2025-12¶

2025-12-31
in Policy-as-Code, Kubernetes, Automation
4 min read

The Policy That Wrote Itself

12 teams. 47 namespaces. 1 security requirement. 0 teams wanted to write policies.

The mandate came down: all workloads need pod security policies. No root containers. No privileged escalation. No host volumes. Standard stuff. Every team got the requirement. Then the work stalled.

Policy-as-Code is powerful. Enforcement at admission time stops bad deployments before they reach etcd. But power has a price: someone has to write YAML.

Team A wrote a policy. 34 lines. Solid.

Team B copy-pasted it. Forgot to update the label selectors. Now it applies to everything, including system services. Everything gets rejected. Team B spends four hours debugging why their monitoring won't deploy.

Team C started from scratch. Different syntax. Nested conditions. Hard to read. Works, mostly.

Team D went with "we'll do it next sprint." Still waiting.

The pattern was obvious: enforcement is easy. Enforcement at scale isn't. Every team writing their own policies means every team makes the same mistakes.

Same mistakes repeated 12 times is an incident waiting to happen.

2025-12-30
in Compliance, SDLC, Security
5 min read

The Checklist That Passed the Audit

Audit notice: 30 days. Evidence requested: everything.

Two weeks of scrambling. Teams pulling logs. Spreadsheets cross-checking commits. Patch requests hunting for proof that code reviews actually happened. Documentation written in panic mode. Governance questions without answers. A process that lived in people's heads, not in tooling.

Then one team showed their checklist. One list. One enforcement mechanism. Every claim tied to evidence collected automatically.

Audit was over in 2 weeks instead of 6.

2025-12-29
in Documentation, Patterns, DevOps
4 min read

Strangling Your Documentation: A Meta-Journey

You know the pattern. Build the new thing alongside the old. Ensure compatibility. Swap when ready. Remove the old.

I just spent a day writing about zero-downtime platform migrations using the Strangler Fig pattern. The irony? I nearly broke that exact pattern while documenting it.

Here's what happened.

2025-12-28
in Go, Kubernetes, Engineering Patterns
6 min read

The CLI That Replaced 47 Shell Scripts

47 shell scripts. 12 CronJobs. Zero test coverage. One production incident that forced a rebuild.

The kubectl plugin pattern couldn't handle our complexity. Shell scripts worked until they didn't. No type safety. No testing. Debugging meant reading logs after failures.

Then came the rewrite: One CLI. 89% test coverage. Runs in CronJobs and Argo Workflows. Distroless container. Multi-arch binaries. Production deployments via Helm.

2025-12-27
in DevSecOps, Automation, Kubernetes
4 min read

The Queue That Deleted Itself

Eight workflows queued. Seven deleted themselves before execution. Zero wasted builds.

2025-12-26
in CI/CD, Code Quality, DevSecOps
3 min read

The Regex That Fixed Everything

Codecov components were configured. Five components, clean breakdown by package.

Codecov dashboard: "No report uploaded" for all components.

Coverage uploaded successfully. Components showed zero coverage.

The paths looked correct.

2025-12-25
in CI/CD, GitHub Actions, DevSecOps
3 min read

One Line: `secrets: inherit`

CODECOV_TOKEN worked perfectly in ci.yml.

Called ci.yml from release.yml as a reusable workflow. Codecov failed:

Error: Token required - not valid tokenless upload

Same token. Same workflow. Different result.

2025-12-24
in Kubernetes, Performance, DevSecOps
4 min read

Zero API Calls: The ConfigMap Pattern That Changed Everything

The workflows were slowing down. Not dramatically. Just... gradually. Week by week.

Then the logs started showing warnings: API rate limit approaching threshold.

100+ workflows per day. Each workflow making 2-3 Kubernetes API calls to read ConfigMaps. That's 200-300 API requests per day. Not sustainable.

2025-12-23
in Supply Chain Security, DevSecOps, Release Engineering
3 min read

The File That Wouldn't Verify: When Security Best Practices Contradict

The provenance file generated perfectly. Build completed. Release uploaded.

slsa-verifier failed:

Error: builder identity not recognized

Same workflow that worked last month. Nothing changed.

Except everything changed.

2025-12-22
in Go, DevSecOps, Developer Tools
3 min read

Go's Boring Security Tooling (And Why That's Perfect)

"What security tools do you use?"

I expected: Snyk. Semgrep. Custom vulnerability scanners. Expensive SaaS subscriptions.

The answer: go test -race.

That's it. That's the security tool.