Scott's Weblog The weblog of an IT pro focusing on cloud computing, Kubernetes, Linux, containers, and networking

Technology Short Take 141

Welcome to Technology Short Take #141! This is the first Technology Short Take compiled, written, and published entirely on my M1-based MacBook Pro (see my review here). The collection of links shared below covers a fairly wide range of topics, from old Sun hardware to working with serverless frameworks in the public cloud. I hope that you find something useful here. Enjoy!



  • Much has been said about the “snappy” feel of Apple’s new M1-based Macs, and this article takes a look at how Quality of Service (QoS) across the efficiency and performance cores may be the reason why these new Macs seem so responsive.
  • Here’s an entertaining tale of attempting to resurrect a Sun Ultra 1 Workstation.
  • John Gruber’s post on “Secure Intent” on Apple devices was, for me at least, an informative read. I hadn’t delved that much into Apple’s hardware security efforts around Secure Enclave, mostly due to the fact that I was running older Apple hardware (a fact that has since changed).


  • Hari Rana has a detailed discussion of security concerns regarding Flatpak (a packaging format for Linux applications).
  • Published back in January of this year, Sysdig’s container security and usage report reveals some interesting security trends.
  • This is an interesting look at how someone managed to transmit arbitrary data via Apple’s “Find My” network.
  • SentinelOne shares a list of “must-have” apps and tools for hackers working on a Mac.
  • Ugh—a new Rowhammer exploit/technique. More details are available here.
  • Want to learn more about X.509 certificates? Check this out.

Cloud Computing/Cloud Management

  • Sandy Cash has a two-part series on working with Kubernetes ConfigMaps (part 1 and part 2).
  • Alessandro Perilli has a very lengthy article on NoOps. I love his different “paths” to NoOps (like “No(rmalized)Ops” or “No(tMy)Ops”).
  • Rory McCune tackles the topic of permissions and RBAC in Kubernetes.
  • Sam Weston takes a look at EKS Managed Node Groups, examining both the good and bad aspects of this functionality, and provides some sample configurations.
  • I recently got turned on to Alex Mitelman’s System Design Weekly, which is like a super-cool version of Technology Short Takes but a bit more tightly focused. In any event, there’s a ton of great information available here, so I recommend checking it out.
  • How about a tutorial on installing Cilium and Linkerd in a Kubernetes cluster? Here you go.
  • For VMware-heavy customers, this post by Cormac Hogan that draws out the connections between the upstream Cluster API project and VMware’s TKG product may be helpful.

Operating Systems/Applications


  • Lee Briggs takes a look at Pulumi’s use of the Output type and the apply() method in writing declarative code using an imperative programming language.
  • Ahmet Alp Balkan shows how to serve up gRPC and HTTP from a Go app on Cloud Run. I like reading posts like this, because even though I don’t necessarily understand all the code (yet) I feel like exposing me to the code is still helpful. I could be wrong; time will tell.
  • AJ Stuyvenberg demonstrates how to use the serverless framework to enable and simplify the use of multiple stacks for developers and avoid trying to emulate cloud environments on laptops.


Career/Soft Skills

That’s all I have for now, but hopefully it’s enough to provide some helpful and useful reading over the weekend. I’m always open to hearing from readers, so feel free to reach out to me on Twitter, find me on Slack (I frequent the Kubernetes Slack instance), or send me an e-mail (my address isn’t hard to find). Thanks for reading!

Review: Logitech Ergo K860 Ergonomic Keyboard

As part of an ongoing effort to refine my work environment, several months ago I switched to a Logitech Ergo K860 ergonomic keyboard. While I’m not a “keyboard snob,” I am somewhat particular about the feel of my keyboard, so I wasn’t sure how I would like the K860. In this post, I’ll provide my feedback, and provide some information on how well the keyboard works with both Linux and macOS.


Setting up the K860 is remarkably easy. The first system I tried to pair it with was an older Mac Pro workstation, and apparently the Bluetooth hardware on that particular workstation wasn’t new enough to support the K860 (Logitech indicates that Bluetooth 5.0 is needed; more on that in a moment). Instead, I popped in the USB-A wireless receiver, and was up and running with the K860 less than a minute later. This was using macOS, but the Mac Pro also dual-booted Linux, so I rebooted into Linux and found that the K860 with the Logitech-supplied USB receiver continued to work without any issues.

Linux, macOS, and Dual Boot Support

The key takeaway regarding Linux is this: if you’re interested in getting the K860 for use with Linux, the included USB wireless receiver works great. I had zero issues with the keyboard, and I really liked that Logitech provided a way to switch the keyboard back and forth between PC and macOS keyboard layouts (press and hold Fn+P to switch to a PC layout—Cmd becomes Alt, Option becomes Start—or press and hold Fn+O to switch to a Mac layout).

Although the wireless receiver worked flawlessly with both Linux and macOS, including across reboots with a dual-boot system, Bluetooth did not fare so well. To be honest, I didn’t expect it to. At some point after getting the K860, I upgraded the Bluetooth hardware in the Mac Pro and switched the keyboard from the wireless receiver to Bluetooth. With that configuration, I needed to switch between two different “connections” (the K860 can be connected to up to 3 devices and you can switch between them using special keys on the keyboard) when rebooting between Linux and macOS. As I said, this was not entirely unexpected. For folks who are considering dual-boot configurations, the wireless receiver may be the best approach.


I mentioned earlier that Logitech specifies Bluetooth 5.0 as a requirement. I found this not to be entirely true; the keyboard paired and worked fine with a 2017 MacBook Pro, which identified itself as Bluetooth 4.2. That being said, the older Mac Pro, which identified itself as Bluetooth 2.0 before the Bluetooth hardware upgrade, didn’t work at all with the keyboard via Bluetooth, so there is definitely some sort of minimum Bluetooth requirement in play here. After the hardware upgrade on the Mac Pro to bring it up to Bluetooth 5.0, the K860 worked fine with that system.

Quality and Feel

The keyboard feels great. I like the responsiveness of the keys; touch typing is a pleasure. The noise from typing isn’t that loud, so if you’re a fan of a loud keyboard you may not like the K860. If you’re a huge fan of mechanical keyboards, you may not like this keyboard, either. Although I find that the keyboard provides more than sufficient tactile and auditory feedback, others may prefer more. Build quality seems fine; I haven’t noticed any issues with the keyboard. It’s solid and sits firmly on my desk. The padded wrist rest is enough to provide some additional support, but isn’t obnoxious enough to get in the way.


In summary, I’m happy with the K860. It took a little while to acclimate to the split keyboard layout, but after getting accustomed to it it’s really quite comfortable. The keyboard looks great (it goes well with my Space Gray Magic Trackpad 2), feels great, and works great. I guess you can’t really ask for much more than that, can you?

Feel free to hit me up if you have any questions, comments, or feedback. I love to hear from readers!

Review: 2020 M1-Based MacBook Pro

I hadn’t done a personal hardware refresh in a while; my laptop was a 2017-era MacBook Pro (with the much-disliked butterfly keyboard) and my tablet was a 2014-era iPad Air 2. Both were serviceable but starting to show their age, especially with regard to battery life. So, a little under a month ago, I placed an order for some new Apple equipment. Included in that order was a new 2020 13" MacBook Pro with the Apple-designed M1 CPU. In this post, I’d like to provide a brief review of the 2020 M1-based MacBook Pro based on the past month of usage.

The “TL;DR” of my review is this: the new M1-based MacBook Pro offers impressive performance and even more impressive battery life. While the raw performance may not “blow away” its 2020 Intel-based counterpart—at least, it didn’t in my real-world usage—the M1-based MacBook Pro offered consistently responsive performance with a battery life that easily blew past any other laptop I’ve ever used, bar none.

Read on for more details.


The build quality is really good, with a significant improvement in keyboard quality relative to the earlier butterfly keyboard models (such as my 2017-era MacBook Pro). However, the overall design of the laptop remains identical to earlier models. In some respects, that’s OK; for example, I don’t mind the oversized trackpad, and given that this is my first laptop with the Touch Bar I’m finding I don’t really mind it either. (I wouldn’t say I like it, necessarily, but I don’t hate it.) In other areas, like connectivity, sticking to the previous design means having a limited number of Thunderbolt/USB-C ports instead of a full complement of ports. There are rumors that the “next-generation” MacBook Pros will have updated Apple-designed CPUs and more ports; we shall see soon (since Apple’s Worldwide Developer Conference [WWDC] is just around the corner).

Although the updated keyboard (aka the “Magic Keyboard”, a marketing name that Apple seems to splash on every keyboard they make these days) is far better than the butterfly keyboard, I would still rank the keyboard on the Lenovo X1 Carbon higher (see my review of a 5th generation X1 Carbon). That being said, though, at least I don’t hate typing on the M1-based MacBook Pro, and the typing noise is far reduced.

Finally, I’m finding the addition of Touch ID to be a useful and practical addition. Apple is certainly not alone in providing fingerprint readers on their laptops and other devices, but the integration here between hardware and software makes the addition of a fingerprint reader something that actually positively impacts the day-to-day user experience.

Speaking of software…


The M1-based MacBook Pro, along with all other models based on Apple-designed ARM CPUs, ship with macOS 11 “Big Sur”. Because earlier versions of macOS didn’t support ARM-based CPUs, and given that a fair amount of user value is derived from the tight integration of hardware and software, I think it’s reasonable to discuss macOS 11 in the context of a review of my 2020 M1-based MacBook Pro.

Touch ID is a great example (this isn’t new to macOS 11, however). As I mentioned a couple paragraphs above, the addition of a fingerprint reader at the hardware level isn’t revolutionary at all. However, providing OS-level constructs to use that fingerprint reader to authenticate the user does make a difference in the day-to-day usage of the product.

Similarly, integrations between macOS 11 and iOS via features like Handoff, Airdrop, and others are practically useful integrations that enhance the user experience. Again, although none of these features are new to macOS 11, they are present (maybe improved?) in macOS 11 and are worth mentioning here, I think.

Another area where software enhances the hardware is through macOS' use of Quality of Service (QoS) in placing workloads across the efficiency and performance cores of the M1 CPU. This article provides some good details on this QoS, and my own observations of CPU utilization during my day-to-day usage mirror the findings outlined in the article.

Apple’s use of Rosetta 2 seems to work well; I’ve run several Intel-based applications, both GUI and text-based, without any issues. I also haven’t noted any performance concerns, although I have not specifically conducted any performance tests. I mention this simply to assuage concerns about running older Intel-based applications on the M1-based hardware. That being said, I will note that finding ARM-native versions of popular GUI apps is becoming easier (this site is helpful, BTW), but finding ARM-native command-line interface (CLI) tools may be a bit more difficult. Homebrew helps quite a bit here.

Unlike some reports, I haven’t had any issues with the overall stability of macOS 11. It’s been pretty rock-solid for me. I’m also finding that I don’t really mind the refreshed UI in macOS 11, although it is a bit inconsistent in areas (have a look at the UI for the macOS Preview app, for example, and compare the window when the markup tools are showing versus when they are hidden).


The new M1-based MacBook Pro offers respectable performance while also delivering amazing battery life. In my real-world usage, I haven’t found it to be “incredibly faster” than Intel-based competitors, but the combination of the Apple-designed CPU plus QoS mechanisms in macOS 11 “Big Sur” provide a consistently responsive user experience and fewer instances of the “spinning beachball.” I’m sure some operations are just plain faster, especially when the application is an ARM-native application (as more and more are), but I haven’t personally experienced any such instances yet. Your mileage may vary, of course. All in all, I’m pretty pleased with the laptop and the user experience.

Feel free to contact me if you have any questions. I’d also love to hear impressions from other M1-based Mac users; perhaps I can publish another post with other users' feedback. You can drop me an e-mail (my address isn’t too hard to find or figure out), or contact me on Twitter (my DMs are open).

The Next Step

The Greek philosopher Heraclitus is typically attributed as the creator of the well-known phrase “Change is the only constant.” Since I left VMware in 2018 to join Heptio, change has been my companion. First, there was the change of focus, moving to a focus on Kubernetes and related technologies. Then there was the acquisition of Heptio by VMware, and all the change that comes with an acquisition. Just when things were starting to settle down, along came the acquisition of Pivotal by VMware and several more rounds of changes as a result. Today, I mark the start of another change, as I begin a new role and take the next step in my career journey.

Last week, I announced via Twitter that I was leaving VMware to explore a new opportunity. Today, I start at Kong, Inc., as a Principal Field Engineer. Kong, if you aren’t already familiar, is a company focused on service connectivity for modern architectures, with products like their eponymous API gateway and the Envoy-powered Kuma service mesh. I’m really looking forward to getting much more familiar with Envoy, the Kong API gateway, Kuma, and related projects and technologies. I still get to be involved with Kubernetes, since these products support Kubernetes, and so this allows me to continue to build upon the experience and knowledge I’ve gathered over the last few years while still pushing me in new directions.

(Rest assured, by the way, that stuff I learn will continue to make its way onto this site, just as it has for the last 16 years. I’ll still be sharing my knowledge with anyone who’s interested!)

I’m also excited to get to know the Kong team. This is a “two for one” bonus for me; not only do I get to meet lots of new and very talented people from whom I can learn and grow, but I also get to work with some folks with whom I’ve worked before (you know who you are!). Our industry really is a small industry, and I’m thankful to cross paths with these folks once more.

Feel free to contact me on Twitter (my DMs are open), and stay tuned as I take this next step. New challenges, new accomplishments, new friendships, and new knowledge await!

Technology Short Take 140

Welcome to Technology Short Take #140! It’s hard to believe it’s already the start of May 2021—my how time flies! In this Technology Short Take, I’ve gathered some links for you covering topics like Azure and AWS networking, moving from macOS to Linux (and back again), and more. Let’s jump right into the content!




  • Peyton Smith and Mitchell Moser share seven common Microsoft Active Directory misconfigurations that adversaries tend to abuse.
  • Paulos Yibelo describes exploiting macOS with a text file.
  • The folks at Netskope have a pair of blog posts on GCP OAuth token hijacking in Google Cloud (part 1, part 2). These are older posts, from August 2020, and I honestly don’t know if the vulnerability still exists (or if it has been patched). If you’re a Google Cloud user, this may be worth a closer examination to make sure your accounts are safe.
  • Most of this was beyond my comprehension, but I found the tale fascinating to read nevertheless.

Cloud Computing/Cloud Management

  • Stefan B├╝ringer talks about optimizing Open Policy Agent (OPA)-based Kubernetes authorization. Note that this is a slightly older post (about 2 years old), so some of it may no longer apply to the latest versions of OPA and Gatekeeper.
  • This post by “xssfox” takes an interesting (to me) look at a security hole created through the use of an automated code pipeline deploying to a production website.
  • I’ve noted several pundits/experts who have noted the transformational nature of AWS Lambda, and the impact it is having/will have on AWS and its offerings. The introduction of S3 Object Lambda is just the latest example, it seems.
  • Chris Evans examines the pricing of virtual instances compared to managed servie offerings as he ponders how hyper-scalers like AWS, Azure, and Google will go about/are going about optimizing service density (i.e., maximizing revenue per hardware instance). It’s an interesting observation, for sure (at least, it’s interesting to me).
  • Marco Lancini discusses security logging in AWS environments.
  • Pulumi recently released version 3; get more details on the latest release in this blog post.

Operating Systems/Applications

  • Justin Garrison shares some thoughts on whiteboarding software (and hardware).
  • Here is a reminder why time synchronization remains important.
  • Carlos Fenollosa has a series of articles describing his attempt to move to Linux from macOS, and why he came back. Part 3 of the series, found here, describes some of the challenges with desktop Linux and why, in his words, “the grass is not greener on the other side.”
  • Paddy Kelly shows how to filter JSON data in Ansible using json_query.
  • Ivan Pepelnjak’s mention of Network to Code’s Schema Enforcer tool sent me down the rabbit hole of JSON Schema and validation. Don’t be surprised if you see a blog post on this topic pop up soon.
  • If you’re new to vim, this post may be helpful.




  • William Lam outlines some enhancements for USB NIC-only installations that appeared in ESXi 7.0 Update 2.

Career/Soft Skills

That’s all for now! I hope that I have shared something useful with you. If you have feedback, or if you just want to say hi, feel free to hit me on Twitter, or find me on one of the various Slack communities I frequent. Have a great weekend!

Recent Posts

Making Firefox on Linux use Private Browsing by Default

While there are a couple different methods to make Firefox use private browsing by default (see this page for a couple methods), these methods essentially force private browsing and disable the ability to use “regular” (non-private) browsing. In this post, I’ll describe what I consider to be a better way of achieving this, at least on Linux.


Technology Short Take 139

Welcome to Technology Short Take #139! This Technology Short Take is a bit heavy on cloud, OS, and programming topics, but there should be enough other interesting links to be useful to plenty of folks. (At least, I hope that’s the case!) Now, let’s get on to the content!


Using WireGuard on macOS

A short while ago I published a post on setting up WireGuard for AWS VPC access. In that post, I focused on the use of Linux on both the server side (on an EC2 instance in your AWS VPC) as well as on the client side (using the GNOME Network Manager interface). However, WireGuard is not limited to Linux, and I recently configured one of my macOS systems to take advantage of this WireGuard infrastructure for access to the private subnets in my AWS VPC. In this post, I’ll walk readers through configuring macOS to use WireGuard.


Adding a MachineHealthCheck using Kustomize

MachineHealthChecks are a powerful feature in the Kubernetes Cluster API (CAPI), and something I played around with not too long ago on TGIK 143. Recently, I was helping to document the use of kustomize with Cluster API for inclusion in the upstream CAPI documentation, and I learned a simple trick with kustomize that I’d apparently overlooked in the past. If you’ve used kustomize for any great length of time you probably already know and have used the functionality I’ll describe in this post, but if you’re new to kustomize or, like me, a user of kustomize that hasn’t had time to dig into all of its functionality, then read on and see how you can use kustomize to add a MachineHealthCheck to a CAPI workload cluster.


Technology Short Take 138

Welcome to Technology Short Take #138. I have what I hope is an interesting and useful set of links to share with everyone this time around. I didn’t do so well on storage links; apologies to my storage-focused friends! However, there should be something for most everyone else. Enjoy!


Deploying a CNI Automatically with a ClusterResourceSet

Not too long ago I hosted an episode of TGIK8s, where I explored some features of Cluster API. One of the features I explored on the show was ClusterResourceSet, an experimental feature that allows users to automatically install additional components onto workload clusters when the workload clusters are provisioned. In this post, I’ll show how to deploy a CNI plugin automatically using a ClusterResourceSet.


Setting up WireGuard for AWS VPC Access

Seeking more streamlined access to AWS EC2 instances on private subnets, I recently implemented WireGuard for VPN access. WireGuard, if you’re not familiar, is a relatively new solution that is baked into recent Linux kernels. (There is also support for other OSes.) In this post, I’ll share what I learned in setting up WireGuard for VPN access to my AWS environments.


Closing out the Tokyo Assignment

In late 2019, I announced that I would be temporarily relocating to Tokyo for a six-month assignment to build out a team focused on cloud-native services and offerings. A few months later, I was still in Colorado, and I explained what was happening in a status update on the Tokyo assignment. I’ve had a few folks ask me about it, so I thought I’d go ahead and share that the Tokyo assignment did not happen and will not happen.


Technology Short Take 137

Welcome to Technology Short Take #137! I’ve got a wide range of topics for you this time around—eBPF, Falco, Snort, Kyverno, etcd, VMware Code Stream, and more. Hopefully one of these links will prove useful to you. Enjoy!


Technology Short Take 136

Welcome to Technology Short Take #136, the first Short Take of 2021! The content this time around seems to be a bit more security-focused, but I’ve still managed to include a few links in other areas. Here’s hoping you find something useful!


Using Velero to Protect Cluster API

Cluster API (also known as CAPI) is, as you may already know, an effort within the upstream Kubernetes community to apply Kubernetes-style APIs to cluster lifecycle management—in short, to use Kubernetes to manage the lifecycle of Kubernetes clusters. If you’re unfamiliar with CAPI, I’d encourage you to check out my introduction to Cluster API before proceeding. In this post, I’m going to show you how to use Velero (formerly Heptio Ark) to backup and restore Cluster API objects so as to protect your organization against an unrecoverable issue on your Cluster API management cluster.


Details on the New Desk Layout

Over the holiday break I made some time to work on my desk layout, something I’d been wanting to do for quite a while. I’d been wanting to “up my game,” so to speak, with regard to producing more content, including some video content. Inspired by—and heavily borrowing from—this YouTube video, I decided I wanted to create a similar arrangement for my desk. In this post, I’ll share more details on my setup.


Technology Short Take 135

Welcome to Technology Short Take #135! This will likely be the last Technology Short Take of 2020, so it’s a tad longer than usual. Sorry about that! You know me—I just want to make sure everyone has plenty of technical content to read during the holidays. And speaking of holidays…whatever holidays you do (or don’t) celebrate, I hope that the rest of the year is a good one for you. Now, on to the content!


Bootstrapping a Cluster API Management Cluster

Cluster API is, if you’re not already familiar, an effort to bring declarative Kubernetes-style APIs to Kubernetes cluster lifecycle management. (I encourage you to check out my introduction to Cluster API post if you’re new to Cluster API.) Given that it is using Kubernetes-style APIs to manage Kubernetes clusters, there must be a management cluster with the Cluster API components installed. But how does one establish that management cluster? This is a question I’ve seen pop up several times in the Kubernetes Slack community. In this post, I’ll walk you through one way of bootstrapping a Cluster API management cluster.


Some Site Updates

For the last three years, the site has been largely unchanged with regard to the structure and overall function even while I continue to work to provide quality technical content. However, time was beginning to take its toll, and some “under the hood” work was needed. Over the Thanksgiving holiday, I spent some time updating the site, and there are a few changes I wanted to mention.


Older Posts

Find more posts by browsing the post categories, content tags, or site archives pages. Thanks for visiting!