Yes, it is the holy grail. Yes, the documentation is a bit spotty in some cases. We've been using Kubernetes in GCE for about 1 year. We run both interactive services and batch jobs in 2 clusters: dev and production. The production cluster runs fully with declarative configs (we have a Jenkins instance that performs the deployments of committed k8s configs). There are a couple of features that we are missing: (pod anti-affinity now in 1.6) and better support for storage. But in general Kubernetes has the right concepts for running services, imho. We have 0 ops people.
Our clusters run on large VMs with 10s of pods in the same VM. We can get high cpu/mem utilization; resilience to failures; logging; monitoring (via Prometheus - GCE/Stackdriver is awful). I don't think there is anything out there that comes close in terms of supporting the right abstractions and being ready to use in production.
We aren't anywhere close to using it in production yet, but my impression so far is to agree with you. Every single use case or weird requirement I've made up so far has had an answer, or had a solution in at least the proposal phase.
Yes. It may not cover some of the most recent advances (e.g. deep learning) but it lays the foundations required to understand them. Besides, it is really really accessible. And fun. I enjoyed taking the class.
We use it in conjunction with kubernetes service proxy https://github.com/pedro-r-marques/k8s-service-proxy to access all of our internal services and debug ports deployed in the k8s/GKE cluster. oauth2 proxy authenticates; service discovery in k8s means that we can keep publishing apps. We don't use fine-grained ACLs... but I guess that we could if we wanted to.
As others have mentioned there are multiple options. If you want micro-segmentation (one network per app-tier) with fine-grain access control you can use the OpenContrail plugin https://github.com/Juniper/contrail-kubernetes. It has the added advantage that you have a tenant network span k8s, openstack, vlans, or anything else you can plug into a reasonable mid-tier router.
[Disclosure: I'm currently working on this project]
Hmm, not talking about the content provider. I am saying if I am an author who was publishing something under anonymity and I assumed I was anonymous because I "cleared my cookies/Enabled Do Not Track settings" during the publication of the material - only to discover that my cookies had been circumvented via permacookie by a commercial entity - is my "moral right" of anonymity now gone? Could I claim the permacookie method was a circumvention under the DMCA?
There is no "moral right of anonymity" in copyright law. Even supposing there was, de-anonymizing you would not violate anything in the DMCA. The anti-circumvention section prohibits circumventing technical access control measures, not circumventing "rights" in general. Circumventing the rights that copyright law does provide an author is just called copyright infringement.
My guess is that the "entrepreneurial" solution here would be a combination of:
- A browser that doesn't support cookies and provides the server with a client controlled session-id (perhaps a user-id also).
- Only uses SSL sessions to avoid middle-box injection of HTML headers (this still leaves the provider with the ability to inject data as IP options / TCP headers).
- A micropayment solution that allows content providers to get revenue from content rather than ads.
| A micropayment solution that allows content providers to get revenue from content rather than ads.
Even if this were popular, you'd still be tracked because it makes money. Really, so few people care about this deeply I don't think it will be solved. Sure, everyone hates it, but no one will switch carriers over it.
We are working on a browser (https://gngr.info) that supports cookies but doesn't enable them by default for all websites. We also don't enable JavaScript by default. User needs to enable these on a per-site basis. Enabling for all sites at once is also possible if the user so wishes.
In the near future, we also want to support HTTPS-only sessions (opt-in to begin with and opt-out once HTTPS becomes more commonly deployed).
About micropayments, there are many. Flattr comes to mind. But I am sure there are more.
Why was this downvoted? It seems like a productive contribution to the conversation—in fact, it's a direct response to another user's question. I can imagine plenty of technical objections, but it seems that they should be made via responses, not downvotes.
EFF is working on an "HTTP Nowhere" option for HTTPS Everywhere, which only allows HTTPS connections. On Firefox there already is an HTTP Nowhere addon from someone else.
But as others have said, it's probably easier to just use Tor.
OpenContrail can be used as an overlay network for docker: the overlay is implemented as a kernel module and comes very close to the theoretical maximum iperf performance on a server with 2x10G links.
This script https://github.com/pedro-r-marques/opencontrail-netns/blob/m... can be used to associate any docker container created with "--net=none" with an overlay network. Better yet you get all the semantics of the OpenStack neutron API: floating-ip, dhcp options, source-nat, LBaaS.
The kernel module also collects flow records of all the traffic and there is a web-ui that can display the analytics of all the traffic flows in your network.
Install guide: https://github.com/Juniper/contrail-controller/wiki/OpenCont...
Support on freenode.net #opencontrail.