Cloud Infrastructure Challenges

Explore top LinkedIn content from expert professionals.

  • View profile for Deepak Agrawal

    Founder & CEO @ Infra360 | DevOps, FinOps & CloudOps Partner for FinTech, SaaS & Enterprises

    19,475 followers

    Here are the most expensive Kubernetes mistakes (that nobody talks about). I’ve spent 12+ years in DevOps and I’ve seen K8s turn into a money pit when engineering teams don’t understand how infra decisions hit the bill. Not because the team is bad. But because Kubernetes makes it way too easy to burn cash silently. 𝐇𝐞𝐫𝐞 𝐚𝐫𝐞 𝐭𝐡𝐞 𝐫𝐞𝐚𝐥 𝐦𝐢𝐬𝐭𝐚𝐤𝐞𝐬 that don’t show up in your monitoring tools: 1. 𝐎𝐯𝐞𝐫𝐩𝐫𝐨𝐯𝐢𝐬𝐢𝐨𝐧𝐞𝐝 𝐧𝐨𝐝𝐞𝐬 "𝐣𝐮𝐬𝐭 𝐢𝐧 𝐜𝐚𝐬𝐞". Engineers love to play it safe. So they add buffer CPU and memory for traffic spikes that rarely happen. ☠️ What you get: idle nodes running 24/7, racking up your cloud bill. ✓ 𝐅𝐢𝐱: Use vertical pod autoscaling and limit ranges properly. Educate teams on real usage patterns vs. “just in case” setups. 2. 𝐏𝐞𝐫𝐬𝐢𝐬𝐭𝐞𝐧𝐭 𝐯𝐨𝐥𝐮𝐦𝐞𝐬 𝐭𝐡𝐚𝐭 𝐧𝐞𝐯𝐞𝐫 𝐝𝐢𝐞. You delete the app. But the storage stays. Forever. Cloud providers won’t remind you. They’ll just keep billing you. ✓ 𝐅𝐢𝐱: Use “reclaimPolicy: Delete” where safe. And audit your PVs like your AWS bill depends on it. Because it does. 3. 𝐋𝐨𝐠𝐠𝐢𝐧𝐠 𝐞𝐯𝐞𝐫𝐲𝐭𝐡𝐢𝐧𝐠... 𝐚𝐭 𝐞𝐯𝐞𝐫𝐲 𝐥𝐞𝐯𝐞𝐥. Verbose logging might help you debug. But writing 1TB+ of logs daily to expensive storage? That’s just bad economics. ✓ 𝐅𝐢𝐱: Route logs smartly. Don’t store what you won’t read. Consider tiered logging or low-cost storage for historical data. 4. 𝐔𝐬𝐢𝐧𝐠 𝐒𝐒𝐃𝐬 𝐰𝐡𝐞𝐫𝐞 𝐇𝐃𝐃𝐬 𝐰𝐨𝐮𝐥𝐝 𝐝𝐨. Yes, SSDs are fast. But do you really need them for staging environments or batch jobs? ✓ 𝐅𝐢𝐱: Use storage classes wisely. Match performance to actual workload needs, not just default configs. 5. 𝐈𝐠𝐧𝐨𝐫𝐢𝐧𝐠 𝐢𝐧𝐭𝐞𝐫𝐧𝐚𝐥 𝐭𝐫𝐚𝐟𝐟𝐢𝐜 𝐞𝐠𝐫𝐞𝐬𝐬. You’re not just paying for internet egress. Internal service-to-service comms can spike costs, especially in multi-zone clusters. ✓ 𝐅𝐢𝐱: Optimize service placement. Use node affinity and avoid chatty microservices spraying traffic across zones. 6. 𝐍𝐞𝐯𝐞𝐫 𝐫𝐞𝐯𝐢𝐬𝐢𝐭𝐢𝐧𝐠 𝐲𝐨𝐮𝐫 𝐚𝐮𝐭𝐨𝐬𝐜𝐚𝐥𝐞𝐫 𝐜𝐨𝐧𝐟𝐢𝐠𝐬. Initial HPA/VPA configs get set and never touched again. Meanwhile, your workloads have changed completely. ✓ 𝐅𝐢𝐱: Treat autoscaling like code. Revisit, test, and tune configs every sprint. Truth is most K8s cost overruns aren't infra problems. They're visibility problems. And cultural ones. If your engineering teams aren’t accountable for infra spend, it’s just a matter of time before you’re bleeding cash. ♻️ 𝐏𝐋𝐄𝐀𝐒𝐄 𝐑𝐄𝐏𝐎𝐒𝐓 𝐒𝐎 𝐎𝐓𝐇𝐄𝐑𝐒 𝐂𝐀𝐍 𝐋𝐄𝐀𝐑𝐍.

  • View profile for Dan Case

    CTO at CybrIQ | Creator of CrossConnect | Network Intelligence, Layer 1 Hardware Verification, AV/IoT Security

    7,266 followers

    Kubernetes was built by Google for Google. It was designed to run software at massive scale across global data centers. Most companies will never operate at that level, yet they start with the same tooling. The cost shows up immediately. Before shipping anything, teams must make dozens of decisions about configuration, resources, networking, restarts, and deployments. Each decision can fail in subtle ways. Progress slows before customers see value. What used to be a simple deploy becomes pages of fragile setup. When something breaks, it is hard to see why. The problem might live in the code, the container, the node, the scheduler, or the network. Engineers spend more time figuring out where the issue is than fixing it. Clear cause and effect disappears. Team flow suffers too. Someone has to run the platform, so a platform team appears. Developers stop deploying directly. They open tickets and wait. Feedback loops stretch. The system meant to speed delivery quietly adds friction. Costs climb at the same time. Clusters are built for peak traffic, not normal days. Most capacity sits idle, but you still pay for it. That tradeoff makes sense at extreme scale. It does not for most teams. A simpler setup works for many products and is easier to recover when things go wrong. Start with one solid server. Run your app with systemd or basic containers. Keep deployment scripts simple and owned by the same people who write the code. When traffic grows, move to a bigger machine before adding more machines. For reliability, add a second server in a different availability zone or region. Keep it warm or ready to start. Replicate your data using built in database replication or regular backups tested by real restores. Put a basic load balancer or DNS failover in front. If one server goes down, traffic shifts. Recovery is clear and predictable. This approach is boring by design. Fewer moving parts. Fewer places for failure to hide. When something breaks, you know where to look and how to bring it back. Kubernetes is not bad technology. It solves real problems for very large systems. The mistake is starting with that level of complexity when a simpler setup can ship faster, recover more easily, cost less, and keep teams focused on building the product.

  • View profile for Erik Osterman (Cloud Posse)

    DevOps Accelerator 🚀Cloud Posse, LLC (CEO)

    10,294 followers

    Gitpod, a platform with 1.5 million users, has made the decision to move away from Kubernetes after six years of trying to make it work for their cloud development environments (CDEs). Despite exhausting every possible optimization, they ultimately realized Kubernetes wasn’t suited for their unique requirements. Hosting a real-time desktop experience comes with zero tolerance for lag or interruptions caused by pod rescheduling. Unlike traditional stateless or stateful services, this operational model demands an entirely different level of performance and predictability. Gitpod’s thorough write-up dives deep into the challenges they faced, such as: • Complex resource management • Storage performance bottlenecks • Networking limitations with isolation and bandwidth sharing • Security trade-offs required for user flexibility This shift highlights an important lesson: while Kubernetes is a powerful tool for many applications, it’s not a one-size-fits-all solution. Teams often adopt Kubernetes because it’s seen as the “default” choice, only to discover that it doesn’t align with their specific needs. In some cases, a tailored or alternative approach may be the better path, even if it means moving away from an industry standard. For anyone considering Kubernetes, this write-up is a must-read to understand its limitations and whether it fits your use case before making a commitment. https://lnkd.in/g49tz9ax

  • View profile for Arshad Siddieque

    Senior DevSecOps Engineer | Simplifying DevSecOps, Cloud & AI | GenAI, MLOps, Kubernetes & AWS

    4,774 followers

    Kubernetes can scale your app, but it can’t fix the code running inside it. Saw an engineer keep scaling a service that refused to start. Infra was fine. Cluster was fine. The real issue was a small Python import error. This happens a lot. Many DevOps engineers know cloud and Kubernetes well, but get stuck when the failure is inside the application. In modern production, infra skills are only half the job. To keep systems healthy, you need to understand how the app behaves. Not to become a developer. But to debug what actually runs in production. Key skills that matter: • Knowing how startup logic and dependencies load. • Understanding how resource usage links to specific code paths. • Reading stack traces and logs with confidence. • Recognizing how concurrency and I O shape performance. • Telling infra problems apart from application defects. Engineers who master both sides stand out fast. They can scale a service, but they can also trace the code and find the real issue. In an AI driven world, this mixed skill set is essential. Your growth depends on it.

  • View profile for Tobias Schmidt

    AWS Made Simple - Overcoming Cloud Complexity, Trusted by 12k+ Engineers

    21,509 followers

    I assumed my AWS Organizations security was solid. Ran an audit today and found 8 massive gaps 🔥 The biggest one: my CloudTrail wasn't org-wide. One line of config, missed for months. Every member account was completely dark. Here's what I fixed, all in Terraform: • Org-wide CloudTrail is_organization_trail = true. One line. My trail was only watching the management account — 5 member accounts were completely dark. • Read events were off Only write events were logged. Read calls like GetSecretValue, ListBuckets, DescribeInstances — invisible. That's attacker recon territory. • No SCP protecting CloudTrail itself Added an SCP blocking StopLogging, DeleteTrail, UpdateTrail, and PutEventSelectors across all member accounts. • No S3 Object Lock on the trail bucket Trail logs had no tamper protection. Now locked with a 365-day GOVERNANCE window. No deletes, no overwrites. • No region restriction Resources could spin up in any region undetected. Added an SCP limiting to 4 approved regions. • No IAM role alerts CreateRole, AttachRolePolicy, PutRolePolicy — no notifications on any of them. Classic privilege escalation vector, completely silent. • Hit the 5-SCP limit AWS allows 5 SCPs per target including the default FullAWSAccess. Had to consolidate 3 existing policies into 1 to make room. • No Lambda DLQ Security alert notifications could silently fail with no trace. Added an SQS dead-letter queue with 14-day retention. GuardDuty is still missing. That one is next. Manage all of this in Terraform, not the console. Console clicks don't survive multiple accounts and you lose the audit trail on the config itself.

  • View profile for Vivian Voss

    System Architect & Philosopher | Sustainable System Design • Technical beauty emerges from reduction • Root-cause elimination • Wabi-Sabi 侘寂

    7,105 followers

    ✮✮✮ THE INVOICE ✮✮✮ The Kubernetes Tax: What You Actually Pay "But we need container orchestration!" — the argument that turned DevOps into a department. Let's examine what you're actually purchasing. ✮ The Technical Invoice: Kubernetes has 81 distinct resource types. Each with its own YAML schema, lifecycle hooks, and failure modes. Your developers now need to understand Pods, Deployments, StatefulSets, DaemonSets, Services, Ingresses, ConfigMaps, Secrets, PersistentVolumeClaims, NetworkPolicies, and ResourceQuotas — before writing a single line of application code. A "simple" deployment: 200+ lines of YAML across 5-8 files. For one service. That previously ran with `systemctl start myapp`. ✮ The Organisational Invoice: You now need a Platform Team. 2-4 engineers whose entire job is maintaining the platform that runs your actual product. At €80k-120k per engineer, that's €160k-480k annually — before cloud costs. The developers who used to deploy with `git push` now open Jira tickets and wait. "DevOps" became "Dev waits for Ops." Rather defeats the purpose, doesn't it? ✮ The Hidden Invoice: YAML drift. The configuration in Git doesn't match what's running. Nobody knows why. Debugging requires kubectl, stern, k9s, lens, and a prayer. Networking complexity that would make a CCIE weep. Service mesh overhead that adds 5-15ms latency to every internal call. Certificate rotation that fails silently at 3am. Average Kubernetes cluster utilisation: 13%. You're paying for 7.7x the compute you actually use. Splendid. ✮ The Root Cause Nobody Mentions: Kubernetes was built by Google. For Google's scale. For running millions of containers across global data centres. For problems that 99.9% of companies will never have. A startup with 3 services adopted the same orchestration platform as a company processing 8.5 billion daily requests. The tooling equivalent of buying an Airbus A380 to commute to the office. ✮ The Question Nobody Asked: What actually requires container orchestration? A VPS with systemd handles thousands of requests per second. Docker Compose orchestrates multiple services on a single host — without a cluster. FreeBSD jails have provided process isolation since 2000, consuming approximately 0% of your YAML budget. "But what about scaling?" — Vertical scaling exists. A single modern server handles more traffic than most companies will ever see. And when you genuinely need horizontal scaling, perhaps start with two servers and a load balancer rather than a distributed systems PhD programme. Kubernetes solves real problems — for Spotify, Airbnb, and companies genuinely operating at scale. For the other 95%, you're paying Google-grade complexity to run what a €20/month VPS handles perfectly well. The architecture that impresses in interviews rarely ships products efficiently. #TheInvoice #Kubernetes #DevOps #SystemsArchitecture #SoftwareEngineering

  • IAM managed policies cap out at 6,144 characters. Permissions boundaries are worse. One policy, one limit, no way to split it. We were deep in a governance project when we ran straight into this. The obvious fix was wildcards. But introducing wildcards manually in a permissions boundary is risky. One misplaced asterisk and you've quietly expanded access you never intended. So we built a tool instead. IAM-minify takes your policy, uses a Trie algorithm to find safe compression opportunities, and outputs a shorter policy that behaves exactly like the original — no additional permissions granted. A real example: the AWSQuicksightAthenaAccess policy went from 2,280 to 1,719 characters. 25% smaller. Same permissions. Zero manual risk. What I liked about how this got solved wasn't just the result. It was the instinct — the problem was specific, the constraints were real, and the response was to solve it properly rather than cut corners on security. That's what matters when you're embedded inside a client's AWS environment.

  • View profile for Jordan Saunders

    Founder/CEO | Digital Transformation | DevSecOps | Cloud Native

    5,654 followers

    Most multi-account AWS setups grow the same way. One account becomes two. Two becomes five. Then someone is clicking through the console trying to remember which account has which guardrails. Here's how we manage AWS Organizations and SCPs in Terraform so the guardrails stop drifting: The drift starts the first time someone changes an SCP through the console. It works. Nobody documents it. Six months later you're debugging a broken deployment because an SCP is silently blocking an API call. We treat any console-based SCP change as immediate technical debt. First, the misconception worth clearing up: SCPs are a ceiling, not a floor. An SCP that allows s3:* doesn't grant anyone access. It just means S3 access isn't blocked at the org level. IAM still has to permit it. SCPs only restrict. Our OU structure: • DevOps (CI/CD, internal tooling) • Internal Developments (R&D) • Partner (AWS partner accounts) • Sandbox (with spend cap SCP) • Security (logs, locked down) Five SCP patterns we ship on every engagement: 1. Deny root user access on every workload OU 2. Region lockdown with global service exemptions (the NotAction list trap that breaks IAM and STS if you skip it) 3. Deny leaving the organization 4. Protect security tooling (CloudTrail, Config, GuardDuty, Security Hub) with a break-glass IAM role for incidents 5. Sandbox spend cap that blocks expensive instance types at the policy level Before any SCP touches a production OU, four checks: • Run aws accessanalyzer validate-policy on the JSON • Test on an isolated sandbox account first • Run it through the IAM Policy Simulator • Use describe-effective-policy to confirm what actually applies The drift catcher: an EventBridge rule that fires on every Create/Update/Delete/Attach/Detach Policy event. If anyone touches an SCP outside Terraform, an SNS alert fires immediately. SCP changes ship through GitLab CI with manual apply. Every change requires a merge request, a plan output as an MR comment, and sign-off from a tech lead and a senior engineer. Four common mistakes we still see: 1. Removing FullAWSAccess from root. Every account loses access instantly. 2. Incomplete NotAction list. IAM and STS fail in confusing ways. 3. Workloads in the management account. SCPs don't apply there, by design. 4. Blocking iam:CreateRole broadly. Service-Linked Roles fail silently and the errors don't point to the SCP. Full breakdown of the OU structure, the exact SCP JSON, the testing protocol, and the pipeline in this week's newsletter. Read it here: https://lnkd.in/eBPZsZDR Subscribe so you don't miss the next: https://lnkd.in/efpcmnTk

  • View profile for Dr. V Amrutha 🚀👩🏻‍💻

    Operator | Orchestrator | Product, Engineering & AI Transformation Leader | Building & Scaling Digital Platforms Across FinTech, Healthcare & Global Enterprises | Working to align with my higher Self and higher Purpose.

    2,876 followers

    The biggest challenge in cloud-native isn't Kubernetes, microservices, or tooling; that's the decoy. The real challenge lies in operational complexity outpacing human understanding. Cloud-native promised speed, resilience, and scale. However, when implemented poorly, it results in a distributed system where no single person can fully explain how a request travels, fails, or recovers. Debugging becomes akin to archaeology. Let's break it down: First: Cognitive overload. Cloud-native transforms a simple application into containers, services, meshes, pipelines, feature flags, policies, queues, retries, autoscalers, and clouds masquerading as regions. Each component is logical in isolation, but together they exceed the working memory of teams. When issues arise at 2 a.m., the system often knows more than the engineers managing it. Second: False sense of resilience. Teams often assume "Kubernetes will handle it." However, Kubernetes manages scheduling, not poor architecture. A chatty microservice mesh can still fail under load, and retry storms can cascade. Autoscaling can amplify bugs. Cloud-native makes failure survivable only if you design for it intentionally, yet many teams design for demos, not disasters. Third: Observability debt. While logs, metrics, and traces exist, they tend to be fragmented, noisy, and often ineffective under pressure. The issue isn't a lack of data; it's a lack of meaning. Without clear service ownership, golden signals, and causal tracing, observability can become a vanity project rather than a decision-making tool. Fourth: Organizational structure lagging behind architecture. Microservices require autonomous, accountable teams, yet many organizations maintain shared ownership, unclear SLAs, and approval chains that masquerade as governance. Cloud-native exposes weak operating models brutally. Fifth: Cost entropy. Cloud-native systems can drift, expanding like gas when left unchecked. This results in idle capacity, overprovisioned clusters, zombie services, and duplicated pipelines. Costs can leak rather than spike, leading to surprise bills

Explore categories