Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 179:
☁️ CloudEvents: The Missing Standards of Event-Driven Architecture
🔥 A Field Guide to Sandboxes for AI
🔐 Securing East-West Traffic with GKE Internal Gateway
💥 Designing for Failure: Chaos Engineering Best Practices
📊 Building a Centralized Multi-Account AWS Monitoring Platform
Read it now: https://kube.today/issues/179
⭐️ This newsletter is brought to you by Portworx. Automate, protect, and unify data for modern applications across on-premises, public, and hybrid cloud environments https://ku.bz/sjN4qdbrL
☁️ CloudEvents: The Missing Standards of Event-Driven Architecture
🔥 A Field Guide to Sandboxes for AI
🔐 Securing East-West Traffic with GKE Internal Gateway
💥 Designing for Failure: Chaos Engineering Best Practices
📊 Building a Centralized Multi-Account AWS Monitoring Platform
Read it now: https://kube.today/issues/179
⭐️ This newsletter is brought to you by Portworx. Automate, protect, and unify data for modern applications across on-premises, public, and hybrid cloud environments https://ku.bz/sjN4qdbrL
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Anthropic
💰 $405K to $485K a year
Remote from the United States of America
→ https://ku.bz/wrrnmcjDQ
DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
Remote from the United States of America
→ https://ku.bz/NXd17JHfV
DevSecOps Engineer with Faire
💰 $268K to $368.5K a year
Remote from the United States of America, Canada, the United Kingdom (+1 more)
→ https://ku.bz/6dD8HVYdT
DevSecOps Engineer with Mercor
💰 $130K to $500K a year
On-site in San Francisco, CA, USA
→ https://ku.bz/Hs5qfr1h2
DevSecOps Engineer with Perplexity
💰 $220K to $405K a year
Fully remote
→ https://ku.bz/rnYh0TMpt
👉 Browse 6284 jobs on Kube Careers https://kube.careers
DevSecOps Engineer with Anthropic
💰 $405K to $485K a year
Remote from the United States of America
→ https://ku.bz/wrrnmcjDQ
DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
Remote from the United States of America
→ https://ku.bz/NXd17JHfV
DevSecOps Engineer with Faire
💰 $268K to $368.5K a year
Remote from the United States of America, Canada, the United Kingdom (+1 more)
→ https://ku.bz/6dD8HVYdT
DevSecOps Engineer with Mercor
💰 $130K to $500K a year
On-site in San Francisco, CA, USA
→ https://ku.bz/Hs5qfr1h2
DevSecOps Engineer with Perplexity
💰 $220K to $405K a year
Fully remote
→ https://ku.bz/rnYh0TMpt
👉 Browse 6284 jobs on Kube Careers https://kube.careers
Forwarded from LearnKube news
Master Kubernetes with LearnKube's Advanced Kubernetes workshop!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
The next course starts next week: https://learnkube.com/training
We also run in-person courses and private training: https://learnkube.com/corporate-training
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
The next course starts next week: https://learnkube.com/training
We also run in-person courses and private training: https://learnkube.com/corporate-training
Cilium Policy Generator, watches dropped flows in real time, and auto-generates CiliumNetworkPolicy YAML files to allow them — so you stop writing policies by hand in default-deny Cilium clusters.
More: https://ku.bz/hZYF4XgL_
More: https://ku.bz/hZYF4XgL_
X.509 Certificate Exporter is a Go-based Prometheus exporter that monitors certificate expiration inside Kubernetes clusters or as a standalone service, helping teams alert before TLS certificates expire.
More: https://ku.bz/BPXM_D-v2
More: https://ku.bz/BPXM_D-v2
Forwarded from LearnKube news
The Kubernetes control plane is where the cluster accepts changes, stores the desired state, and decides what happens next.
In this series of articles, you will learn:
- How the API server handles authentication, authorization, admission, and storage
- How etcd stores the cluster state and why it can become a bottleneck at scale
- How the controller manager turns intent into actions through reconciliation loops
- How the scheduler filters and ranks nodes before placing Pods
https://learnkube.com/kubernetes-control-plane
🌟 If you want to level up your Kubernetes knowledge, the next LearnKube training starts this Thursday:
https://learnkube.com/training
In this series of articles, you will learn:
- How the API server handles authentication, authorization, admission, and storage
- How etcd stores the cluster state and why it can become a bottleneck at scale
- How the controller manager turns intent into actions through reconciliation loops
- How the scheduler filters and ranks nodes before placing Pods
https://learnkube.com/kubernetes-control-plane
🌟 If you want to level up your Kubernetes knowledge, the next LearnKube training starts this Thursday:
https://learnkube.com/training
This tutorial teaches how to build a cert-manager external issuer that uses a YubiHSM 2 to sign TLS certificates via Go's crypto.Signer interface.
More: https://ku.bz/b9GlYRS88
More: https://ku.bz/b9GlYRS88
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
A special episode on KubeFM, and a slightly different subject than usual.
Kelsey Hightower, Eric Abercrombie, and Julius Payne II join Bart to explore what hip-hop can teach us about Kubernetes and how music, creativity, and lived experience shape how we think about technology.
You will learn:
- Why fundamentals, patience, and repetition still matter more than shortcuts
- How Kubernetes, community, and confidence intersect for people entering cloud-native work
- What hip-hop, production, and storytelling can teach us about ownership, authenticity, and finding your voice
Watch (or listen to) it here: https://ku.bz/czrCCXSLt
🌟 This episode is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training: https://learnkube.com/training
With @Birthmarkb
Kelsey Hightower, Eric Abercrombie, and Julius Payne II join Bart to explore what hip-hop can teach us about Kubernetes and how music, creativity, and lived experience shape how we think about technology.
You will learn:
- Why fundamentals, patience, and repetition still matter more than shortcuts
- How Kubernetes, community, and confidence intersect for people entering cloud-native work
- What hip-hop, production, and storytelling can teach us about ownership, authenticity, and finding your voice
Watch (or listen to) it here: https://ku.bz/czrCCXSLt
🌟 This episode is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training: https://learnkube.com/training
With @Birthmarkb
Forwarded from Kube Today
New report: Immutable OS for Kubernetes
We’ve published a new report on how teams manage Kubernetes node OSes in practice.
Based on 2,138 responses across 4 platforms, the report examines node updates, incident response, CVE patch windows, and OS customization. The results suggest that immutable-node operations are becoming more common, but the hard part is still operational: building reliable image pipelines, observability, and rollout processes around the base OS.
Read the full report:
https://kube.today/immutable-linux-kubernetes-2026
⭐️ This research was sponsored by Spectro Cloud. If you want to explore an immutable OS built for Kubernetes, check out Hadron OS:
https://ku.bz/P5Gj9c18t
We’ve published a new report on how teams manage Kubernetes node OSes in practice.
Based on 2,138 responses across 4 platforms, the report examines node updates, incident response, CVE patch windows, and OS customization. The results suggest that immutable-node operations are becoming more common, but the hard part is still operational: building reliable image pipelines, observability, and rollout processes around the base OS.
Read the full report:
https://kube.today/immutable-linux-kubernetes-2026
⭐️ This research was sponsored by Spectro Cloud. If you want to explore an immutable OS built for Kubernetes, check out Hadron OS:
https://ku.bz/P5Gj9c18t
Forwarded from Kube Architect
This article explains how ListenerSet in Gateway API v1.5 separates listeners from Gateways so teams can restore self-service TLS management across namespaces and scale beyond the old listener limit.
More: https://ku.bz/s-5QsVS_T
More: https://ku.bz/s-5QsVS_T
k8s-mechanic watches for pod crashes, degraded Deployments, and NotReady nodes, spawns a read-only in-cluster agent that investigates the failure and opens a PR on your GitOps repo with secret redaction, prompt injection detection, and a pentest report.
More: https://ku.bz/Xg8shhsZb
More: https://ku.bz/Xg8shhsZb
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 180:
🔥 Hidden Infrastructure Challenges in Distributed LLM Inference on Kubernetes
🎯 Simplifying Model Serving with Kubernetes and Ray: Inside DoubleVerify's ML Platform
🔥 Lazy-Pulling Container Images: A Deep Dive into OCI Seekability
🔥 Building eBPF-Based Bandwidth Limiting in AWS Network Policy Agent — Why Vibe Coding Isn't Enough
🚀 Slurm on Kubernetes (SUNK): Modernizing HPC and AI Workload Management
Read it now: https://kube.today/issues/180
⭐️ This newsletter is brought to you by Portworx. Automate, protect, and unify data for modern applications across on-premises, public, and hybrid cloud environments https://ku.bz/sjN4qdbrL
🔥 Hidden Infrastructure Challenges in Distributed LLM Inference on Kubernetes
🎯 Simplifying Model Serving with Kubernetes and Ray: Inside DoubleVerify's ML Platform
🔥 Lazy-Pulling Container Images: A Deep Dive into OCI Seekability
🔥 Building eBPF-Based Bandwidth Limiting in AWS Network Policy Agent — Why Vibe Coding Isn't Enough
🚀 Slurm on Kubernetes (SUNK): Modernizing HPC and AI Workload Management
Read it now: https://kube.today/issues/180
⭐️ This newsletter is brought to you by Portworx. Automate, protect, and unify data for modern applications across on-premises, public, and hybrid cloud environments https://ku.bz/sjN4qdbrL
This article explains how to secure production debugging in Kubernetes with least-privilege RBAC, controlled exec access, ephemeral containers, and short-lived just-in-time credentials for on-call teams.
More: https://ku.bz/k0qGtqj-d
More: https://ku.bz/k0qGtqj-d
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Anthropic
💰 $405K to $485K a year
Remote from the United States of America
→ https://ku.bz/wrrnmcjDQ
DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
Remote from the United States of America
→ https://ku.bz/NXd17JHfV
DevSecOps Engineer with Faire
💰 $268K to $368.5K a year
Remote from the United States of America, Canada, the United Kingdom (+1 more)
→ https://ku.bz/6dD8HVYdT
DevSecOps Engineer with Mercor
💰 $130K to $500K a year
On-site in San Francisco, CA, USA
→ https://ku.bz/Hs5qfr1h2
DevSecOps Engineer with Perplexity
💰 $220K to $405K a year
Fully remote
→ https://ku.bz/rnYh0TMpt
👉 Browse 6598 jobs on Kube Careers https://kube.careers
DevSecOps Engineer with Anthropic
💰 $405K to $485K a year
Remote from the United States of America
→ https://ku.bz/wrrnmcjDQ
DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
Remote from the United States of America
→ https://ku.bz/NXd17JHfV
DevSecOps Engineer with Faire
💰 $268K to $368.5K a year
Remote from the United States of America, Canada, the United Kingdom (+1 more)
→ https://ku.bz/6dD8HVYdT
DevSecOps Engineer with Mercor
💰 $130K to $500K a year
On-site in San Francisco, CA, USA
→ https://ku.bz/Hs5qfr1h2
DevSecOps Engineer with Perplexity
💰 $220K to $405K a year
Fully remote
→ https://ku.bz/rnYh0TMpt
👉 Browse 6598 jobs on Kube Careers https://kube.careers
Audicia is an open source Kubernetes operator that reads audit logs and generates least-privilege RBAC policies, compliance reports, and GitOps-ready manifests.
More: https://ku.bz/JC2kbCg1X
More: https://ku.bz/JC2kbCg1X
This article explains how PAI adds security hooks, memory, reusable skills, and verification steps on top of Claude Code to make AI-assisted Kubernetes work more safely and more under control.
More: https://ku.bz/xR1ZgkWlv
More: https://ku.bz/xR1ZgkWlv
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
Brock Mowry, CTO @ Tintri, discusses the practical considerations when choosing between single cluster multi-tenancy and dedicated clusters per tenant.
He explains why single cluster multi-tenancy requires extensive RBAC configuration and granular security work to properly isolate tenants, making it operationally complex.
From a service provider perspective, Brock advocates for dedicated clusters per tenant as the simpler approach - allowing for templated Kubernetes environments that can be quickly provisioned.
Watch the full interview: https://ku.bz/F6X3C5Nvg
This interview is a reaction to Artem Lajko's episode https://ku.bz/zp0L7-xM4
He explains why single cluster multi-tenancy requires extensive RBAC configuration and granular security work to properly isolate tenants, making it operationally complex.
From a service provider perspective, Brock advocates for dedicated clusters per tenant as the simpler approach - allowing for templated Kubernetes environments that can be quickly provisioned.
Watch the full interview: https://ku.bz/F6X3C5Nvg
This interview is a reaction to Artem Lajko's episode https://ku.bz/zp0L7-xM4
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
John Howard, Senior Software Engineer at Solo.io, compares different network encryption approaches in Kubernetes and explains why CNI-based options like IPsec and WireGuard aren't equivalent to TLS.
He clarifies that IPsec and WireGuard typically provide node-to-node encryption rather than workload-to-workload encryption, resulting in less granular identity verification for zero-trust environments. John discusses practical considerations, including FIPS compliance requirements for government use cases and feature trade-offs when implementing IPsec with CNIs like Cilium. He debunks performance misconceptions, explaining that mTLS often outperforms WireGuard despite kernel-level implementation advantages, with benchmarks showing similar latency but 3-4× better throughput for mTLS due to hardware-optimized TLS processing.
Watch the full episode: https://kube.fmhttps://ku.bz/sk-ZF1PG9
He clarifies that IPsec and WireGuard typically provide node-to-node encryption rather than workload-to-workload encryption, resulting in less granular identity verification for zero-trust environments. John discusses practical considerations, including FIPS compliance requirements for government use cases and feature trade-offs when implementing IPsec with CNIs like Cilium. He debunks performance misconceptions, explaining that mTLS often outperforms WireGuard despite kernel-level implementation advantages, with benchmarks showing similar latency but 3-4× better throughput for mTLS due to hardware-optimized TLS processing.
Watch the full episode: https://kube.fmhttps://ku.bz/sk-ZF1PG9
KubeUser is a Kubernetes native operator that manages users, certificates, RBAC, and kubeconfigs declaratively for small teams that want simple cluster access without a full IAM or OIDC stack.
More: https://ku.bz/qnbH0j751
More: https://ku.bz/qnbH0j751
Forwarded from KubeFM
Media is too big
VIEW IN TELEGRAM
How do you build SaaS-style workflows with Kubernetes APIs without turning one CRD into a dumping ground?
Alexander Held, former platform engineer at Mercedes-Benz Tech Innovation, explains how a production platform moved from a 2,000-line CRD to purpose-built resources and controllers.
You will learn:
- Why monolithic CRDs create performance and troubleshooting problems
- How controllers turn database provisioning and backups into reconciliation loops
- How finalizers clean up external resources such as S3 backups
- Why Kubernetes events make platform workflows easier to debug
Watch (or listen to) it here: https://ku.bz/TGy4Qn7Qs
🌟 This episode is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person or remote training: https://learnkube.com/training
With @Birthmarkb
Alexander Held, former platform engineer at Mercedes-Benz Tech Innovation, explains how a production platform moved from a 2,000-line CRD to purpose-built resources and controllers.
You will learn:
- Why monolithic CRDs create performance and troubleshooting problems
- How controllers turn database provisioning and backups into reconciliation loops
- How finalizers clean up external resources such as S3 backups
- Why Kubernetes events make platform workflows easier to debug
Watch (or listen to) it here: https://ku.bz/TGy4Qn7Qs
🌟 This episode is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person or remote training: https://learnkube.com/training
With @Birthmarkb
This article explains how one team evaluated Crossplane and KRO to replace KIAM with EKS Pod Identities, balancing flexibility, maturity, and operational overhead after outages.
More: https://ku.bz/3tgpCxcm3
More: https://ku.bz/3tgpCxcm3