Hi there!
I have been poking around the internals of render when I was setting up our tailscale router. There is not much written about it. From an engineer point of view it is great that you are SOCII and all but it doesn’t help decide if the system isolation is enough for a particular project.
For comparison we have quite a lot of documentation on how AWS ECS Fargate works under the hood and I can trust that the isolation between tenants is fairly tight. I also know the VPC is a complete network isolation between customers, SG ensures network access, etc. I also know that network disk are replicated to multiple AZ. Details that can be important even if I am perfectly happy to use a managed service that just work the rest of the time.
From what I was able to gather each team gets a k8s namespace (which are not known to be super thight out of the box). I also see the full RAM of the node when I run top in a service so I am guessing you are not using firecracker or kata containers. On the network side I figured out the 10.205.0.0 for databases and 10.204.0.0 for services but it is otherwise pretty obscure and latency is sometimes pretty bad (we know cloudflare is in front at least). You guys are working on project network isolation so I imagine this will change stuff. I also saw a lot of disparity in the latency of database operations maybe due to disk IO on which there is no doc.
Anyway a little more transparency/documentation around the internals (k8s setup), details (subnets) and specs (IO/s, replication) would go a long way to increase confidence even if it is bound to change. It also helps me answer the security questionnaires of my customers. I thought the post about the free tier scaling was great, but I am a paying customer (not a big bill but still around 200$/m) so I care about what you do for us much more. I think the blog posts of fly.io are a good benchmark these day on what we like to see as engineers though I would take plain boring design documentation anytime.
Thanks!
