Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 176:
- Go on Kubernetes: Why Your p99 Spikes with CFS CPU Throttling, Quotas, and Go 1.25
- From 10,000 eBPF Events to 1 Alert: Don't Burn the CPU
- Inside a Self-Hosted AI Coding Assistant: Architecture, Kubernetes Deployment, and llama.cpp
- Kubernetes Pod Auto-Scaling: HPA and CDN
- How My Client Hit Linux Kernel Network Limits on AWS EKS
Read it now: https://kube.today/issues/176
This newsletter is brought to you by LearnKube: master Kubernetes with hands-on training designed for engineers who want to learn the smart way https://ku.bz/hypSbyc-V
Forwarded from KubeFM
Amine Hilaly, Software Development Engineer at Amazon Web Services (AWS), explores the fundamental architectural decision of whether to expose multiple Kubernetes resources through a single higher-level API or manage them individually.
He examines the security implications of giving users access to all deployment fields versus implementing restricted defaults with secure configurations.
Watch the full interview: https://ku.bz/Gq1-34ZN0
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Anthropic
$405K to $485K a year
Remote from the United States of America
https://ku.bz/wrrnmcjDQ
DevSecOps Engineer with OpenAI
$364.5K to $490K a year
Remote from the United States of America
https://ku.bz/NXd17JHfV
DevSecOps Engineer with Faire
$268K to $368.5K a year
Remote from the United States of America, Canada, the United Kingdom (+1 more)
https://ku.bz/6dD8HVYdT
DevSecOps Engineer with Perplexity
$220K to $405K a year
Fully remote
https://ku.bz/rnYh0TMpt
DevSecOps Engineer with xAI
$180K to $440K a year
Remote from the United States of America
https://ku.bz/R4vBYC5mW
Browse 4557 jobs on Kube Careers https://kube.careers
AgentDiscover Scanner detects autonomous AI agents and Shadow AI in codebases using static analysis for Python and JavaScript, network monitoring for active LLM traffic, and Kubernetes runtime detection via Cilium Tetragon eBPF.
More: https://ku.bz/lCqClc_3w
This case study shows how upgrading to Kubernetes 1.34 caused KIAM pods to fail due to service account token expiration changes, revealing that legacy clients using long-lived tokens now expire after 24 hours instead of 90 days.
More: https://ku.bz/73CpNdNtb
Forwarded from KubeFM
Vincent von Büren was refactoring an old Helm chart when he spotted a debug log line printing a Kubernetes ServiceAccount token to stdout, still running in production.
He decoded it: no audience restrictions, one-year expiry. "My stomach turned. I knew this could be a serious security incident."
In this episode, Vincent breaks down:
- What's actually inside a ServiceAccount JWT
- Why default tokens enable replay attacks
- Projected tokens: the solution that's been available since 1.20, and why most teams haven't switched
- Practical steps to reduce exposure
Watch (or listen to) it here: https://ku.bz/LTnB_Ntbc
This episode is brought to you by LearnKube: comprehensive Kubernetes training. https://learnkube.com/training
With @Birthmarkb
Forwarded from KubeFM
Paul Butler, founder at Jamsocket, shares his team's approach to Role-Based Access Control (RBAC) in Kubernetes.
He explains why they deliberately minimize RBAC usage by leveraging Google Kubernetes Engine's IAM for cluster access and limiting RBAC to essential pod-to-resource permissions.
This approach has proven effective for their 4-person team, showing how small organizations can manage Kubernetes without complex RBAC configurations.
Watch the full episode: https://ku.bz/Dmn93dd7M
Forwarded from KubeFM
60-70% of all Kubernetes exploits start with exposed credentials.
Rodrigo Bersa from AWS lays out the three security concerns every developer should address before going to production:
1. Supply chain security: build from scratch or use hardened base images with zero CVEs from the start.
2. Continuous scanning: a clean image today won't stay clean.
3. Secrets management: Kubernetes secrets are base64-encoded, not encrypted. Store secrets externally (e.g., Secrets Manager) and mount them as volumes. If there's no shell in your image, credentials stay out of reach.
Watch the full interview: https://ku.bz/dB7PDNt0v
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 177:
- What Happens When You Run Java at Scale on Kubernetes
- From Push to Production: Our Deployment Pipeline with Argo CD
- From Minutes to Seconds: How I Eliminated Kubernetes Image Pull Delays
- Nomad on OpenShift: The Case for the Control Plane
- Deep Dive: The Linkerd Destination Service
Read it now: https://kube.today/issues/177
This newsletter is brought to you by Spectro Cloud, helping you scale K8s infrastructure for AI workloads, from cloud to edge https://ku.bz/JD0dS5lhZ
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Anthropic
$405K to $485K a year
Remote from the United States of America
https://ku.bz/wrrnmcjDQ
DevSecOps Engineer with OpenAI
$364.5K to $490K a year
Remote from the United States of America
https://ku.bz/NXd17JHfV
DevSecOps Engineer with Faire
$268K to $368.5K a year
Remote from the United States of America, Canada, the United Kingdom (+1 more)
https://ku.bz/6dD8HVYdT
DevSecOps Engineer with Perplexity
$220K to $405K a year
Fully remote
https://ku.bz/rnYh0TMpt
DevSecOps Engineer with xAI
$180K to $440K a year
On-site in Palo Alto, CA, USA, Washington, DC, USA
https://ku.bz/fk6J-Tflt
Browse 5267 jobs on Kube Careers https://kube.careers
Forwarded from KubeFM
Rohit Agrawal from Databricks on replacing Kubernetes networking with a proxy-less, client-side load balancing system and eliminating 20-30% over-provisioning across hundreds of services.
You will learn:
- Why KubeProxy's L4 routing breaks down for gRPC: it picks a backend once per connection, not per request
- How Databricks built an Endpoint Discovery Service that streams real-time pod metadata to every client
- How zone-aware spillover cuts cross-AZ costs without sacrificing availability
- Why CPU-based routing failed and what signals to use instead
Watch (or listen to) it here: https://ku.bz/y803JMhBk
Sponsored by LearnKube: Kubernetes training, online or in-person. https://learnkube.com/training
With @Birthmarkb
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 178:
- Kubernetes Remote Code Execution via nodes/proxy Get Permission
- Aetòs: From Chaos to Engineering Excellence - A 3-Year Transformation
- Kubernetes v1.35: Extended Toleration Operators to Support Numeric Comparisons
- Reducing Complexity By Migrating from K8S to ECS Fargate for NetworkLessons
- Database State Management in Kubernetes: Running SQL Server on AKS with GitOps
Read it now: https://kube.today/issues/178
This newsletter is brought to you by StormForge by CloudBolt. Stop setting Kubernetes requests. Let ML handle rightsizing https://ku.bz/2wYKp0Q2Y
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Anthropic
$405K to $485K a year
Remote from the United States of America
https://ku.bz/wrrnmcjDQ
DevSecOps Engineer with OpenAI
$364.5K to $490K a year
Remote from the United States of America
https://ku.bz/NXd17JHfV
DevSecOps Engineer with Faire
$268K to $368.5K a year
Remote from the United States of America, Canada, the United Kingdom (+1 more)
https://ku.bz/6dD8HVYdT
DevSecOps Engineer with Perplexity
$220K to $405K a year
Fully remote
https://ku.bz/rnYh0TMpt
DevSecOps Engineer with Veeam Software
$172.4K to $441.5K a year
Remote from the United States of America
https://ku.bz/lhKbTMggn
Browse 5950 jobs on Kube Careers https://kube.careers
Forwarded from KubeFM
Nicholaos Mouzourakis, Staff Product Security Engineer at Gusto, explains a fascinating performance issue they encountered when deploying Open Policy Agent in Kubernetes. He details how Go's default thread management clashed with Kubernetes CPU resource limits, causing significant performance degradation.
The core issue: Go automatically spawns threads equal to the number of CPU cores reported by the OS (8 in their case), but Kubernetes with a 750 millicore limit only allowed access to 75% of a single core. This meant all 8 Go threads were competing for limited CPU resources, creating what he describes as "context switch thrashing."
Nicholaos shares how they diagnosed this problem and the counterintuitive solution, reducing GOMAXPROCS from 8 to 2, which immediately improved performance.
Watch the full episode: https://ku.bz/S-2vQ_j-4
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 179:
- CloudEvents: The Missing Standards of Event-Driven Architecture
- A Field Guide to Sandboxes for AI
- Securing East-West Traffic with GKE Internal Gateway
- Designing for Failure: Chaos Engineering Best Practices
- Building a Centralized Multi-Account AWS Monitoring Platform
Read it now: https://kube.today/issues/179
This newsletter is brought to you by Portworx. Automate, protect, and unify data for modern applications across on-premises, public, and hybrid cloud environments https://ku.bz/sjN4qdbrL
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Anthropic
$405K to $485K a year
Remote from the United States of America
https://ku.bz/wrrnmcjDQ
DevSecOps Engineer with OpenAI
$364.5K to $490K a year
Remote from the United States of America
https://ku.bz/NXd17JHfV
DevSecOps Engineer with Faire
$268K to $368.5K a year
Remote from the United States of America, Canada, the United Kingdom (+1 more)
https://ku.bz/6dD8HVYdT
DevSecOps Engineer with Mercor
$130K to $500K a year
On-site in San Francisco, CA, USA
https://ku.bz/Hs5qfr1h2
DevSecOps Engineer with Perplexity
$220K to $405K a year
Fully remote
https://ku.bz/rnYh0TMpt
Browse 6284 jobs on Kube Careers https://kube.careers
Forwarded from LearnKube news
Master Kubernetes with LearnKube's Advanced Kubernetes workshop!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
The next course starts next week: https://learnkube.com/training
We also run in-person courses and private training: https://learnkube.com/corporate-training
Cilium Policy Generator watches dropped flows in real time and auto-generates CiliumNetworkPolicy YAML files to allow them, so you stop writing policies by hand in default-deny Cilium clusters.
More: https://ku.bz/hZYF4XgL_
X.509 Certificate Exporter is a Go-based Prometheus exporter that monitors certificate expiration inside Kubernetes clusters or as a standalone service, helping teams alert before TLS certificates expire.
More: https://ku.bz/BPXM_D-v2
Forwarded from LearnKube news
The Kubernetes control plane is where the cluster accepts changes, stores the desired state, and decides what happens next.
In this series of articles, you will learn:
- How the API server handles authentication, authorization, admission, and storage
- How etcd stores the cluster state and why it can become a bottleneck at scale
- How the controller manager turns intent into actions through reconciliation loops
- How the scheduler filters and ranks nodes before placing Pods
https://learnkube.com/kubernetes-control-plane
If you want to level up your Kubernetes knowledge, the next LearnKube training starts this Thursday:
https://learnkube.com/training
This tutorial teaches how to build a cert-manager external issuer that uses a YubiHSM 2 to sign TLS certificates via Go's crypto.Signer interface.
More: https://ku.bz/b9GlYRS88