Following the announced retirement of the ingress-nginx project, the CNCF migrated its internal services cluster to Envoy Gateway (an implementation of the Gateway API). Rather than a generic tutorial, the post details their specific architectural decisions, such as utilizing a shared Gateway object across multiple HTTPRoutes to optimize cloud load balancer costs and operational simplicity. It also covers the migration strategies they used for maintaining the same IP address, handling legacy certificates, and conducting "Day 2" operations with cert-manager.

https://www.cncf.io/blog/2026/04/13/ingress-nginx-to-envoy-gateway-migration-on-cncf-internal-services-cluster/

The article addresses the "broken" scale of AI model distribution, where transferring massive models (like a 130GB DeepSeek-V3) to hundreds of GPU nodes simultaneously bottlenecks network bandwidth and hits rate limits on hubs like Hugging Face. The solution is the CNCF project Dragonfly, which uses a Peer-to-Peer (P2P) architecture to ensure a model is fetched from the origin only once. It details new native protocol support for hf:// and modelscope://, allowing dfget (Dragonfly's download tool) to natively understand these hubs, reducing origin traffic by up to 99.5% and enabling wire-speed distribution across clusters.

https://www.cncf.io/blog/2026/04/06/peer-to-peer-acceleration-for-ai-model-distribution-with-dragonfly/

Red Hat critiques a recent VMware study that claimed VMware Cloud Foundation (VCF) with vSphere Kubernetes Service (VKS) offers a "5.6x pod density" advantage over Red Hat OpenShift. The benchmark as an architectural mismatch rather than an accurate performance evaluation, noting that VMware compared 300 overcommitted virtual worker nodes against 4 bare-metal OpenShift nodes.

https://www.redhat.com/en/blog/precision-over-perception-why-architecture-matters-benchmarking

Microsoft is so jealous of Claude Code's success that they decided to include a "co-author" credit for GitHub Copilot, even if Copilot has done nothing.

https://github.com/orgs/community/discussions/194075

The proliferation of AI coding models has drastically lowered the barrier to discovering software vulnerabilities, resulting in a massive influx of automated, low-quality, and false-positive vulnerability reports. This volume is overwhelming open-source maintainers and security teams. The article outlines how the industry must adapt, offering specific strategies for companies, maintainers, and external bug hunters to manage triage, improve report quality, and prevent ecosystem burnout.

https://www.cncf.io/blog/2026/04/16/the-ai-driven-shift-in-vulnerability-discovery-what-maintainers-and-bug-finders-need-to-know/

Uber engineered native gRPC endpoints directly into OpenSearch to eliminate inefficient REST/JSON translation layers within their architecture. Their automated pipeline for syncing JSON APIs with Protobuf schemas, their internal integration strategy, and the resulting performance gains in production environments for high-throughput ingestion and vector search workloads.

- Uber implemented gRPC as an OpenSearch module
- To prevent divergence between REST and gRPC, Uber built a three-stage automated pipeline
- Removing the JSON-to-Protobuf translation layer reduced p99 index write latency by 60% for Uber’s M3 metrics system and decreased batch indexing job runtimes by 20-35%.
- Large vector searches, which serialize poorly in JSON, saw a 53% reduction in p50 latency and a 43% reduction in p95 latency.
- Combining gRPC with binary document formats like SMILE proved highly effective, executing 30% faster than REST JSON and 45% faster than gRPC JSON.

https://www.uber.com/us/en/blog/high-performance-grpc/

It's time to update your kernel

An unprivileged local user can write 4 controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root.

https://copy.fail/

⚰️ Minio was archived on Apr 25, 2026
https://github.com/minio/minio

🚀2.3x faster than MinIO for 4KB object payloads. RustFS is an open-source, S3-compatible high-performance object storage system supporting migration and coexistence with other S3-compatible platforms such as MinIO and Ceph.

https://github.com/rustfs/rustfs

Any user with Argo CD application get permissions can extract real Kubernetes Secret values including service account tokens, TLS certificates, database credentials, and API keys. On Applications where IncludeMutationWebhook=true is already set, exploitation requires only read-only Argo CD access.

https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3

Kubernetes Goat is a "Vulnerable by Design" cluster environment to learn and practice Kubernetes security using an interactive hands-on playground 🚀

https://github.com/madhuakula/kubernetes-goat

The article features an interview with Landon Clipp, who built a multi-tenant GPU-based CaaS platform.
- Bypassing the NVIDIA GPU Operator
- Why gVisor Fails for GPUs
- VM Boot Delays
- Firmware and Memory Security
- Ideal Workload

https://kube.fm/gpu-containers-as-a-service-landon

Bulk port forwarding Kubernetes services for local development.
https://github.com/txn2/kubefwd

the Dirty Frag vulnerability class, first discovered and reported by Hyunwoo Kim (@v4bel), which can obtain root privileges on major Linux distributions by chaining the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability.

https://github.com/V4bel/dirtyfrag

The article explains that while Kubernetes excels at scheduling and isolating workloads, it lacks the context to secure Large Language Models (LLMs), which process untrusted natural language inputs. Highlighting four key risks from the OWASP Top 10 for LLMs, the author argues that security controls shouldn't live within the model runtime (like Ollama). Instead, organizations need a dedicated, LLM-aware policy layer (such as LiteLLM, Kong AI Gateway, or Portkey) in front of the model to enforce validation, filtering, and authorization.

https://www.cncf.io/blog/2026/03/30/llms-on-kubernetes-part-1-understanding-the-threat-model/

Uber engineered an automated approach to migrate its massive Java monorepo (over 600,000 tests, 15 million lines of code) from the deprecated JUnit 4 to JUnit 5. Facing challenges like the lack of native JUnit 5 support in their Bazel build system and custom test configurations, they successfully migrated over 75,000 test classes and 1.25 million lines of code in just four months without disrupting developer workflows.

https://www.uber.com/us/en/blog/junit-migration/

Claude Code gave me three "tickets" for a free week. You can grab them using this link: https://claude.ai/referral/NXtyf-cgbQ

The observability market is shifting from volume-based data ingestion to a value-driven model due to the unsustainable costs of scaling cloud-native and AI workloads. Driven by innovations like Chronosphere’s "Logs 2.0" and its subsequent acquisition by Palo Alto Networks, the industry is prioritizing "signal discipline"—retaining only actionable telemetry—and integrating observability directly into broader AI and security platforms.

https://siliconangle.com/2026/02/05/observability-cost-ai-scale-chronosphere-opensourcesummit/

A popular & widely deployed Open Source Container Native Storage platform for Stateful Persistent Applications on Kubernetes.

https://github.com/openebs/openebs

Managing expenses in the cloud requires a strategic approach beyond just looking at bills. A senior engineer shares valuable insight into optimizing costs effectively in this detailed read.
https://medium.com/@razkevich8/cloud-cost-optimization-a-senior-engineers-guide-d49ed4606de1

This informative post details a clever method for securing Grafana dashboards when using Google Cloud Identity-Aware Proxy. You will learn how to seamlessly integrate these two powerful technologies for enhanced access control.
https://www.vidbregar.com/blog/grafana-gcp-iap