KIAM [a Kubernetes IAM API helper] happens to provide short-lived credentials to Pods, which makes sense as it’s fair to assume that the average lifetime of a Pod is shorter than EC2 instances. The default is precisely 15 min. But if you put both defaults together, you have a problem. Each certificate provided to the application has a 15 min expiration time. The AWS Java SDK will force refreshing any certificate with less than 15 min expiration time left. The result is that every request will be forced to refresh the temporary certificate, which requires two calls to the AWS API that add a huge latency penalty to each request. We later found a feature request in the AWS Java SDK that mentions this same issue. The fix was easy. We reconfigured KIAM to request credentials with a longer expiration period. Once this change was applied, requests started being served without involving the AWS Metadata service and returned to an even lower latency than in EC2.
Laura Keunssberg, the Beeb’s inept political editor, manages to make an utter mess of explaining “shitposting”, claiming it’s analogous to “boomer memes”. Inadvertently this introduces the concept of a “skunked term” — ‘a word that becomes difficult to use because it is in the middle of transitioning from one common meaning to another’.