Keep the Raccoons Out: Service Mesh, MCP, and Securing Agentic Workloads
With William Morgan, CEO of Buoyant and creator of Linkerd
Linkerd just turned 10, so we brought on the person who built it and coined the term “service mesh” in the first place. William Morgan joins Jonathan and Justin to talk about where service mesh came from, where it’s going, and the very specific kind of chaos that agentic AI is about to unleash on anyone who owns a Kubernetes cluster. The short version: lock your doors, because the raccoons are coming.
“Our job is basically to make Linkerd as boring as possible.”
William traces Linkerd’s origins back to Twitter’s infrastructure work between 2010 and 2014, when a Ruby on Rails monolith turned into a sprawling distributed system — the same problems we have today, just a different decade. As the fifth project ever to join the CNCF, Linkerd has had a front-row seat to the ecosystem’s evolution, and William explains why his actual goal these days is to make it as boring as humanly possible: the kind of dependable infrastructure layer you can trust to still be around in another 90 years. That’s also why he’s not adding AI to Linkerd — an infrastructure layer has to be fast, lightweight, and predictable, and generative AI is the opposite of all three.
“At some point your agentic workload is going to figure out how to delete the production database. And it’s going to try it.”
The heart of the conversation is what the AI wave means for the platform teams who own the clusters. Developers just got an army of AI assistants, and that has real consequences for CI/CD, code quality, and blast radius. William digs into the boundary problem — agentic workloads are untrusted but need access to your most important systems — and why zero trust has suddenly stopped being optional now that the code hitting your database no longer clears peer review and a security committee. Along the way they get into cache-aware routing that can take a 13-second inference call down to one, the still-unsolved mess of agentic identity, and why we keep anthropomorphizing these tools and letting our guard down.
“If you don’t use Linkerd, your data system will be overrun by raccoons.”
Finally, they turn to MCP — building a catalog of MCP servers, detecting tool calls, and adding DLP-style protection in front of the services an agent never sees. But William’s real point is that MCP is something of a red herring for a much older problem: uncontrolled access to your APIs. Whatever protocol you use, once an unconstrained workload is loose in your environment, you need an immune system to keep it in check.
Links and resources:
- Linkerd: linkerd.io
- Buoyant: buoyant.io (free if your company has fewer than 50 employees)
- CNCF: cncf.io
- AI Darwin Awards (worth a doomscroll)
- Find William on LinkedIn, where he welcomes your nasty-grams
The Cloud Pod
Visit thecloudpod.net to subscribe, join our Slack, or sign up for the weekly newsletter. Thanks to William for joining us, and thanks for listening.
