Alek's Blog
Diagram: an AuthorizationPolicy using ipBlocks reads Envoy's direct_remote_ip (the load balancer), while remoteIpBlocks reads remote_ip (the real client)

Istio AuthorizationPolicy & HTTP/2 Coalescing

Two Istio/Envoy pitfalls: AuthorizationPolicy IP matching (direct_remote_ip vs. remote_ip) and HTTP/2 connection coalescing across per-hostname listeners.

Istio AuthorizationPolicy & HTTP/2 Coalescing
Diagram: the five sovereignty questions arranged as equal spokes around a central sovereignty claim — a checklist, not a ranking

Sovereign-Cloud-Washing: Five Questions

Five questions on jurisdiction, technical access, key control, exit paths, and switching cost to test any 'sovereign cloud' claim beyond marketing. Part 1 of 6.

Sovereign-Cloud-Washing: Five Questions
Blog post cover image

Who Has Access? Humans, Accounts, AI Agents

Kubernetes RBAC, OVH IAM v2, LiteLLM keys, and an AI coding agent compared on documentation, auditing, and technical enforcement of who has access. Part 3 of 6.

Who Has Access? Humans, Accounts, AI Agents
Diagram: three rungs of enforcement — legally-enforced only, technically-enforced at rest, and technically-enforced at rest and in use

Legally vs. Technically Enforced

A framework for telling a legally-enforced sovereignty promise from a technically-enforced one, applied across BYOK, RBAC, and AI-agent access. Part 4 of 6.

Legally vs. Technically Enforced
Blog post cover image

Can You Leave? Data Portability & Egress

Data export formats, API/query-language openness, and egress pricing checked across AWS, GCP, Azure, OVH, and five EU sovereignty offerings. Part 5 of 6.

Can You Leave? Data Portability & Egress
Blog post cover image

Digital Sovereignty: The Complete Guide

Reading guide for a six-part series testing "sovereign cloud" claims against ownership, technology stack, access, enforcement, exit, and switching cost.

Digital Sovereignty: The Complete Guide