Why we need a unified approach to Kubernetes environments

Today, organizations struggle managing disparate technologies for their Kubernetes networking and network security needs. Leveraging multiple technologies for networking and security for in-cluster, ingress, egress, and traffic across clusters creates challenges, including operational complexities and increased costs. For example, to manage ingress traffic for Kubernetes clusters, users cobble together multiple solutions from different providers such as ingress controllers or gateways and load balancers for routing traffic, as well as Web Application Firewalls (WAFs) for enhanced security.

Despite the challenges it brings, deploying disparate technologies has been a “necessary evil” for organizations to get all the capabilities needed for holistic Kubernetes networking. Here, we’ll explore challenges this proliferation of tooling introduces, and provide actionable tips for today’s platform and security teams to overcome these issues.

Challenges Managing Multiple Technologies

The fragmented approach to networking and network security in Kubernetes leads to challenges and inefficiencies, including:

  • Operational overhead: Each technology comes with its own learning curve, setup, configuration, integration, and maintenance requirements. This leads to a challenging user experience.
  • Increased costs: Licensing and operational costs accumulate as more tools are deployed.
  • Scaling challenges: As clusters grow or spread across diverse environments, ensuring consistent and secure networking becomes harder.
  • Security gaps: Disjointed solutions Continue reading

Repost: On the Advantages of XML

Continuing the discussion started by my Breaking APIs or Data Models Is a Cardinal Sin and Screen Scraping in 2025 blog posts, Dr. Tony Przygienda left another thoughtful comment worth reposting as a publicly visible blog post:

Having read your newest rant around my rant ;-} I can attest that you hit the nail on the very head in basically all you say:

  • XML output big? yeah.
  • JSON squishy syntax? yeah.
  • SSH prioritization? You didn’t live it until you had a customer where a runaway python script generated 800+ XML netconf sessions pumping data ;-)
Read more …

What is an EVPN Type 5 Route for (EVPN/VXLAN)

For EVPN/VXLAN, Type 5 routes are used for two purposes: Internally and Externally

Internally it’s used to communicate which VTEPs have a given subnet instantiated on it.

Here’s an example of the output of the command show ip bgp route-type ip-prefix ipv4 on an Arista cEOS spine running EVPN/VXLAN.

It’s showing you that 10.1.10.0/24 (VLAN 10/VNI 10010) is only available on leaf1 and leaf2 (10.1.255.1-2) and 10.1.20.0/24 (VLAN 20/VNI 10020) is only available on leaf3 and leaf4 (10.1.255.3-4). It’s eBGP so each leaf has its own ASN (you see in the path field). The next hop shows the VTEP IP (10.1.254.1-4). I checked on the spine as the spine receives all the EVPN routes from the leafs and propagates them as a route server. The spines don’t install any of these routes, they just propagates them.

       Network                Next Hop              Metric  LocPref Weight  Path

 * >      RD: 10.1.255.1:10000 ip-prefix 10.1.10.0/24
                                 10.1.254.1            -       100     0       65101 i
 * >      RD: 10.1.255.2:10000 ip-prefix 10.1.10.0/24
                                 10.1.254.2            -       100     0       65102 i
  Continue reading

Companies Must Embrace Bespoke AI Designed for IT Workflows

Although LLMs have been readily available for the past few years, inroads into the IT sector have been minimal. We have seen successful generative AI (GenAI) model penetration into SaaS solutions and areas like help desks; however, successful GenAI integration into security software has been few and far between. Generally speaking, it is not easy to repurpose an LLM to work within a security domain. LLMs are optimized for natural language; they can’t immediately understand or process security elements such as flow packets, logs, alerts, and knowledge graphs. To build out effective genAI integration in the security sphere, it’s time to embrace bespoke, foundational AI for IT workflows. AI Model Efficiency The recent trend toward building out models more efficiently, as opposed to scaling at all costs, is a natural progression of GenAI tools in the enterprise space. Despite all the LLM hype, not every business problem requires an LLM solution. If you utilize LLMs within your infrastructure, it’s best to right-size them (distill them into smaller models that address specific business problems) while focusing on privacy, security, and explainability. By right-sizing your models, compute is kept to a minimum, which prevents costs from being passed on to your customers. Continue reading

Lenovo Breaks Even On Datacenter Hardware, Makes It Up In Services

Here is how you know you are in a tough business: No matter what you do, no matter how hard your people work and how smart they are, no matter that you are riding the wild tiger of AI growth and revenues have grown marvelously, you can’t make any money.

Lenovo Breaks Even On Datacenter Hardware, Makes It Up In Services was written by Timothy Prickett Morgan at The Next Platform.

Cloudflare named in 2025 Gartner® Magic Quadrant™ for Security Service Edge

For the third consecutive year, Gartner has named Cloudflare in the Gartner® Magic Quadrant™ for Security Service Edge (SSE) report. This analyst evaluation helps security and network leaders make informed choices about their long-term partners in digital transformation. We are excited to share that Cloudflare is one of only nine vendors recognized in this year’s report. You can read more about our position in the report here.

What’s more exciting is that we’re just getting started. Since 2018, starting with our Zero Trust Network Access (ZTNA) service Cloudflare Access, we’ve continued to push the boundaries of how quickly we can build and deliver a mature SSE platform. In that time, we’ve released multiple products each year, delivering hundreds of features across our platform. That’s not possible without our customers. Today, tens of thousands of customers have chosen to connect and protect their people, devices, applications, networks, and data with Cloudflare. They tell us our platform is faster and easier to deploy and provides a more consistent and reliable user experience, all on a more agile architecture for longer term modernization. We’ve made a commitment to those customers to continue to deliver innovative solutions with the velocity and resilience Continue reading

Resolving a request smuggling vulnerability in Pingora

On April 11, 2025 09:20 UTC, Cloudflare was notified via its Bug Bounty Program of a request smuggling vulnerability in the Pingora OSS framework discovered by a security researcher experimenting to find exploits using Cloudflare’s Content Delivery Network (CDN) free tier which serves some cached assets via Pingora.

Customers using the free tier of Cloudflare’s CDN or users of the caching functionality provided in the open source pingora-proxy and pingora-cache crates could have been exposed.  Cloudflare’s investigation revealed no evidence that the vulnerability was being exploited, and was able to mitigate the vulnerability by April 12, 2025 06:44 UTC within 22 hours after being notified.

What was the vulnerability?

The bug bounty report detailed that an attacker could potentially exploit an HTTP/1.1 request smuggling vulnerability on Cloudflare’s CDN service. The reporter noted that via this exploit, they were able to cause visitors to Cloudflare sites to make subsequent requests to their own server and observe which URLs the visitor was originally attempting to access.

We treat any potential request smuggling or caching issue with extreme urgency.  After our security team escalated the vulnerability, we began investigating immediately, took steps to disable traffic to vulnerable components, and deployed Continue reading

Response: True Unnumbered Interfaces

Hendrik left an interesting comment on my Running IS-IS over Unnumbered Ethernet Interfaces blog post:

FRRouting (Linux) with pure IS-IS, the only way it currently (10.3) works is to copy the loopback IPv4 address to the interfaces that you need to do IPv4 routing on. The OpenFabric (IS-IS “extension” draft) does support true unnumbered interfaces and routes IPv6.

Let’s unpack this. There are (at least) four reasons a router needs an address associated with an interface1:

Read more …

What’s New in Calico: Spring 2025

Introducing Calico Cloud Free Tier

Calico provides a unified platform for all your Kubernetes networking, network security, and observability requirements. From ingress/egress management and east-west policy enforcement to multi-cluster connectivity, Calico delivers comprehensive capabilities. It is distribution-agnostic, preventing vendor lock-in and offering a consistent experience across popular Kubernetes distributions and managed services. Calico eliminates silos, providing seamless networking and observability for containers, VMs, and bare metal servers, and extends effortlessly to multi-cluster environments, in the cloud, on-premises, and at the edge.

With the recent release of Calico Open Source 3.30, we added:

  • Improved observability to visualize and troubleshoot workload communication with Calico Whisker and the Goldmane API.
  • Kubernetes Network Policies are critical for preventing ransomware, achieving microsegmentation to isolate sensitive assets for compliance, and thwarting attacks from malicious actors. However, implementing them effectively can be challenging due to the complexity of identifying, testing, and rapidly updating policies to meet evolving threats. Calico Open Source 3.30 introduces staged policies to enable teams to audit and validate policies before they are enforced, reducing the risk of misconfigured policies and improving security and compliance.
  • The ability to manage Kubernetes ingress traffic with Calico Ingress Gateway, a 100% upstream, enterprise-ready implementation Continue reading

🤖 AI Customer Support using an Agentic Framework

In this blog, I’ll walk you through the design, development, and lessons learned while building a multi-agent AI customer support assistant using the LangChain framework and related AI tools. 🎮💬 🎯 Motivation: Why Build This? At KGeN, a game aggregation platform connecting publishers and gamers, our primary users are gamers and clan chiefs (micro-community leaders). … Continue reading 🤖 AI Customer Support using an Agentic Framework

Bringing connections into view: real-time BGP route visibility on Cloudflare Radar

The Internet relies on the Border Gateway Protocol (BGP) to exchange IP address reachability information. This information outlines the path a sender or router can use to reach a specific destination. These paths, conveyed in BGP messages, are sequences of Autonomous System Numbers (ASNs), with each ASN representing an organization that operates its own segment of Internet infrastructure.

Throughout this blog post, we'll use the terms "BGP routes" or simply "routes" to refer to these paths. In essence, BGP functions by enabling autonomous systems to exchange routes to IP address blocks (“IP prefixes”), allowing different entities across the Internet to construct their routing tables.

When network operators debug reachability issues or assess a resource's global reach, BGP routes are often the first thing they examine. Therefore, it’s critical to have an up-to-date view of the routes toward the IP prefixes of interest. Some networks provide tools called "looking glasses" — public routing information services offering data directly from their own BGP routers. These allow external operators to examine routes from that specific network's perspective. Furthermore, services like bgp.tools, bgp.he.net, RouteViews, or the NLNOG RING looking glass offer aggregated, looking glass-like lookup capabilities, drawing Continue reading

1 42 43 44 45 46 3,832