Forwarded from KubeFM
Fernando from SadServers on how he cut his Kubernetes bill from $1,000/month on GKE to $30/month on Hetzner with Edka – a 500% cost reduction for the same capacity.
You will learn:
- Why Kubernetes hasn't delivered on its original promise of cost savings through bin packing – and what it actually provides instead
- A real cost comparison: $1,000/month on GKE vs. $30/month on Hetzner with Edka for the same nominal capacity
- What you need to bring with you (observability, logging, dashboards) when leaving a fully managed cloud provider
Watch (or listen to) it here: https://ku.bz/6nSDbz9m4
This episode is brought to you by LearnKube – get started on your Kubernetes journey through comprehensive online, in-person or remote training. https://learnkube.com/training
With @Birthmarkb
This article shows how to use tofu-controller to manage Terraform resources with GitOps for external systems like Grafana dashboards and HashiCorp Vault policies with continuous reconciliation and automatic drift detection.
More: https://ku.bz/B3y_Zflr7
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 174:
- How We Cut Build Debugging Time by 75% with a DevEx AI Assistant
- We Cut Our Kubernetes Pods by 60% and Doubled Traffic Capacity
- Scaling Django SaaS to 1M Users: Async ORM, Caching, and Horizontal Pods
- Hidden Kubernetes Bad Practices Learned the Hard Way During Incidents
- Kubernetes PKI & Kubelet Credential Abuse: From Popping a Pod to Owning the Cluster
Read it now: https://kube.today/issues/174
This newsletter is brought to you by LearnKube – master Kubernetes with hands-on training designed for engineers who want to learn the smart way. https://ku.bz/hypSbyc-V
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Anthropic
💰 $40.5M to $48.5M a year
From the office in San Francisco, CA, USA
https://ku.bz/wrrnmcjDQ
DevSecOps Engineer with Tailscale
💰 $16.1M to $20.14M a year
Fully remote
https://ku.bz/J9Cs7QBBp
DevSecOps Engineer with Accenture Federal Services
💰 $11.49M to $15.13M a year
Remote from
https://ku.bz/bsl59cPMh
DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
Remote from the United States of America
https://ku.bz/NXd17JHfV
DevSecOps Engineer with Faire
💰 $268K to $368.5K a year
From the office in San Francisco, CA, USA
https://ku.bz/Lt703grhh
Browse 2543 jobs on Kube Careers https://kube.careers
Forwarded from KubeFM
Mike Stefaniak, Head of Product, Kubernetes and Registries at Amazon Web Services (AWS), shares three key trends he's observing at KubeCon that are shaping the future of Kubernetes deployments:
1. How security and trust are becoming critical differentiators in open source projects
2. The resurgence of service mesh communication patterns, particularly around routing models and enabling communication between multiple agents within clusters.
3. The growing need for more sophisticated authorization mechanisms in Kubernetes to handle the actions that AI agents and MCP (Model Context Protocol) tools might take
Watch the full interview: https://ku.bz/PzjrglcZJ
Forwarded from KubeFM
Ron Matsliah from Next Insurance built an AI assistant that cut build debugging time by 75% – combining deterministic rules with AI, delivered straight into Slack.
You will learn:
- Why combining deterministic rules with AI produces better results than letting an LLM guess alone
- How correlating Kubernetes events with build logs catches spot instance terminations that produce misleading errors
- Why integrating into existing workflows and building feedback loops from day one drove adoption
- The prompt engineering lessons learned from testing with real production data instead of synthetic examples
Watch (or listen to) it here: https://ku.bz/PDdYfC00w
This episode is brought to you by LearnKube – get started on your Kubernetes journey through comprehensive online, in-person or remote training. https://learnkube.com/training
With @Birthmarkb
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 175:
- Advanced Kubernetes: Cost-Aware Scheduling for Multi-Cluster Optimization with Custom Metrics
- System Design Series: Scaling Kubernetes Workloads with Vertical Pod Autoscaler
- Service Mesh Patterns: The Invisible Network That Makes Microservices Work
- Troubleshooting Conan: ZFS ARC Container Initialization Slowness
- Developing on Raspberry Pi
Read it now: https://kube.today/issues/175
This newsletter is brought to you by vCluster – join the free livestream on March 19 to learn how to enforce policies across multi-tenant Kubernetes at scale. https://lnkd.in/g7jj-CtZ
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Anthropic
💰 $405K to $485K a year
Remote from the United States of America
https://ku.bz/wrrnmcjDQ
DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
Remote from the United States of America
https://ku.bz/NXd17JHfV
DevSecOps Engineer with Faire
💰 $268K to $368.5K a year
Remote from the United States of America, Canada, the United Kingdom (+1 more)
https://ku.bz/6dD8HVYdT
DevSecOps Engineer with Aurora Innovation
💰 $275K to $352K a year
Hybrid in Seattle, WA, USA
https://ku.bz/xPft28bGc
DevSecOps Engineer with Perplexity
💰 $220K to $405K a year
Fully remote
https://ku.bz/rnYh0TMpt
Browse 3785 jobs on Kube Careers https://kube.careers
Forwarded from KubeFM
Santosh Vallurupalli, Senior Solution Architect at Amazon Web Services, discusses how organizations are solving the tension between rapid container deployments and regulatory compliance requirements.
He explains how policy-as-code tools like OPA, Gatekeeper, and Kyverno enable teams to maintain an application security posture without sacrificing deployment velocity through shift-left strategies that integrate compliance checks directly into CI/CD pipelines, providing real-time alerts when applications fail to meet compliance standards at deployment time.
Watch the full interview: https://ku.bz/pklYlRr80
Forwarded from KubeFM
Landon Clipp built a GPU Containers as a Service platform from scratch – solving multi-tenant GPU isolation with Kata/QEMU, NVLink fabric partitioning, and Cilium network policies.
You will learn:
- Why standard NVIDIA tooling fails in multi-tenant setups, and how PCI topology scanning makes GPUs visible to Kubernetes without kernel drivers
- How to partition the NVLink fabric between tenants using a trusted service VM running Fabric Manager
- What caused 8-GPU VMs to take 30+ minutes to boot, and the fixes that brought it down to minutes
Watch (or listen to) it here: https://ku.bz/jjK_yJTDz
This episode is brought to you by LearnKube – get started on your Kubernetes journey through comprehensive online, in-person or remote training. https://learnkube.com/training
With @Birthmarkb
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 176:
- Go on Kubernetes: Why Your p99 Spikes with CFS CPU Throttling, Quotas, and Go 1.25
- From 10,000 eBPF Events to 1 Alert: Don't Burn the CPU
- Inside a Self-Hosted AI Coding Assistant: Architecture, Kubernetes Deployment, and llama.cpp
- Kubernetes Pod Auto-Scaling: HPA and CDN
- How My Client Hit Linux Kernel Network Limits on AWS EKS
Read it now: https://kube.today/issues/176
This newsletter is brought to you by LearnKube – master Kubernetes with hands-on training designed for engineers who want to learn the smart way. https://ku.bz/hypSbyc-V
Forwarded from KubeFM
Amine Hilaly, Software Development Engineer at Amazon Web Services (AWS), explores the fundamental architectural decision of whether to expose multiple Kubernetes resources through a single higher-level API or manage them individually.
He examines the security implications of giving users access to all deployment fields versus implementing restricted defaults with secure configurations.
Watch the full interview: https://ku.bz/Gq1-34ZN0
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Anthropic
💰 $405K to $485K a year
Remote from the United States of America
https://ku.bz/wrrnmcjDQ
DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
Remote from the United States of America
https://ku.bz/NXd17JHfV
DevSecOps Engineer with Faire
💰 $268K to $368.5K a year
Remote from the United States of America, Canada, the United Kingdom (+1 more)
https://ku.bz/6dD8HVYdT
DevSecOps Engineer with Perplexity
💰 $220K to $405K a year
Fully remote
https://ku.bz/rnYh0TMpt
DevSecOps Engineer with xAI
💰 $180K to $440K a year
Remote from the United States of America
https://ku.bz/R4vBYC5mW
Browse 4557 jobs on Kube Careers https://kube.careers
AgentDiscover Scanner detects autonomous AI agents and Shadow AI in codebases using static analysis for Python and JavaScript, network monitoring for active LLM traffic, and Kubernetes runtime detection via Cilium Tetragon eBPF.
More: https://ku.bz/lCqClc_3w
This case study shows how upgrading to Kubernetes 1.34 caused KIAM pods to fail due to service account token expiration changes, revealing that legacy clients using long-lived tokens now expire after 24 hours instead of 90 days.
More: https://ku.bz/73CpNdNtb
Forwarded from KubeFM
Vincent von Büren was refactoring an old Helm chart when he spotted a debug log line printing a Kubernetes ServiceAccount token to stdout – still running in production.
He decoded it: no audience restrictions, one-year expiry. "My stomach turned. I knew this could be a serious security incident."
In this episode, Vincent breaks down:
- What's actually inside a ServiceAccount JWT
- Why default tokens enable replay attacks
- Projected tokens – the solution that's been available since 1.20, but why most teams haven't switched
- Practical steps to reduce exposure
Watch (or listen to) it here: https://ku.bz/LTnB_Ntbc
This episode is brought to you by LearnKube – comprehensive Kubernetes training. https://learnkube.com/training
With @Birthmarkb
Forwarded from KubeFM
Paul Butler, founder at Jamsocket, shares his team's approach to Role-Based Access Control (RBAC) in Kubernetes.
He explains why they deliberately minimize RBAC usage by leveraging Google Kubernetes Engine's IAM for cluster access and limiting RBAC to essential pod-to-resource permissions.
This approach has proven effective for their 4-person team, showing how small organizations can manage Kubernetes without complex RBAC configurations.
Watch the full episode: https://ku.bz/Dmn93dd7M
Forwarded from KubeFM
60-70% of all Kubernetes exploits start with exposed credentials.
Rodrigo Bersa from AWS lays out the three security concerns every developer should address before going to production:
1. Supply chain security – build from scratch or use hardened base images with zero CVEs from the start.
2. Continuous scanning – a clean image today won't stay clean.
3. Secrets management – Kubernetes secrets are base64-encoded, not encrypted. Store secrets externally (e.g., Secrets Manager) and mount them as volumes. If there's no shell in your image, credentials stay out of reach.
Watch the full interview: https://ku.bz/dB7PDNt0v
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 177:
- What Happens When You Run Java at Scale on Kubernetes
- From Push to Production: Our Deployment Pipeline with Argo CD
- From Minutes to Seconds: How I Eliminated Kubernetes Image Pull Delays
- Nomad on OpenShift: The Case for the Control Plane
- Deep Dive: The Linkerd Destination Service
Read it now: https://kube.today/issues/177
This newsletter is brought to you by Spectro Cloud, helping you scale K8s infrastructure for AI workloads – from cloud to edge. https://ku.bz/JD0dS5lhZ
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Anthropic
💰 $405K to $485K a year
Remote from the United States of America
https://ku.bz/wrrnmcjDQ
DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
Remote from the United States of America
https://ku.bz/NXd17JHfV
DevSecOps Engineer with Faire
💰 $268K to $368.5K a year
Remote from the United States of America, Canada, the United Kingdom (+1 more)
https://ku.bz/6dD8HVYdT
DevSecOps Engineer with Perplexity
💰 $220K to $405K a year
Fully remote
https://ku.bz/rnYh0TMpt
DevSecOps Engineer with xAI
💰 $180K to $440K a year
On-site in Palo Alto, CA, USA, Washington, DC, USA
https://ku.bz/fk6J-Tflt
Browse 5267 jobs on Kube Careers https://kube.careers
Forwarded from KubeFM
Rohit Agrawal from Databricks on replacing Kubernetes networking with a proxy-less, client-side load balancing system and eliminating 20-30% over-provisioning across hundreds of services.
You will learn:
- Why KubeProxy's L4 routing breaks down for gRPC: it picks a backend once per connection, not per request
- How Databricks built an Endpoint Discovery Service that streams real-time pod metadata to every client
- How zone-aware spillover cuts cross-AZ costs without sacrificing availability
- Why CPU-based routing failed and what signals to use instead
Watch (or listen to) it here: https://ku.bz/y803JMhBk
Sponsored by LearnKube – Kubernetes training, online or in-person. https://learnkube.com/training
With @Birthmarkb