Emre Cavunt — Principal Engineer

Platform engineering, identity & applied AI.

I set technical direction for Sky's multi-tenant AdTech platform and the Applied AI that runs on it. Previously Co-Founder & Head of Engineering at Syntonym; privacy / GAN anonymisation on cloud + edge GPU. On the side I'm building Life sciences with Applied AI for healthcare at Asklepion Health.

01

Start here

Not the newest. The ones I'd hand a senior engineer first.

F01 · cornerstone

Authentication 101: A Complete Guide to Modern Identity Methods

Authentication gets easier when you separate login, delegated access, SSO, and workload identity. This guide shows where each one fits.

#Security #Authentication #OAuth2
22 min
F02 · deep dive

Multi-Tenant Observability: LGTM at Platform Scale

Your tenants want dashboards. Your security team wants isolation. Your SREs want a single pane of glass. Here is how to build all three with the LGTM stack.

#Kubernetes #Observability #Platform-Engineering
8 min
F03 · the pattern

AI Tool Gateways: Sandboxing Agent Access in Kubernetes

AI agents have unlimited ambition and undefined access boundaries. You have sandboxed everything else. Here is how to sandbox your agents too.

#Security #Software-Development #Kubernetes
9 min
02

Latest writing

Long-form, most recent first.

2026-06-22

Observing LLM Inference: The Metrics That Actually Matter

TTFT is your SLO, not throughput. Here is what to measure for LLM inference, and what Google ADK, LangChain, and LangGraph give you out of the box.

#Observability #Software-Development #Platform-Engineering
8 min
2026-06-15

Network Control with Cilium and Kyverno: Policies That Actually Work

Network policies in most Kubernetes clusters are cargo cult. Teams write them, Kubernetes accepts them, and nothing changes. Cilium actually enforces them — and shows you the traffic.

#Kubernetes #Security #Platform-Engineering
8 min
2026-06-13

Keyless GCP Secrets in GitHub Actions: Workload Identity, Scoped to One Secret

Drop the service-account JSON key. Federate GitHub Actions into GCP with OIDC, then scope the service account to read one named secret — not the whole project.

#GCP #Security #CI-CD
9 min
03

Field notes

Short-form: the gotchas and configs worth keeping, logged before they're forgotten.

2026-05-28

kubectl can sort by anything in the object

Stop eyeballing pod age. --sort-by takes any JSONPath, so you can rank by restart count and surface the flapping pod immediately.

#kubernetes #tools
2026-05-19

Go 1.22's http.ServeMux finally does method routing

You can drop the third-party router for most services now. mux.HandleFunc("POST /items/{id}", h) gives you path params and method matching in the standard library — one fewer dependency to patch.

#golang #til
2026-05-11

Workload Identity beats a mounted key, even for "just a cron"

If a job touches a cloud API, it can use federation. There's no traffic too small to justify a long-lived service-account key sitting on disk waiting to leak. The cron is exactly the thing nobody rotates.

#gcp #security
2026-05-02

The fastest observability win is one well-placed exemplar

Trace exemplars on your latency histogram turn "p99 is bad" into "here's the exact slow request." Wire them before you add another dashboard nobody reads.

#observability