Glossary
Look up terms used across cloud, DevOps, and SRE concepts. Each term links to the concept where it's explained.
A
- ABAC
Attribute-Based Access Control: authorization decisions based on attributes of the user, resource, and context (e.g. department, time, location).
See also: RBAC
- ACL
Access Control List: a list of permissions attached to a resource specifying who can perform which actions.
See also: RBAC, IAM
- admission controller
A plugin that intercepts API server requests after authentication but before persistence; used for validation, mutation, and policy enforcement.
See also: OPA, Kyverno, Kubernetes
- API Gateway
A service that sits in front of APIs to handle routing, auth, rate limiting, and monitoring.
See also: load balancer, reverse proxy
- artifact
A build output (e.g. JAR, container image) produced by a pipeline and stored for deployment.
See also: CI/CD, pipeline
- authentication
Verifying who someone is (identity), e.g. via password, MFA, or federated identity.
See also: authorization, JWT, OAuth
- authorization
Deciding what an authenticated user or service is allowed to do (permissions).
See also: RBAC, ABAC, authentication
- AuthorizationPolicy
Istio CRD for L7 RBAC: allow or deny requests based on source principal (SPIFFE ID), namespace, path, method, or JWT claims.
See also: PeerAuthentication, RBAC, mTLS
- availability zone
A physically separate data center within a region; used for redundancy and high availability.
See also: region, high availability
B
- blameless postmortem
A post-incident review focused on systems and process, not individuals, to learn and improve.
See also: SRE, incident response
- blue-green deployment
Two identical environments (blue and green); switch traffic from one to the other for releases.
See also: deployment strategy, failover
- branch
A parallel line of development in Git; used for features, fixes, or experiments.
See also: merge, commit, Git
C
- caching
Storing copies of data or responses closer to the consumer to reduce latency and load on the source.
See also: CDN, cache invalidation
- canary deployment
Rolling out a new version to a small subset of traffic first, then expanding if healthy.
See also: deployment strategy, rolling
- CAP theorem
In a distributed system under network partition, you cannot guarantee both consistency and availability at the same time.
See also: consistency, availability
- CDN
Content Delivery Network: distributed edge caches that serve static or dynamic content closer to users.
See also: caching, edge
- CI/CD
Continuous Integration and Continuous Delivery/Deployment: automate build, test, and release of software.
See also: pipeline, deployment
- CIDR
Classless Inter-Domain Routing: notation for IP ranges (e.g. 10.0.0.0/16) used in networking.
See also: subnet, VPC
- CNI
Container Network Interface: a plugin standard for Kubernetes pod networking (e.g. Calico, Cilium, Flannel) that assigns IPs and configures routes.
See also: pod, network policy, Kubernetes
- commit
A snapshot of changes in Git with a unique hash; the unit of history.
See also: branch, Git
- ConfigMap
Kubernetes object storing non-sensitive key-value config that can be injected into pods as environment variables or mounted files.
See also: Secret, Pod
- container
A lightweight, isolated runtime environment that shares the host OS kernel; packages app and dependencies.
See also: Docker, Kubernetes
- CRD
Custom Resource Definition: extends the Kubernetes API with new resource types without modifying the core codebase.
See also: Operator, Kubernetes, API
D
- DaemonSet
Ensures one Pod runs on every (or selected) node; used for log collectors, monitoring agents, and CNI plugins.
See also: Pod, CNI, Kubernetes
- Deployment
A Kubernetes workload resource that manages ReplicaSets for stateless apps, enabling declarative rollouts, rollbacks, and scaling.
See also: ReplicaSet, Pod, StatefulSet
- deployment strategy
How you roll out new versions: rolling, blue-green, canary, etc., to minimize risk.
See also: CI/CD, release
- DestinationRule
Istio CRD defining traffic policy after routing: load balancing algorithm, connection pool limits, circuit breaker, and mTLS mode per subset.
See also: VirtualService, circuit breaker, mTLS
- disaster recovery
Plans and systems to restore services after a major outage or data loss (RTO, RPO).
See also: RTO, RPO, high availability
- Docker
A platform for building, shipping, and running containers; uses images and Dockerfile.
See also: container, Kubernetes
E
- Envoy
High-performance L7 proxy written in C++ used as Istio's sidecar and gateway; configurable via xDS APIs.
See also: istiod, xDS, sidecar
- error budget
The allowed amount of unreliability (e.g. 0.1% downtime) before pausing feature work to focus on reliability.
See also: SLO, SLI, SRE
- etcd
The distributed key-value store that is Kubernetes' source of truth; uses Raft consensus to guarantee consistency.
See also: Raft, Kubernetes, cluster
F
- failover
Switching to a backup system when the primary fails; part of high availability and DR.
See also: redundancy, RTO
G
- Gateway
Istio CRD that configures an Envoy proxy at the mesh boundary (ingress or egress) to accept or forward external traffic.
See also: VirtualService, ServiceEntry, Envoy
- Git
A distributed version control system for tracking changes in source code and collaborating.
See also: branch, merge, commit
- git-flow
A Git branching model with long-lived develop and release branches plus main.
See also: trunk-based development, branch
- GitOps
Managing infrastructure and app config via Git as the source of truth; automated sync (e.g. pull-based).
See also: CI/CD, infrastructure as code
H
- high availability
Designing systems to stay up despite failures (redundancy, health checks, failover).
See also: redundancy, failover, SLA
- HPA
Horizontal Pod Autoscaler: scales the number of pod replicas based on CPU, memory, or custom metrics.
See also: VPA, Deployment, metrics
I
- IAM
Identity and Access Management: policies and roles that define who can do what on which resources.
See also: RBAC, policy
- incident
An event that causes or may cause a disruption to service; often triaged and resolved via runbooks.
See also: postmortem, SRE
- infrastructure as code
Defining and managing infrastructure (servers, networks, etc.) in code and version control.
See also: Terraform, GitOps
- istiod
Istio's unified control plane daemon (merges Pilot, Citadel, and Galley); pushes xDS config to sidecars and manages certificates.
See also: Envoy, xDS, sidecar
J
- JWT
JSON Web Token: a compact, signed token used to represent claims (e.g. identity) between parties.
See also: OAuth, authentication
K
- kube-proxy
Node agent that programs iptables/IPVS rules to route traffic to Service virtual IPs across the cluster.
See also: Service, iptables, Kubernetes
- kubelet
The node agent in Kubernetes that ensures containers described in PodSpecs are running and healthy; reports node status to the API server.
See also: Pod, kube-apiserver, node
- Kubernetes
An orchestration platform for containers: deploys, scales, and manages containerized workloads.
See also: container, pod, Deployment
L
- least privilege
Granting only the minimum permissions needed for a role or user to do their job.
See also: RBAC, IAM
- load balancer
Distributes incoming traffic across multiple targets to improve availability and scalability.
See also: high availability, API Gateway
M
- merge
Combining changes from one branch into another (e.g. feature branch into main).
See also: branch, Git
- metric
A numeric measure of system or app behavior (e.g. request rate, error rate, latency).
See also: SLI, monitoring
- MFA
Multi-Factor Authentication: requiring more than one factor (e.g. password + code) to sign in.
See also: authentication, 2FA
- microservices
An architecture where the application is split into small, loosely coupled services.
See also: API, service mesh
- mTLS
Mutual TLS: both the client and server present certificates and verify each other's identity; Istio automates this for all in-mesh traffic.
See also: SPIFFE, PeerAuthentication, zero trust
N
- Namespace
A logical isolation boundary within a Kubernetes cluster; scopes resources, RBAC, and network policies.
See also: RBAC, network policy, Kubernetes
O
- OAuth
An authorization framework that lets users grant limited access to their resources without sharing passwords.
See also: JWT, authentication
- observability
Understanding system behavior from outputs: logs, metrics, traces, and alerts.
See also: monitoring, SLO
- Operator
A Kubernetes pattern combining a CRD + controller to automate domain-specific operational tasks (e.g. database backups, Istio config).
See also: CRD, controller, Kubernetes
P
- PeerAuthentication
Istio CRD controlling the mTLS mode (STRICT, PERMISSIVE, DISABLE) applied to inbound connections for a namespace or workload.
See also: mTLS, AuthorizationPolicy, SPIFFE
- PersistentVolume
A piece of storage in the cluster provisioned by an admin or dynamically; claimed by pods via PersistentVolumeClaims.
See also: StatefulSet, StorageClass
- pipeline
An automated sequence of steps (build, test, deploy) triggered by code changes.
See also: CI/CD, artifact
- pod
The smallest deployable unit in Kubernetes; one or more containers that share network and storage.
See also: Kubernetes, container
- Pod
The smallest deployable unit in Kubernetes: one or more containers that share a network namespace, IP address, and storage volumes.
See also: Deployment, ReplicaSet, Kubernetes
- postmortem
A written review after an incident to document what happened, cause, and follow-up actions.
See also: blameless postmortem, incident
R
- Raft
Consensus algorithm used by etcd: elects a single leader per term and replicates a write-ahead log to followers before committing entries.
See also: etcd, quorum, distributed system
- rate limiting
Restricting how many requests a client can make in a time window to protect the service.
See also: API Gateway, DDoS
- RBAC
Role-Based Access Control: permissions assigned to roles; users get permissions by being assigned roles.
See also: ABAC, IAM
- region
A geographic area where a cloud provider runs data centers; choose for latency and compliance.
See also: availability zone, disaster recovery
- ReplicaSet
Ensures a specified number of Pod replicas are running at all times; normally managed by a Deployment.
See also: Deployment, Pod
- REST
Representational State Transfer: an architectural style for APIs using HTTP methods and resource URLs.
See also: API, HTTP
- reverse proxy
A server that sits in front of backends and forwards client requests; can do SSL, caching, routing.
See also: load balancer, API Gateway
- RPO
Recovery Point Objective: maximum acceptable amount of data loss (e.g. 15 minutes) after a disaster.
See also: RTO, backup
- RTO
Recovery Time Objective: maximum acceptable time to restore service after an outage.
See also: RPO, failover
- runbook
Documented steps to perform common operations or respond to incidents.
See also: incident, SRE
S
- secret
Sensitive data (passwords, keys) stored and accessed securely; never in plain text in code.
See also: authentication, security
- security group
A firewall-like rule set that controls inbound and outbound traffic for cloud resources.
See also: VPC, subnet
- service mesh
Infrastructure layer that manages service-to-service communication (mTLS, observability, routing).
See also: microservices, observability
- ServiceEntry
Istio CRD that registers an external service (outside the mesh) so Istio can apply traffic management and policy to egress traffic.
See also: Gateway, VirtualService, egress
- shift left
Addressing security (or quality) earlier in the lifecycle, e.g. in design and CI, not only in production.
See also: security, CI/CD
- sidecar
An Envoy proxy container injected alongside every application container; intercepts all inbound and outbound traffic transparently via iptables.
See also: Envoy, istiod, mTLS
- SLA
Service Level Agreement: a commitment to a level of service (e.g. 99.9% uptime) with consequences if not met.
See also: SLO, SLI
- SLI
Service Level Indicator: a quantitative measure of service health (e.g. availability, latency).
See also: SLO, error budget
- SLO
Service Level Objective: a target value or range for an SLI (e.g. 99.9% availability).
See also: SLI, error budget, SRE
- SPIFFE
Secure Production Identity Framework for Everyone: an open standard for workload identity using X.509 SVIDs (spiffe://trust-domain/path).
See also: mTLS, istiod, SVID
- SRE
Site Reliability Engineering: applying software engineering to operations and reliability (SLOs, automation, postmortems).
See also: SLO, toil, error budget
- stateful
A workload that stores persistent data or session state; harder to scale than stateless.
See also: stateless, redundancy
- StatefulSet
Kubernetes workload for stateful apps; provides stable network IDs, ordered deployment, and persistent volume claims per replica.
See also: Deployment, PersistentVolume, pod
- stateless
A workload that does not store client state between requests; easier to scale and replicate.
See also: stateful, scalability
- subnet
A segment of a VPC or network with its own IP range; used to isolate or group resources.
See also: VPC, CIDR
T
- Terraform
An infrastructure-as-code tool that uses declarative config to provision and manage cloud resources.
See also: infrastructure as code, GitOps
- toil
Manual, repetitive work that scales with the size of the system; SRE aims to eliminate or automate it.
See also: SRE, automation
- trace
A record of a request as it flows through multiple services; used for distributed debugging.
See also: metric, logging
- trunk-based development
A branching strategy with a single main branch and short-lived feature branches; frequent integration.
See also: Git, CI/CD, git-flow
V
- VirtualService
Istio CRD that defines routing rules: traffic weights, header matching, retries, timeouts, and fault injection for a destination.
See also: DestinationRule, Gateway, Istio
- VPC
Virtual Private Cloud: an isolated network in the cloud where you place compute and data resources.
See also: subnet, security group
X
- xDS
A family of discovery APIs (LDS, RDS, CDS, EDS) that istiod uses to push listener, route, cluster, and endpoint config to Envoy proxies.
See also: Envoy, istiod, LDS
Z
- zero trust
Security model that assumes the network is hostile; verify every request and grant least privilege.
See also: authentication, authorization, security