New report: Immutable OS for Kubernetes

We’ve published a new report on how teams manage Kubernetes node OSes in practice.

Based on 2,138 responses across 4 platforms, the report examines node updates, incident response, CVE patch windows, and OS customization. The results suggest that immutable-node operations are becoming more common, but the hard part is still operational: building reliable image pipelines, observability, and rollout processes around the base OS.

Read the full report:
https://kube.today/immutable-linux-kubernetes-2026

⭐️ This research was sponsored by Spectro Cloud. If you want to explore an immutable OS built for Kubernetes, check out Hadron OS:
https://ku.bz/P5Gj9c18t

This article explains how ListenerSet in Gateway API v1.5 separates listeners from Gateways so teams can restore self-service TLS management across namespaces and scale beyond the old listener limit.

More: https://ku.bz/s-5QsVS_T

k8s-mechanic watches for pod crashes, degraded Deployments, and NotReady nodes, spawns a read-only in-cluster agent that investigates the failure and opens a PR on your GitOps repo with secret redaction, prompt injection detection, and a pentest report.

More: https://ku.bz/Xg8shhsZb

This week on Learn Kubernetes Weekly 180:

🔥 Hidden Infrastructure Challenges in Distributed LLM Inference on Kubernetes
🎯 Simplifying Model Serving with Kubernetes and Ray: Inside DoubleVerify's ML Platform
🔥 Lazy-Pulling Container Images: A Deep Dive into OCI Seekability
🔥 Building eBPF-Based Bandwidth Limiting in AWS Network Policy Agent — Why Vibe Coding Isn't Enough
🚀 Slurm on Kubernetes (SUNK): Modernizing HPC and AI Workload Management

Read it now: https://kube.today/issues/180

⭐️ This newsletter is brought to you by Portworx. Automate, protect, and unify data for modern applications across on-premises, public, and hybrid cloud environments https://ku.bz/sjN4qdbrL

This article explains how to secure production debugging in Kubernetes with least-privilege RBAC, controlled exec access, ephemeral containers, and short-lived just-in-time credentials for on-call teams.

More: https://ku.bz/k0qGtqj-d

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Anthropic
💰 $405K to $485K a year
Remote from the United States of America
→ https://ku.bz/wrrnmcjDQ

DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
Remote from the United States of America
→ https://ku.bz/NXd17JHfV

DevSecOps Engineer with Faire
💰 $268K to $368.5K a year
Remote from the United States of America, Canada, the United Kingdom (+1 more)
→ https://ku.bz/6dD8HVYdT

DevSecOps Engineer with Mercor
💰 $130K to $500K a year
On-site in San Francisco, CA, USA
→ https://ku.bz/Hs5qfr1h2

DevSecOps Engineer with Perplexity
💰 $220K to $405K a year
Fully remote
→ https://ku.bz/rnYh0TMpt

👉 Browse 6598 jobs on Kube Careers https://kube.careers

Audicia is an open source Kubernetes operator that reads audit logs and generates least-privilege RBAC policies, compliance reports, and GitOps-ready manifests.

More: https://ku.bz/JC2kbCg1X

This article explains how PAI adds security hooks, memory, reusable skills, and verification steps on top of Claude Code to make AI-assisted Kubernetes work more safely and more under control.

More: https://ku.bz/xR1ZgkWlv

Brock Mowry, CTO @ Tintri, discusses the practical considerations when choosing between single cluster multi-tenancy and dedicated clusters per tenant.

He explains why single cluster multi-tenancy requires extensive RBAC configuration and granular security work to properly isolate tenants, making it operationally complex.

From a service provider perspective, Brock advocates for dedicated clusters per tenant as the simpler approach - allowing for templated Kubernetes environments that can be quickly provisioned.

Watch the full interview: https://ku.bz/F6X3C5Nvg

This interview is a reaction to Artem Lajko's episode https://ku.bz/zp0L7-xM4

John Howard, Senior Software Engineer at Solo.io, compares different network encryption approaches in Kubernetes and explains why CNI-based options like IPsec and WireGuard aren't equivalent to TLS.

He clarifies that IPsec and WireGuard typically provide node-to-node encryption rather than workload-to-workload encryption, resulting in less granular identity verification for zero-trust environments. John discusses practical considerations, including FIPS compliance requirements for government use cases and feature trade-offs when implementing IPsec with CNIs like Cilium. He debunks performance misconceptions, explaining that mTLS often outperforms WireGuard despite kernel-level implementation advantages, with benchmarks showing similar latency but 3-4× better throughput for mTLS due to hardware-optimized TLS processing.

Watch the full episode: https://kube.fmhttps://ku.bz/sk-ZF1PG9

KubeUser is a Kubernetes native operator that manages users, certificates, RBAC, and kubeconfigs declaratively for small teams that want simple cluster access without a full IAM or OIDC stack.

More: https://ku.bz/qnbH0j751

How do you build SaaS-style workflows with Kubernetes APIs without turning one CRD into a dumping ground?

Alexander Held, former platform engineer at Mercedes-Benz Tech Innovation, explains how a production platform moved from a 2,000-line CRD to purpose-built resources and controllers.

You will learn:

- Why monolithic CRDs create performance and troubleshooting problems
- How controllers turn database provisioning and backups into reconciliation loops
- How finalizers clean up external resources such as S3 backups
- Why Kubernetes events make platform workflows easier to debug

Watch (or listen to) it here: https://ku.bz/TGy4Qn7Qs

🌟 This episode is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person or remote training: https://learnkube.com/training

With @Birthmarkb

This article explains how one team evaluated Crossplane and KRO to replace KIAM with EKS Pod Identities, balancing flexibility, maturity, and operational overhead after outages.

More: https://ku.bz/3tgpCxcm3

This week on Learn Kubernetes Weekly 181:

🔥 Benchmarking Kubernetes log collectors: vlagent, Vector, Fluent Bit, OpenTelemetry collector, and more
🔥 Exploring ListenerSet in Gateway API v1.5
🔥 X-Ray Vision for GPUs: eBPF Monitoring on Kubernetes
🔄 The Invisible Rewrite: Modernizing the Kubernetes Image Promoter
💾 In-place PVC re-binding: zero-downtime disk migration on Kubernetes

Read it now: https://kube.today/issues/181

⭐️ This issue is brought to you by Dash0 — OpenTelemetry-native observability that takes minutes, not months. Full visibility into your logs, metrics, and traces with no lock-in and transparent pricing https://ku.bz/_n4B_yTWF

Mike Stefaniak, Head of Product, Kubernetes and Registries at Amazon Web Services (AWS), discusses the current limitations and future requirements for giving AI assistants write access to Kubernetes resources.

Mike identifies two critical barriers preventing autonomous AI actions in production: insufficient fine-grained security controls in current Kubernetes authorization systems and unresolved hallucination problems in AI models.

Watch the full interview: https://ku.bz/PzjrglcZJ

PII-Shield is a sidecar that sanitizes logs before they leave the pod by detecting secrets and personal data, preserving JSON structure, and supporting Helm based deployment..

More: https://ku.bz/V2B6Gqksv

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Anthropic
💰 $405K to $485K a year
Remote from the United States of America
→ https://ku.bz/wrrnmcjDQ

DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
Remote from the United States of America
→ https://ku.bz/NXd17JHfV

DevSecOps Engineer with Faire
💰 $268K to $368.5K a year
Remote from the United States of America, Canada, the United Kingdom (+1 more)
→ https://ku.bz/6dD8HVYdT

DevSecOps Engineer with Mercor
💰 $130K to $500K a year
On-site in San Francisco, CA, USA
→ https://ku.bz/Hs5qfr1h2

DevSecOps Engineer with Perplexity
💰 $220K to $405K a year
Fully remote
→ https://ku.bz/rnYh0TMpt

👉 Browse 6817 jobs on Kube Careers https://kube.careers

This case study shows how Unitary built Osmia, an open-source orchestration layer on EKS to run autonomous AI coding agents safely at scale using pod isolation, Karpenter, IRSA-based secrets, and real-time trajectory scoring.

More: https://ku.bz/lyr0QGf1f

Siclaw is an open source AI SRE platform for read-only infrastructure diagnostics, root cause analysis, team workflows, Kubernetes access, and MCP-based investigation without changing live systems directly.

More: https://ku.bz/cSX5czD5y

We published a new page for companies that want to work with LearnKube:
https://learnkube.com/for-marketers

Some LearnKube projects are too large to make alone.

The GPU ebooks we published recently are a good example:
https://learnkube.com/books

They are free because sponsors helped fund the research, writing, production, webinars, and distribution behind them.

We want to keep creating ambitious technical education for Kubernetes and platform engineering teams.

We already have ideas we’d like to develop around AI infrastructure, Kubernetes resource optimization, platform engineering, and general Kubernetes education.

If your company wants to support these efforts and reach Kubernetes practitioners with useful technical content, we’d like to talk:
https://learnkube.com/for-marketers

This tool runs inside Kubernetes and automatically decrypts secrets encrypted with Mozilla SOPS, and then creates standard Kubernetes Secret objects from them.

More: https://ku.bz/fy2bXhv9X