Many teams still treat Kubernetes as secure by default, and that assumption creates risk fast.

Glen Messenger argues that Kubernetes was built for orchestration, not security. His point is that platforms like GKE have to add strong defaults, least privilege, and opinionated controls so teams do not build insecure systems accidentally.



Watch the full interview: https://ku.bz/N5njxPHdY

For regulated environments, open source can be a strength rather than a liability.

Devin Allen explains that visibility into the codebase is what makes open source workable in secure environments. More eyes on the code means problems can be found, understood, and fixed faster, which changes the conversation from blind trust to transparent verification.



Watch the full interview: https://ku.bz/8lKHj1C5d

This tutorial explains how to prevent, detect, and clean up leaked secrets in Git repositories using .env files, Kubernetes Secrets, Gitleaks, GitGuardian, and git-filter-repo.

More: https://ku.bz/PZjTtq9v8

This tutorial shows how to secure an ArgoCD based EKS GitOps workflow with External Secrets Operator, IRSA, and AWS SSM Parameter Store so secrets stay out of Git and sync safely into Kubernetes.

More: https://ku.bz/1qJT8SG1s

🚀 New on LearnKube: "Kubelet Metrics: How cAdvisor and CRI Collect Kubernetes Stats."

Kubernetes metrics often look like a Prometheus topic, but the data originates much lower in the stack.

This guide explains how kubelet collects and exposes pod, container, node, and resource metrics, and how that path changes when stats move from cAdvisor to the container runtime through CRI.

You will learn:

- how Linux cgroups provide the raw counters behind container metrics
- where cAdvisor fits inside kubelet
- what kubelet exposes through /metrics, /metrics/cadvisor, /metrics/resource, and /stats/summary
- how containerd and CRI-O can return pod and container stats through CRI
- why the same kubelet endpoint can hide a different internal collection path

Read the full article:
https://learnkube.com/kubernetes-metrics-cadvisor-kubelet-cri

Node Healthcheck Operator automatically detects unhealthy nodes and triggers pluggable remediators like BMC, ClusterAPI, or software reboots to recover workloads without manual intervention.

More: https://ku.bz/8Y52rJ74q

Using AI to generate YAML is one thing. Letting it touch production operations is another.

YongKang He says the safest starting point is low-risk, high-volume work like anomaly detection, correlation, and remediation suggestions. He is not ready to hand over costly scaling decisions or sensitive policy changes without stronger guardrails.

The practical lesson is that AI should act like a co-pilot for SRE, not a fully autonomous operator.



Watch the full interview: https://ku.bz/8Q7Vy60P7

This tutorial explains TLS and certificate debugging from root CA basics to Kubernetes secrets, with OpenSSL and curl commands for inspecting certs, validating handshakes, and fixing common production errors.

More: https://ku.bz/z-30r6w-V

John Ford from Scout24 SE explains how Scout24 turned a forced OS migration into a chance to rethink Kubernetes autoscaling, node provisioning, and infrastructure efficiency.

You will learn:

- Why two-minute node provisioning forced a 25% capacity buffer
- How Karpenter made the Bottlerocket migration safer
- What broke around EC2 metadata, AWS SDKs, and cgroups
- How the new foundation enables Spot, ARM, and GPU workloads

Watch (or listen to) it here: https://ku.bz/DdmVC2_7v

🌟 This episode is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person or remote training: https://learnkube.com/training

With @Birthmarkb

This tutorial shows how to use Cilium and Hubble to enforce HTTP path based network policies in Kubernetes with eBPF, so you can allow or block specific endpoints without sidecars.

More: https://ku.bz/Fl4tzq2J2

This week on Learn Kubernetes Weekly 184:

🔥 Three Weeks Hunting a 4GB Native Memory Leak That .NET Couldn't See
⚠️ Before You Migrate: Five Surprising Ingress-NGINX Behaviors You Need to Know
🔀 Why I Built ctx_: The Context Switcher That Actually Gets DevOps Work
🚀 Migrating Ingress NGINX Controller to Istio in Kubernetes
🐘 Running PostgreSQL on Kubernetes: Operators, Storage and Production Guide

Read it now: https://kube.today/issues/184

⭐️ This newsletter is brought to you by WeAreDevelopers World Congress — The World’s Largest Event for Developers, AI Builders & Tech Leaders https://ku.bz/CvpvW-SG2

Kubeconform is a Kubernetes manifests validation tool.

Similar to Kubeval, but with the following improvements:

1. High performance.
2. Remote or local schema locations
3. Up-to-date schemas for all recent versions of Kubernetes.

More: https://ku.bz/l0kD6R0TS

Harbor is a CNCF-graduated open source container registry that stores, signs, and scans images, with built-in RBAC, LDAP/OIDC support, vulnerability scanning, policy-based replication, and a full REST API.

More: https://ku.bz/GjjZhkvSD

Agent workloads push Kubernetes beyond the assumptions of the standard container model.

Mauricio Salatino explains why Agent Sandbox is useful as teams start running AI agent code in clusters that need stronger isolation and new primitives for this class of workload.



Watch the full interview: https://ku.bz/QXKc1tBFY

This article explains why vanilla Kubernetes has no real login event and shows a practical session-tracking workaround using credential-id fingerprints from audit logs, with a side-by-side comparison against OpenShift OAuth behavior.

More: https://ku.bz/DxYlmDBjQ

🚀 New on LearnKube: “User and workload identities in Kubernetes.”

The Kubernetes API server must identify the caller before it can check permissions.

The article follows that identity through the request path: external users, in-cluster workloads, service account tokens, projected volumes, JWT claims, TokenReview, and AWS IAM federation.

You will learn:

- how authentication differs from authorization
- why human users usually come from OIDC, certificates, webhooks, proxies, or static token files
- how pods authenticate with service accounts
- why TokenRequest and projected volumes replaced automatic long-lived token secrets
- what sub, aud, iss, and exp tell you inside a JWT
- how EKS IRSA uses projected tokens to federate with AWS IAM
- how TokenReview validates Kubernetes-issued tokens inside the cluster

Read the full article:
https://learnkube.com/authentication-kubernetes

This tutorial shows how to set up TLS-terminated ingress on EKS Auto Mode using ACM and an ALB, skipping the traditional AWS Load Balancer Controller installation and OIDC setup.

More: https://ku.bz/sbhYbmWNb

Alessandro Pomponio, Research Software Engineer @ IBM Research, explains his team's strategic approach to selecting open source tools from the CNCF landscape for their research computing platform.

Alessandro details their decision-making process for policy enforcement, comparing Kyverno and Gatekeeper. They ultimately chose Kyverno because it uses YAML and "truly speaks Kubernetes," making it more accessible for researchers who manage clusters as a secondary responsibility rather than their primary job.

Watch the full episode: https://ku.bz/5sK7BFZ-8

This article explains Kubernetes secrets management from an SRE angle by comparing:

- Sealed Secrets,
- External Secrets Operator,
- and Vault-based approaches with examples.

More: https://ku.bz/l5fy3crYf

The right AI governance pattern for Kubernetes is not one agent doing everything. It is multiple agents doing specific work well.

Henrik Rexed of Dynatrace says teams should think in terms of specialized review lanes: one AI system for infrastructure-heavy changes, another for observability concerns, and a human reviewer to confirm the final result. That reduces the chance of subtle platform-specific issues being missed by a generic review pass.





Watch the full interview: https://ku.bz/KGQ_b20nQ

This week on Learn Kubernetes Weekly 185:

🔥 A One-Line Kubernetes Fix That Saved 600 Hours a Year
🔐 Why Kubernetes Has No Login — And How We Solved It for AuditRadar
⚙️ Durable Workflows Beyond Vercel: Version-Safe Orchestration for Kubernetes
🧩 The Missing Layers in Your Kubernetes Operator
🚨 Why Your KServe InferenceService Won't Become Ready: Four Production Failures and Fixes

Read it now: https://kube.today/issues/185

⭐️ This issue is brought to you by Qodo, the AI code integrity platform helping teams review, test, and ship reliable infrastructure code faster https://ku.bz/NvLHsnl-6