is actually built: which applications exist, their authentication and authorization constructs, how traffic flows between them, and any assumptions the current architecture makes. This hands-on process requires practitioners to decode the intent behind every security and routing policy in place.
Today, we’re releasing the Cloudflare One stack, a set of skills you give to your agent to configure, deploy, and manage your Zero Trust environment for you. This toolkit is designed to help automate the process of learning an entirely new security suite and mapping your existing one into Cloudflare.
Cloudflare has worked with thousands of customers through exactly this process. That repetition built expertise on where migrations stall, what questions come up every time, and what it takes to move forward. The Cloudflare One stack packages that expertise and makes it more accessible than ever.
Teams are already using agents to write code, triage alerts, and automate workflows. Organizations are increasingly asking for Cloudflare-provided tooling to help agents execute on security workflows. On their own, agents
The town of Telc, in the Czech Republic, is a hidden gem that lovers of historical tourism and classical architecture should not miss. This small town is known for its charming main square, which combines Renaissance beauty with a distinctive Baroque style. This article takes you through the beauty of Telc and the main attractions that make it such a compelling destination.
Telc is a small town in the Vysočina region of the Czech Republic with a long history dating back to the 14th century. It is known for its well-preserved historic centre, whose Renaissance-style buildings create a classic and elegant atmosphere. That is why Telc is a UNESCO World Heritage Site popular with history-minded travellers.
The main draw for visitors to Telc is the town's strikingly beautiful square. It is lined with rows of colourful Renaissance-style houses decorated with ornamental panels and classical details that showcase the beauty of classical architecture.
In the world of sport, many activities are widely known, such as football, basketball, or swimming. But there are also unusual sports that the general public may not have heard of, one of them being toe wrestling. It offers a different and decidedly quirky form of competition. Let's take a closer look at toe wrestling, a traditional contest that comes from English culture.
Toe wrestling is a sport in which two contestants lock their toes together and then try to bring the opponent down using specific techniques. It resembles ordinary wrestling, except that here the contest is fought with the toes rather than the hands.
This unusual sport is normally played barefoot, with contestants fighting to pin the opponent's foot down on a small arena set up for the purpose. Sportsmanship and strategy in flipping or locking the toes are the keys to success in the competition.
Toe wrestling began in England in 1976, in a small town in Staffordshire. It was originally devised as entertainment at a local pub and grew into an annual event that draws contestants and spectators from many regions.
Over time, toe wrestling became a traditional competition loved by many people, and it is still kept alive
In previous blog posts, I described the ARP issues in EVPN environments, starting with centralized routing, and then asymmetric IRB with unicast (per-leaf-switch) first-hop gateways. Of course, no self-respecting vendor would tell you to do that; anycast gateways are all the rage these days.
As always, anycast gateways could mean different things, depending on which vendor documentation you read ;)
SONiC (Software for Open Networking in the Cloud) is a Linux-based open-source network operating system that was originally developed at Microsoft and is now maintained by a broader open-source community. Its core idea is that the same network operating system can run on switch platforms from multiple hardware vendors. This reduces vendor lock-in and provides a more consistent operational model across different environments.
SONiC can also be viewed as an abstraction layer between network operators and the underlying switch hardware. Instead of learning and managing several vendor-specific operating systems, operators can use a common software architecture and management model across different switch platforms. This simplifies network operations, automation, monitoring, and telemetry collection. It can also reduce operational errors caused by configuration differences between platforms and make it easier to onboard new engineers.
Organizations can choose the hardware platform that best meets their technical, operational, and business requirements without being tied to a single software ecosystem. Some vendors provide commercially supported SONiC distributions together with professional support services, while others support community-based deployments or customer-tailored implementations. The appropriate model depends on the organization's operational requirements and support expectations.
From an architectural perspective, SONiC is a modular and container-based system. Major
When we first launched DMARC Management, it was driven by a simple belief: every domain on the Internet deserves strong email authentication, and cost should never be the reason it doesn't happen. As part of our mission to help build a better Internet, we made DMARC Management available for free to every Cloudflare customer. We wanted to give everyone the tools to understand and improve their DMARC posture without needing to hire an email security consultant or parse XML report files by hand.
Today, we are taking that commitment further. Cloudflare DMARC Management is now generally available, with a redesigned experience built to help you reach full DMARC enforcement as easily as possible.
The DMARC Management dashboard offers a unified view of your email authentication posture.
Every time someone receives an email "from" your domain, their email provider asks a simple question: did the real owner of this domain actually send this? Without a way to answer that question, anyone can send an email pretending to be you and your recipients will have no way to tell the difference.
Email authentication is the set of DNS records that answers that question. There
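To make the question above concrete, here is an added example (not Cloudflare's code) of how a receiving mail server evaluates DMARC for one message: it parses the domain's published DMARC record, checks whether the SPF or DKIM result is aligned with the From: domain under the record's adkim/aspf modes, and applies the p= policy on failure, following the RFC 7489 rules. The domain names, the DMARC record and the authentication results are all constructed for illustration; the organizational-domain logic is simplified (a real receiver consults the Public Suffix List) and pct= sampling is ignored.

```python
# Added example (not Cloudflare's code): DMARC evaluation for one message,
# given the From: domain, the SPF and DKIM results, and the published record.
from dataclasses import dataclass
from typing import Optional

# Constructed record, as it would be published in a TXT record at
# _dmarc.example.com. adkim=s demands an exact DKIM d= match; aspf=r accepts
# any SPF domain inside the same organizational domain.
SAMPLE_DMARC_TXT = "v=DMARC1; p=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into its tags, applying RFC 7489 defaults."""
    tags = {}
    for field in txt.split(";"):
        field = field.strip()
        if not field:
            continue
        name, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {field!r}")
        tags[name.strip().lower()] = value.strip()
    # v= and p= are mandatory; receivers ignore a record that fails either
    # check, which means the domain effectively has no DMARC policy.
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels. A real receiver
    uses the Public Suffix List so that names like example.co.uk work."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') only needs
    the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


@dataclass
class AuthResults:
    """SPF and DKIM outcomes for one message (constructed input)."""
    from_domain: str                   # domain of the RFC5322.From header
    spf_domain: Optional[str] = None   # MAIL FROM domain that SPF evaluated
    spf_pass: bool = False
    dkim_domain: Optional[str] = None  # d= of a signature that verified
    dkim_pass: bool = False


def evaluate_dmarc(results: AuthResults, record: dict) -> tuple:
    """Return (dmarc_result, disposition). DMARC passes if SPF or DKIM both
    passed and is aligned with From:; otherwise the p= policy applies."""
    spf_ok = results.spf_pass and aligned(results.spf_domain, results.from_domain, record["aspf"])
    dkim_ok = results.dkim_pass and aligned(results.dkim_domain, results.from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    # pct= sampling is not modelled here; behaves as pct=100.
    return ("fail", record["p"])


if __name__ == "__main__":
    rec = parse_dmarc(SAMPLE_DMARC_TXT)
    legit = AuthResults("example.com", spf_domain="bulk.example.com", spf_pass=True,
                        dkim_domain="mail.example.com", dkim_pass=True)
    print(evaluate_dmarc(legit, rec))   # SPF aligned under relaxed mode -> pass
    spoof = AuthResults("example.com", spf_domain="attacker.test", spf_pass=True)
    print(evaluate_dmarc(spoof, rec))   # nothing aligned -> fail, quarantine
```

The spoof case shows why a valid SPF pass for some other domain is not enough: the attacker's own domain can pass SPF, but it is not aligned with the From: domain the recipient sees, so the domain owner's policy is applied. Note also that the legitimate message fails DKIM alignment under adkim=s because the signature's d= is a subdomain; switching that tag to r would make it align, which is the kind of trade-off a DMARC report dashboard is meant to surface.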
In 2008, I landed my second job, in the network team at Orange Portails, the division behind the websites and search engine of the French telecom operator Orange. The place ran like clockwork: a comprehensive technical setup, a dedicated team for every part of the business, and room to focus on what I do best. A few years later, none of that mattered: thanks to an obsession with the numbers, we could no longer deliver new services on time.
Disclaimer
This is a story I like to tell to warn people about Goodhart’s law. As these events happened almost 15 years ago, my recollection is a bit fuzzy. I left in 2012.
During my first years, the department operated like a startup. Its cradle was the French company Echo. They built a search engine. France Télécom bought it and renamed it Voila. It was the most visited search engine in France in the early 2000s. France Télécom consolidated the portal activities into the Wanadoo Portails division, later renamed Orange Portails.
The technical environment was excellent. We had many internal tools: a ticket system, an RRD-based graphing tool, an IPAM, a reporting tool, and an SNMP-based
Chris Grundemann wrote an interesting article arguing that you should structure your network operations around teams, not heroes.
Even if you feel you’re perfectly OK with your network being held together by exhausted heroes (and duct tape), it could be a bit harder to deploy network automation in an always-busy hero culture. However, the choice, as they say, is yours.
Today, we’re excited to share that key members of the team at Ensemble AI are joining Cloudflare to help accelerate our work in AI infrastructure and make it easier for developers to run powerful AI models efficiently at scale.
Ensemble AI, founded in 2023 in San Francisco, has spent the last few years focused on one of the most important challenges in AI: making large models faster, smaller, and more cost-effective to serve, without sacrificing quality. The team has developed new approaches to model compression and efficient inference that are designed to reduce the memory, compute, and deployment overhead of large language models and multimodal architectures.
As AI becomes a core part of how developers build applications, the economics of inference matter more than ever. Models are getting larger; workloads are becoming more dynamic. And customers increasingly expect AI to be available everywhere: globally distributed, fast, reliable, and affordable. Bringing the Ensemble AI team into Cloudflare strengthens our ability to make that possible.
The team at Ensemble AI has focused on preserving the structure inside modern AI models while reducing the cost of running them. Instead of treating model efficiency as only a quantization or hardware problem,
I started my part of the Segment Routing workshop @ ITNOG10 exploring SR-MPLS with IS-IS (simple SR-MPLS, dual-stack SR-MPLS, SR-MPLS over unnumbered IPv4 interfaces). Next step: let’s change the routing protocol to OSPF while using the same network topology:
This is a follow-up to a previous post about raytracing Quake demos.
But first, the money shot:
And flat shaded and textured videos. Youtube is Very Aggressive™ with its compression, so the quality there is not good. For pixel quality the above images showcase it better.
One of my original reasons for creating the quake demo povray files is that it was a good source of data for 3D experiments. POV-Ray is a great raytracer, though entirely CPU (no GPU) and no longer state of the art.
POV-Ray has plenty of built in options, but takes forever to render the 30-60fps demos I want to play with.
Also POV-Ray is AGPL now, so nope nope nope nope nope. That’s a dead end.
We live in interesting times. We could be living in a time when no two people are running the same email client, or music player, or shell. There used to be a barrier to writing these things custom. I know people who wrote their own shell and use it as a daily driver. I wrote my own email client, and use that.
There are many people out there, me included, who
Step CA is an open-source private CA made by Smallstep. I will use it to generate certificates for some components in my lab.
First we install the dependencies:
sudo apt-get update && sudo apt-get install -y --no-install-recommends curl gpg ca-certificates
Then we get the Smallstep repository signing key:
sudo curl -fsSL https://packages.smallstep.com/keys/apt/repo-signing-key.gpg -o /etc/apt/keyrings/smallstep.asc
Then we add the Smallstep repository:
cat << 'EOF' | sudo tee /etc/apt/sources.list.d/smallstep.sources > /dev/null
Types: deb
URIs: https://packages.smallstep.com/stable/debian
Suites: debs
Components: main
Signed-By: /etc/apt/keyrings/smallstep.asc
EOF
Then we install step-cli and step-ca:
sudo apt-get update && sudo apt-get -y install step-cli step-ca
Then we check the install:
step-ca version
Smallstep CA/0.30.2 (linux/amd64)
Release Date: 2026-03-23T00:18:00Z

step version
Smallstep CLI/0.30.4 (linux/amd64)
Release Date: 2026-06-10T06:10:28Z
Next, we’ll run the initializer:
step ca init \
  --name "lostintransit.se" \
  --dns "stepca.lostintransit.se" \
  --address ":443" \
  --provisioner "[email protected]"
Deployment Type: Standalone
Choose a password for your CA keys and first provisioner.
[leave empty and we'll generate one]:
Generating root certificate... done!
Generating intermediate certificate... done!

Root certificate: /home/ddib/.step/certs/root_ca.crt
Root private key: /home/ddib/.step/secrets/root_ca_key
Root fingerprint: 8f08102ae41eb7fc6a57f62fbaccaf82cb7a67dbedca858a0352a75b4fa763cd
Intermediate certificate: /home/ddib/.step/certs/intermediate_ca.
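The root fingerprint printed by step ca init is the value clients pin before they trust the new CA (step ca bootstrap --ca-url https://stepca.lostintransit.se --fingerprint <fingerprint>), so it is worth knowing exactly what it is: the hex SHA-256 of the DER-encoded root certificate. The following is an added example, not Smallstep's code, that recomputes that fingerprint from a root_ca.crt obtained out of band and compares it to the expected value. The DER bytes used as input are a constructed stand-in rather than a real certificate; the PEM handling and hashing do not depend on the body being valid X.509.

```python
# Added example (not Smallstep's code): verify a root certificate against the
# fingerprint printed by `step ca init` (SHA-256 over the DER encoding).
import base64
import hashlib
import hmac

# Constructed stand-in for the DER bytes of a root certificate.
SAMPLE_DER = bytes(range(256)) * 2


def pem_to_der(pem_text: str) -> bytes:
    """Strip the armour of the first CERTIFICATE block and base64-decode it."""
    lines = pem_text.strip().splitlines()
    try:
        start = lines.index("-----BEGIN CERTIFICATE-----")
        end = lines.index("-----END CERTIFICATE-----", start)
    except ValueError:
        raise ValueError("no CERTIFICATE block found") from None
    body = "".join(line.strip() for line in lines[start + 1:end])
    return base64.b64decode(body, validate=True)


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (64-column base64); used to build input."""
    b64 = base64.b64encode(der).decode("ascii")
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"


def sha256_fingerprint(der: bytes) -> str:
    """Lowercase hex SHA-256 of the DER certificate, the form step prints."""
    return hashlib.sha256(der).hexdigest()


def normalize_fingerprint(fp: str) -> str:
    """Accept the plain hex step prints or a colon-separated, upper-case form."""
    return fp.replace(":", "").strip().lower()


def root_fingerprint_matches(pem_text: str, expected_fp: str) -> bool:
    """True if the certificate's SHA-256 fingerprint equals the expected one.
    Constant-time comparison, so a partial match leaks nothing via timing."""
    actual = sha256_fingerprint(pem_to_der(pem_text))
    return hmac.compare_digest(actual, normalize_fingerprint(expected_fp))


# PEM built from the constructed DER, standing in for a downloaded root_ca.crt.
SAMPLE_PEM = der_to_pem(SAMPLE_DER)

if __name__ == "__main__":
    expected = sha256_fingerprint(SAMPLE_DER)       # what `step ca init` would print
    print(expected)
    print(root_fingerprint_matches(SAMPLE_PEM, expected))   # True
    print(root_fingerprint_matches(SAMPLE_PEM, "00" * 32))  # False
```

In practice the expected value comes from the terminal where step ca init ran (or another trusted channel), and the certificate comes from the CA's bootstrap endpoint; a mismatch means the downloaded root must not be installed.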
I’ve been able to find some time, lately, to work on my project backlog. And because it’s 2026, I’ve been using AI as a diligent intern.
I’ve ranted before about seccomp, but still used it for a project or two. But then, rarely, it triggered an unexpected openat. That’s exactly the kind of thing I do want to detect and kill the binary for, so I don’t just want to allow it. I want to know where it’s coming from.
strace showed it’s trying to read /proc/sys/vm/overcommit_memory.
It’s certainly not my code. But just the Rust transitive dependency tree is quite a few crates:
$ cargo tree | sed -r 's/^[^a-z]+//;s/ .*//' | sort -u | wc -l
236
Step 1 was to run it in gdb and reproduce the problem. But it’s a bit trickier than that, because seccomp fully kills the process, so no backtrace. And setting breakpoints requires a few more syscalls to work, just for the process to work under gdb (e.g. sigaltstack). And it turns out some calls fail with EINTR if running under a debugger.
Yes, I can fix all these things. But why not put the AI intern on it?