HackerTrans
TopNewTrendsCommentsPastAskShowJobs

bdesimone

no profile record

Submissions

It's always DNS part ∞: tracking down a use-after-free bug in Envoy's DNS

pomerium.com
5 points·by bdesimone·7 mesi fa·0 comments

Designing Smarter Health Checks for Pomerium

pomerium.com
6 points·by bdesimone·9 mesi fa·4 comments

comments

bdesimone
·9 mesi fa·discuss
Posting a coworker’s deep dive on the nuance of health checks that actually represent readiness. If you’ve had pods say "ready" while still failing traffic during rollouts, this will resonate.

Happy to answer any questions about the finer points of readiness checks in Pomerium, Envoy, and in general for systems running in systems like k8s, systemd, and so on.
bdesimone
·10 mesi fa·discuss
FWIW, I'm very happy to see this announcement. Full MCP support was the only thing holding me back from using GPT5 as my daily driver as it has been my "go to" for hard problems and development since it was released.

Calling out ChatGPT specifically here feels a bit unfair. The real story is "full MCP client access," and others have shipped that already.

I’m glad MCP is becoming the common standard, but its current security posture leans heavily on two hard things:

(1) agent/UI‑level controls (which are brittle for all the reasons you've written about, wonderfully I might add), and

(2) perfectly tuned OAuth scopes across a fleet of MCP servers. Scopes are static and coarse by nature; prompts and context are dynamic. That mismatch is where trouble creeps in.
bdesimone
·anno scorso·discuss
Genuinely, didn't take it that way at all! I don't expect you to be an expert on Pomerium.

> Funnily enough, Octelium started as a sidecar ext_authz svc for Envoy instances to operate as an IaP but I ended up creating my own Golang-based IaP, Vigil, from scratch because Envoy was just nothing but pain outside HTTP-based resources.

That's really funny... we went the opposite direction as the original versions were based on a custom Go proxy. Of course there are tradeoffs either way. Envoy is blazing fast, and does great with HTTP naturally, but has a giant configuration surface area (both pro and con), but we are now having to write some pretty low level filters /protocol capabilities in envoy for the other protocols we support (SSH, MCP, and so on) in C++ which does not spark joy. So I totally feel what you are saying.

Thanks for the kind words, though I am one of the contributors my colleague did the heavy lifting on the WebAuthN side.

Genuinely happy to see the release and where you are headed on the AI/MCP side. If you (or others) are interested, I am trying to bring more light to this model in the spec if you (or others) would like to weigh in: https://github.com/modelcontextprotocol/modelcontextprotocol...
bdesimone
·anno scorso·discuss
Quick note since it was mentioned. Pomerium does support Kubernetes at pretty much every level you mentioned (although I'm not entirely sure what a "a complete Kubernetes-tier platform" means) including:

- "remote access" : https://www.pomerium.com/docs/capabilities/kubernetes-access

- "access control" https://www.pomerium.com/docs/capabilities/authorization

- "visibility and auditing" : https://www.pomerium.com/docs/capabilities/audit-logs

- "user and identtiy management" https://www.pomerium.com/docs/capabilities/authentication to which I'd add device identity as well.

- "centralized policy management": https://www.pomerium.com/docs/capabilities/authorization & https://www.pomerium.com/docs/internals/ppl

- deployments using Ingress Controller or GatewayAPI https://www.pomerium.com/docs/deploy/k8s/ingress, https://www.pomerium.com/docs/deploy/k8s/gateway-api

- "for an arbitrary number of resources" not sure what to link to but there's no limit here

Congrats on the release. I saw your thread on MCP and completely agree with the approach. Happy to trade notes :)