by jiggawatts 1426 days ago
I was just telling a friend that I had an idea for a public cloud:

Management API is Kubernetes only, similar to AKS or EKS.

Networking is IPv6 only, public routeable all the way down to individual pods.

Only entire physical servers can be requested as nodes.

The only other services available are the bare essentials: IPv4 to IPv6 ingress, DNS, key vault, and blob storage.


V6 direct to pod is sort of antithetical to k8s though because you’re exposing an ephemeral endpoint directly to users.

Yeah, most people assume that pods are not exposed to the Internet so you'd probably want to block that. But using GUA addresses for pods is a good idea because it eliminates NAT and overlapping IPs.

Doesn't mean you have to expose it. V6 direct to ClusterIP/LoadBalancerIP/ExternalIP makes more sense and CNIs like Calico have this functionality as a first-class citizen.

Why would you not firewall those off? You could use different subnets for internal traffic and exposed deployments just like you can on IPv4. It's all just a naming scheme more than anything, though it's one which you can make work across firewalls if you disable enough firewall rules on both sides.

Functionally, there's little difference between a private /8 or a DHCPv6 /64 except that you can serve even more hosts.

That's a nice solution for compute, but what about state? PVs and some type of RDS are pretty hard to do without (if you only have ephemeral nodes).

This would be pretty amazing if you could price it right.

I don’t think AWS will maintain its dominance organically forever. Cracks are already showing. There are too many expensive managed services; maybe fine if you have the budget, but for cash starved startups? Maybe a dead simple cloud provider that goes 90% of the way is good enough.

Yeah, I just looked into setting up a private CA to avoid having to store the private key manually, and it’s like $400 per month. I’m just not going to pay that. Comes in cheaper to pay someone to take a USB stick to a bank safe and fetch me that anytime I need to sign a cert…

Having just gone through that for the company I work for, a cloud based HSM that is compliant and attested for the key storage and an API around issuing/revoking/auditing certificates would cost a lot more.

So you're not paying for the private key storage, you could do that in AWS KMS for like $1/month. You're paying for the CA API.

But what if I don’t even need a HSM, but just somebody to store a CA certificate for me? Even if they just put it onto some storage and encrypt it with a KMS key, that’s more than enough for a vast amount of use cases. I don’t need government grade security. I just have some internal services that need to use a trusted certificate, and don’t want to maintain a server with storage myself, just for that.

I could build that service in a weekend(tm)!

So encrypt it with KMS and store it in S3.

Can't you achieve that in all major cloud providers?
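The "encrypt it with KMS and store it in S3" pattern the last few comments settle on is envelope encryption: the KMS key never leaves the KMS, a fresh data key encrypts the CA private key, and the wrapped data key travels with the ciphertext in the blob store. The program below is an added example written for this page, not code from any commenter or cloud provider. It replaces the real KMS and S3 with an in-memory stand-in (`fakeKMS`, `blobStore`) so it runs offline; the key material and object names are constructed sample values. It also shows the two checks a practitioner would want from such a setup: the encryption context binds the data key to one object and purpose, and the AES-GCM tag means a modified blob is rejected rather than silently decrypted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// fakeKMS is a stand-in (assumption) for a cloud KMS: the key-encryption key
// (KEK) lives only here, and callers get data keys in plaintext + wrapped form,
// mirroring a GenerateDataKey/Decrypt style of API without any network call.
type fakeKMS struct{ kek []byte }

func newFakeKMS() (*fakeKMS, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &fakeKMS{kek: kek}, nil
}

// sealAESGCM encrypts with a random 96-bit nonce prepended to the output;
// aad is authenticated but not encrypted (used for the encryption context).
func sealAESGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openAESGCM reverses sealAESGCM; any change to nonce, ciphertext or aad
// makes the tag check fail and returns an error instead of plaintext.
func openAESGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// GenerateDataKey returns a fresh 256-bit DEK and the same DEK wrapped by the KEK.
func (k *fakeKMS) GenerateDataKey(ctx []byte) (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = rand.Read(plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = sealAESGCM(k.kek, plain, ctx)
	return plain, wrapped, err
}

// UnwrapDataKey only succeeds when the same encryption context is presented.
func (k *fakeKMS) UnwrapDataKey(wrapped, ctx []byte) ([]byte, error) {
	return openAESGCM(k.kek, wrapped, ctx)
}

// Envelope is the object that actually lands in blob storage.
type Envelope struct {
	WrappedDEK []byte
	Ciphertext []byte
}

// blobStore is a stand-in (assumption) for S3 / blob storage.
type blobStore map[string]Envelope

func contextFor(name string) []byte {
	return []byte("purpose=ca-signing-key;object=" + name)
}

// StoreCAKey wraps a PEM-encoded private key under a per-object data key.
func StoreCAKey(kms *fakeKMS, store blobStore, name string, keyPEM []byte) error {
	ctx := contextFor(name)
	dek, wrapped, err := kms.GenerateDataKey(ctx)
	if err != nil {
		return err
	}
	ct, err := sealAESGCM(dek, keyPEM, ctx)
	for i := range dek {
		dek[i] = 0 // drop the plaintext DEK as soon as it is no longer needed
	}
	if err != nil {
		return err
	}
	store[name] = Envelope{WrappedDEK: wrapped, Ciphertext: ct}
	return nil
}

// LoadCAKey unwraps the data key via the KMS and decrypts the stored object.
func LoadCAKey(kms *fakeKMS, store blobStore, name string) ([]byte, error) {
	env, ok := store[name]
	if !ok {
		return nil, errors.New("no such object")
	}
	ctx := contextFor(name)
	dek, err := kms.UnwrapDataKey(env.WrappedDEK, ctx)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	defer func() {
		for i := range dek {
			dek[i] = 0
		}
	}()
	return openAESGCM(dek, env.Ciphertext, ctx)
}

// RoundTrip stores a constructed sample key, reads it back, then flips one
// ciphertext bit to confirm a tampered blob is rejected.
func RoundTrip() (intact bool, tamperRejected bool, err error) {
	kms, err := newFakeKMS()
	if err != nil {
		return false, false, err
	}
	store := blobStore{}
	const name = "internal-ca/key.pem"
	// Constructed placeholder, not a real key.
	keyPEM := []byte("-----BEGIN EC PRIVATE KEY-----\nCONSTRUCTED-SAMPLE-NOT-A-KEY\n-----END EC PRIVATE KEY-----\n")
	if err = StoreCAKey(kms, store, name, keyPEM); err != nil {
		return false, false, err
	}
	got, err := LoadCAKey(kms, store, name)
	if err != nil {
		return false, false, err
	}
	intact = bytes.Equal(got, keyPEM)
	env := store[name]
	env.Ciphertext[len(env.Ciphertext)-1] ^= 0x01 // corrupt the GCM tag
	store[name] = env
	_, tamperErr := LoadCAKey(kms, store, name)
	tamperRejected = tamperErr != nil
	return intact, tamperRejected, nil
}

func main() {
	intact, rejected, err := RoundTrip()
	fmt.Printf("intact=%v tamperRejected=%v err=%v\n", intact, rejected, err)
}
```

With a real provider the `fakeKMS` methods become the KMS data-key and decrypt calls and `blobStore` becomes a bucket; the shape stays the same. The important operational detail the stand-in preserves is that whoever can read the bucket still cannot recover the CA key without a decrypt grant on the KMS key, so bucket access and KMS key policy are two separate places to apply least privilege and to audit.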