Container Scanning Without the Security Theater
Most container scanning setups generate noise, not security. Here is how to build a pipeline that actually catches what matters.
Containers coverage in this archive spans 11 posts from Feb 2016 to Jul 2022 and focuses on reliability, delivery speed, and cost discipline as one system, not three separate concerns. The strongest adjacent threads are kubernetes, devops, and security. Recurring title motifs include container, kubernetes, containers, and production.
Kubernetes defaults are built for getting things running, not for keeping attackers out. A layered hardening walkthrough covering pods, RBAC, network policies, secrets, and the control plane.
Image scanning tells you what's in the box. Runtime security tells you what the box is doing. Here's how we lock down containers at Decloud with seccomp, network policies, Falco, and paranoia earned from NATO work.
Serverless is great until it isn't. A comparison of serverless and containers at different traffic scales, with actual numbers on where the economics flip.
Eight months after my first container security post, an update on what moved at the fintech startup and in the ecosystem — PodSecurityPolicy, image signing, and the shift from scratch to real.
Year two of running Kubernetes at the fintech startup. The panic is gone. Now it's networking, resource tuning, and all the operational grunt work nobody blogs about.
Containers give you process isolation, not a security boundary. I break down how we hardened images, locked down runtimes, and segmented networks at the fintech startup — plus the stuff nobody warns you about.
After a year of running Kubernetes in production, the wins are real but the sharp edges drew blood first. Here's what paid off, what bit us, and what I'd do differently.
A personal look back at what mattered in 2016 -- Docker going mainstream, Kubernetes momentum, Go adoption, and lessons from building at Dropbyke and a fintech startup.
A side-by-side comparison of Swarm, Kubernetes, and Mesos based on running all three in evaluation at Dropbyke. Kubernetes is going to win, but the operational tax is real.
Running Docker in production at Dropbyke forced us to get serious about image builds, container networking, log aggregation, and security. Here is what actually worked.