Paul Butler, founder at Jamsocket, shares his team's approach to Role-Based Access Control (RBAC) in Kubernetes.

He explains why they deliberately minimize RBAC usage by leveraging Google Kubernetes Engine's IAM for cluster access and limiting RBAC to essential pod-to-resource permissions.

This approach has proven effective for their 4-person team, showing how small organizations can manage Kubernetes without complex RBAC configurations.

Watch the full episode: https://ku.bz/Dmn93dd7M

60-70% of all Kubernetes exploits start with exposed credentials.

Rodrigo Bersa from AWS lays out the three security concerns every developer should address before going to production:

1. Supply chain security — build from scratch or use hardened base images with zero CVEs from the start.
2. Continuous scanning — a clean image today won't stay clean.
3. Secrets management — Kubernetes secrets are base64-encoded, not encrypted. Store secrets externally (e.g., Secrets Manager) and mount them as volumes. If there's no shell in your image, credentials stay out of reach.





Watch the full interview: https://ku.bz/dB7PDNt0v

This week on Learn Kubernetes Weekly 177:

☕ What Happens When You Run Java at Scale on Kubernetes
🚀 From Push to Production: Our Deployment Pipeline with Argo CD
⚡ From Minutes to Seconds: How I Eliminated Kubernetes Image Pull Delays
🏕️ Nomad on OpenShift: The Case for the Control Plane
🔬 Deep Dive: The Linkerd Destination Service

Read it now: https://kube.today/issues/177

⭐️ This newsletter is brought to you by Spectro Cloud, helping you scale K8s infrastructure for AI workloads — from cloud to edge https://ku.bz/JD0dS5lhZ

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Anthropic
💰 $405K to $485K a year
Remote from the United States of America
→ https://ku.bz/wrrnmcjDQ

DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
Remote from the United States of America
→ https://ku.bz/NXd17JHfV

DevSecOps Engineer with Faire
💰 $268K to $368.5K a year
Remote from the United States of America, Canada, the United Kingdom (+1 more)
→ https://ku.bz/6dD8HVYdT

DevSecOps Engineer with Perplexity
💰 $220K to $405K a year
Fully remote
→ https://ku.bz/rnYh0TMpt

DevSecOps Engineer with xAI
💰 $180K to $440K a year
On-site in Palo Alto, CA, USA, Washington, DC, USA
→ https://ku.bz/fk6J-Tflt

👉 Browse 5267 jobs on Kube Careers https://kube.careers

Rohit Agrawal from Databricks on replacing Kubernetes networking with a proxy-less, client-side load balancing system and eliminating 20-30% over-provisioning across hundreds of services.

You will learn:

- Why KubeProxy's L4 routing breaks down for gRPC: it picks a backend once per connection, not per request
- How Databricks built an Endpoint Discovery Service that streams real-time pod metadata to every client
- How zone-aware spillover cuts cross-AZ costs without sacrificing availability
- Why CPU-based routing failed and what signals to use instead

Watch (or listen to) it here: https://ku.bz/y803JMhBk

🌟 Sponsored by LearnKube — Kubernetes training, online or in-person. https://learnkube.com/training

With @Birthmarkb

This week on Learn Kubernetes Weekly 178:

🔥 Kubernetes Remote Code Execution via nodes/proxy Get Permission
🦅 Aetòs: From Chaos to Engineering Excellence — A 3-Year Transformation
☸️ Kubernetes v1.35: Extended Toleration Operators to Support Numeric Comparisons
🔄 Reducing Complexity By Migrating from K8S to ECS Fargate for NetworkLessons
🗄️ Database State Management in Kubernetes: Running SQL Server on AKS with GitOps

Read it now: https://kube.today/issues/178

⭐️ This newsletter is brought to you by StormForge by CloudBolt. Stop setting Kubernetes requests. Let ML handle rightsizing https://ku.bz/2wYKp0Q2Y

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Anthropic
💰 $405K to $485K a year
Remote from the United States of America
→ https://ku.bz/wrrnmcjDQ

DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
Remote from the United States of America
→ https://ku.bz/NXd17JHfV

DevSecOps Engineer with Faire
💰 $268K to $368.5K a year
Remote from the United States of America, Canada, the United Kingdom (+1 more)
→ https://ku.bz/6dD8HVYdT

DevSecOps Engineer with Perplexity
💰 $220K to $405K a year
Fully remote
→ https://ku.bz/rnYh0TMpt

DevSecOps Engineer with Veeam Software
💰 $172.4K to $441.5K a year
Remote from the United States of America
→ https://ku.bz/lhKbTMggn

👉 Browse 5950 jobs on Kube Careers https://kube.careers

Nicholaos Mouzourakis, Staff Product Security Engineer at Gusto, explains a fascinating performance issue they encountered when deploying Open Policy Agent in Kubernetes. He details how Go's default thread management clashed with Kubernetes CPU resource limits, causing significant performance degradation.

The core issue: Go automatically spawns threads equal to the number of CPU cores reported by the OS (8 in their case), but Kubernetes with a 750 millicore limit only allowed access to 75% of a single core. This meant all 8 Go threads were competing for limited CPU resources, creating what he describes as "context switch thrashing."

Nicholaos shares how they diagnosed this problem and the counterintuitive solution - reducing GOMAXPROCS from 8 to 2 - which immediately improved performance.

Watch the full episode: https://kube.fmhttps://ku.bz/S-2vQ_j-4

This week on Learn Kubernetes Weekly 179:

☁️ CloudEvents: The Missing Standards of Event-Driven Architecture
🔥 A Field Guide to Sandboxes for AI
🔐 Securing East-West Traffic with GKE Internal Gateway
💥 Designing for Failure: Chaos Engineering Best Practices
📊 Building a Centralized Multi-Account AWS Monitoring Platform

Read it now: https://kube.today/issues/179

⭐️ This newsletter is brought to you by Portworx. Automate, protect, and unify data for modern applications across on-premises, public, and hybrid cloud environments https://ku.bz/sjN4qdbrL

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Anthropic
💰 $405K to $485K a year
Remote from the United States of America
→ https://ku.bz/wrrnmcjDQ

DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
Remote from the United States of America
→ https://ku.bz/NXd17JHfV

DevSecOps Engineer with Faire
💰 $268K to $368.5K a year
Remote from the United States of America, Canada, the United Kingdom (+1 more)
→ https://ku.bz/6dD8HVYdT

DevSecOps Engineer with Mercor
💰 $130K to $500K a year
On-site in San Francisco, CA, USA
→ https://ku.bz/Hs5qfr1h2

DevSecOps Engineer with Perplexity
💰 $220K to $405K a year
Fully remote
→ https://ku.bz/rnYh0TMpt

👉 Browse 6284 jobs on Kube Careers https://kube.careers

Master Kubernetes with LearnKube's Advanced Kubernetes workshop!

What should you expect?

- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.

The next course starts next week: https://learnkube.com/training

We also run in-person courses and private training: https://learnkube.com/corporate-training

Cilium Policy Generator, watches dropped flows in real time, and auto-generates CiliumNetworkPolicy YAML files to allow them — so you stop writing policies by hand in default-deny Cilium clusters.

More: https://ku.bz/hZYF4XgL_

X.509 Certificate Exporter is a Go-based Prometheus exporter that monitors certificate expiration inside Kubernetes clusters or as a standalone service, helping teams alert before TLS certificates expire.

More: https://ku.bz/BPXM_D-v2

The Kubernetes control plane is where the cluster accepts changes, stores the desired state, and decides what happens next.

In this series of articles, you will learn:

- How the API server handles authentication, authorization, admission, and storage
- How etcd stores the cluster state and why it can become a bottleneck at scale
- How the controller manager turns intent into actions through reconciliation loops
- How the scheduler filters and ranks nodes before placing Pods

https://learnkube.com/kubernetes-control-plane

🌟 If you want to level up your Kubernetes knowledge, the next LearnKube training starts this Thursday:
https://learnkube.com/training

This tutorial teaches how to build a cert-manager external issuer that uses a YubiHSM 2 to sign TLS certificates via Go's crypto.Signer interface.

More: https://ku.bz/b9GlYRS88

A special episode on KubeFM, and a slightly different subject than usual.

Kelsey Hightower, Eric Abercrombie, and Julius Payne II join Bart to explore what hip-hop can teach us about Kubernetes and how music, creativity, and lived experience shape how we think about technology.

You will learn:

- Why fundamentals, patience, and repetition still matter more than shortcuts
- How Kubernetes, community, and confidence intersect for people entering cloud-native work
- What hip-hop, production, and storytelling can teach us about ownership, authenticity, and finding your voice

Watch (or listen to) it here: https://ku.bz/czrCCXSLt

🌟 This episode is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training: https://learnkube.com/training

With @Birthmarkb

New report: Immutable OS for Kubernetes

We’ve published a new report on how teams manage Kubernetes node OSes in practice.

Based on 2,138 responses across 4 platforms, the report examines node updates, incident response, CVE patch windows, and OS customization. The results suggest that immutable-node operations are becoming more common, but the hard part is still operational: building reliable image pipelines, observability, and rollout processes around the base OS.

Read the full report:
https://kube.today/immutable-linux-kubernetes-2026

⭐️ This research was sponsored by Spectro Cloud. If you want to explore an immutable OS built for Kubernetes, check out Hadron OS:
https://ku.bz/P5Gj9c18t

This article explains how ListenerSet in Gateway API v1.5 separates listeners from Gateways so teams can restore self-service TLS management across namespaces and scale beyond the old listener limit.

More: https://ku.bz/s-5QsVS_T

k8s-mechanic watches for pod crashes, degraded Deployments, and NotReady nodes, spawns a read-only in-cluster agent that investigates the failure and opens a PR on your GitOps repo with secret redaction, prompt injection detection, and a pentest report.

More: https://ku.bz/Xg8shhsZb

This week on Learn Kubernetes Weekly 180:

🔥 Hidden Infrastructure Challenges in Distributed LLM Inference on Kubernetes
🎯 Simplifying Model Serving with Kubernetes and Ray: Inside DoubleVerify's ML Platform
🔥 Lazy-Pulling Container Images: A Deep Dive into OCI Seekability
🔥 Building eBPF-Based Bandwidth Limiting in AWS Network Policy Agent — Why Vibe Coding Isn't Enough
🚀 Slurm on Kubernetes (SUNK): Modernizing HPC and AI Workload Management

Read it now: https://kube.today/issues/180

⭐️ This newsletter is brought to you by Portworx. Automate, protect, and unify data for modern applications across on-premises, public, and hybrid cloud environments https://ku.bz/sjN4qdbrL

This article explains how to secure production debugging in Kubernetes with least-privilege RBAC, controlled exec access, ephemeral containers, and short-lived just-in-time credentials for on-call teams.

More: https://ku.bz/k0qGtqj-d