Warden is an open source runtime access gateway that lets AI agents, pods, pipelines, and services use identity-based policies to reach cloud APIs, databases, and storage without storing long-lived credentials.
More: https://ku.bz/KTFVJj-Tv
This article introduces KubeUser, an open source Kubernetes operator that automates user certificate, RBAC, and kubeconfig creation from a declarative custom resource.
More: https://ku.bz/t3c88n2-h
Trupositive is a wrapper that automatically tags Terraform and CloudFormation resources with Git commit SHA, branch, and repository metadata for auditability and infrastructure traceability.
More: https://ku.bz/jy_MxscNM
Forwarded from LearnKube news
We published a Kubernetes production-readiness checklist for teams preparing workloads for production.
The checklist is designed to help platform and application teams review the Kubernetes-specific behavior that affects an application before it goes live.
It includes:
- An interactive checklist
- Detailed explanations for each production-readiness check
- A downloadable PDF worksheet
It walks through five areas:
- The contract between your application and Kubernetes
- The manifests that define how Kubernetes should run it
- The workload security posture
- Scaling behavior under load
- Operational checks after launch
Open the checklist:
https://learnkube.com/production-best-practices
If you want a guided review, LearnKube also offers a Kubernetes Production Readiness Review with one of our instructors:
https://learnkube.com/production-readiness-review
Forwarded from KubeFM
Stefan Roman explains how to implement network security in a multi-tenant Kubernetes learning platform. He describes the evolution from a single-namespace architecture to a dual-namespace system that separates the control plane from worker nodes. The discussion covers:
- Implementing NetworkPolicies to create strict namespace isolation and control traffic flow
- Managing cross-namespace communication between the control plane and worker nodes
- Using NodePort services to dynamically expose SSH access only when needed
- Configuring Kubernetes DNS for essential component communication
- Securing public access through a single API server endpoint until lab initialization
Watch the full episode: https://ku.bz/Xz-TrmX2F
This article shows how to maintain VM-level network security during KubeVirt live migration by using Calico labels and policy enforcement rather than node or pod IPs.
More: https://ku.bz/mggD2nXf6
Forwarded from KubeFM
Brian Stack from Render explains why Kubernetes scaling can break along a dimension most teams ignore: namespaces.
At Render scale, hundreds of thousands of namespaces made common DaemonSet patterns expensive. Calico and Vector were list-watching namespace data across every node, multiplying memory usage and putting pressure on the API server during restarts and rollouts.
You will learn:
- Why namespaces can become a hidden scaling bottleneck
- How DaemonSets multiply memory and control-plane pressure
- How profiling, staging clusters, and upstream collaboration freed 7 TiB
- Why pushing from an 80% fix to a complete fix can make teams faster
Watch (or listen to) it here: https://ku.bz/0mrvCsXrV
🌟 This episode is brought to you by LearnKube — comprehensive Kubernetes training. https://learnkube.com/training
With @Birthmarkb
Forwarded from KubeFM
Nicholaos Mouzourakis, Staff Product Security Engineer at Gusto, explains how batch authorization significantly improves Open Policy Agent (OPA) performance in Kubernetes environments. He shares how packing multiple authorization requests into a single HTTP call dramatically reduces network latency overhead.
The performance gains are substantial - batch requests process approximately 18 times faster than individual requests. Nicholaos explains that while adding requests to an existing batch is "negligible and basically free," teams should carefully consider dependencies between authorization requests.
Watch the full episode: https://ku.bz/S-2vQ_j-4
This tutorial explains how Amazon EKS Pod Identity session policies let teams restrict pod IAM permissions with inline policies.
More: https://ku.bz/NtVpLWQ60
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 183:
🔥 Autoscaling Hid Our LLM Cost Regression (85% → 4% Cache Hit Rate)
🔥 Mount Mayhem at Netflix: Scaling Containers on Modern CPUs
🗄️ DocumentDB on Kubernetes: Resilient, Highly Available Databases with Automatic Failover
🛡️ We Brought Skew Protection to Your Kubernetes
🔒 Keeping Your Security Model Intact When Running VMs in Kubernetes
Read it now: https://kube.today/issues/183
⭐️ This newsletter is brought to you by LearnKube — master Kubernetes with hands-on training designed for engineers who want to learn the smart way https://ku.bz/hypSbyc-V
This tutorial teaches how to deploy Crossview on Kubernetes with Helm and secure it for enterprise use with session auth, SSO, proxy header auth, RBAC, TLS, and high-availability settings.
More: https://ku.bz/hwQDK693G
Forwarded from KubeFM
Many teams still treat Kubernetes as secure by default, and that assumption creates risk fast.
Glen Messenger argues that Kubernetes was built for orchestration, not security. His point is that platforms like GKE have to add strong defaults, least privilege, and opinionated controls so teams do not build insecure systems accidentally.
Watch the full interview: https://ku.bz/N5njxPHdY
Forwarded from KubeFM
For regulated environments, open source can be a strength rather than a liability.
Devin Allen explains that visibility into the codebase is what makes open source workable in secure environments. More eyes on the code means problems can be found, understood, and fixed faster, which changes the conversation from blind trust to transparent verification.
Watch the full interview: https://ku.bz/8lKHj1C5d
This tutorial explains how to prevent, detect, and clean up leaked secrets in Git repositories using .env files, Kubernetes Secrets, Gitleaks, GitGuardian, and git-filter-repo.
More: https://ku.bz/PZjTtq9v8
This tutorial shows how to secure an ArgoCD-based EKS GitOps workflow with External Secrets Operator, IRSA, and AWS SSM Parameter Store so secrets stay out of Git and sync safely into Kubernetes.
More: https://ku.bz/1qJT8SG1s
Forwarded from LearnKube news
🚀 New on LearnKube: "Kubelet Metrics: How cAdvisor and CRI Collect Kubernetes Stats."
Kubernetes metrics often look like a Prometheus topic, but the data originates much lower in the stack.
This guide explains how kubelet collects and exposes pod, container, node, and resource metrics, and how that path changes when stats move from cAdvisor to the container runtime through CRI.
You will learn:
- how Linux cgroups provide the raw counters behind container metrics
- where cAdvisor fits inside kubelet
- what kubelet exposes through /metrics, /metrics/cadvisor, /metrics/resource, and /stats/summary
- how containerd and CRI-O can return pod and container stats through CRI
- why the same kubelet endpoint can hide a different internal collection path
Read the full article:
https://learnkube.com/kubernetes-metrics-cadvisor-kubelet-cri
Forwarded from Kube Builders
Node Healthcheck Operator automatically detects unhealthy nodes and triggers pluggable remediators like BMC, ClusterAPI, or software reboots to recover workloads without manual intervention.
More: https://ku.bz/8Y52rJ74q
Forwarded from KubeFM
Using AI to generate YAML is one thing. Letting it touch production operations is another.
YongKang He says the safest starting point is low-risk, high-volume work like anomaly detection, correlation, and remediation suggestions. He is not ready to hand over costly scaling decisions or sensitive policy changes without stronger guardrails.
The practical lesson is that AI should act like a co-pilot for SRE, not a fully autonomous operator.
Watch the full interview: https://ku.bz/8Q7Vy60P7
This tutorial explains TLS and certificate debugging from root CA basics to Kubernetes secrets, with OpenSSL and curl commands for inspecting certs, validating handshakes, and fixing common production errors.
More: https://ku.bz/z-30r6w-V
Forwarded from KubeFM
John Ford from Scout24 SE explains how Scout24 turned a forced OS migration into a chance to rethink Kubernetes autoscaling, node provisioning, and infrastructure efficiency.
You will learn:
- Why two-minute node provisioning forced a 25% capacity buffer
- How Karpenter made the Bottlerocket migration safer
- What broke around EC2 metadata, AWS SDKs, and cgroups
- How the new foundation enables Spot, ARM, and GPU workloads
Watch (or listen to) it here: https://ku.bz/DdmVC2_7v
🌟 This episode is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person or remote training: https://learnkube.com/training
With @Birthmarkb
This tutorial shows how to use Cilium and Hubble to enforce HTTP path-based network policies in Kubernetes with eBPF, so you can allow or block specific endpoints without sidecars.
More: https://ku.bz/Fl4tzq2J2