Here goes our latest bunch of interesting Kubernetes-related articles recently spotted online:
1. "Kafka vs NATS: A Comparison for Message Processing" by Josson Paul Kalapparambath.
Kafka and NATS are two popular tools for handling streaming and messaging. They have different architectures and different performance characteristics. They are suitable for specific use cases. In this article, we will compare the features of NATS with Kafka and explain the use cases I addressed at work.
2. "Kubectl-r[ex]ec: A kubectl plugin for auditing kubectl exec commands" by Marton Natko, Adyen.
With this minimalistic application, we can easily audit exec commands, and we only have to install a few manifests on the Kubernetes side while distributing our plugin to our engineers.
3. "Kubernetes Best Practices I Wish I Had Known Before" by Engin Diri, Pulumi.
In this post, I will highlight some crucial Kubernetes best practices. They are from my years of experience with Kubernetes in production. Think of this as the curated “Kubernetes cheat sheet” you wish you had from Day 1. Buckle up; it’s going to be an exciting ride.
4. "Configuration Management at Ant Group: Generated Manifest & Immutable Desired State" by KusionStack.
In this first article, we will examine the specific challenges we encountered over the years, the strategies we devised to address them, and the resulting patterns that have emerged as what we believe to be best practices — Generated Manifest & Immutable Desired State. Through this exploration, we aim to provide valuable insights and practical guidance for navigating the complexities of configuration management in a dynamic and highly regulated environment.
5. "So you wanna write Kubernetes controllers?" by Ahmet Alp Balkan.
Low barrier to entry combined with good intentions and the “illusion of working implementation” is not a recipe for success while developing production-grade controllers. I’ve seen the real-world consequences of controllers developed without adequate understanding of Kubernetes and the controller machinery at multiple large companies. We went back to the drawing board and rewritten nascent controller implementations a few times to observe which mistakes people new to controller development make.
6. "Kubernetes RBAC: A Comprehensive Guide" by Oshrat Nir.
Kubernetes RBAC is a method used to manage user access rights to resources within a Kubernetes cluster. It enables administrators to grant users or applications only the permissions they need to perform their tasks, and no more. RBAC uses authentication and authorization to achieve its purpose by verifying the identity of a user or system trying to access the Kubernetes API server.
#articles
There are many ways to run a Kubernetes cluster at home. This project produces a beginner-friendly ISO image loaded with ready-to-use software.
k4all provides a pre-configured Fedora CoreOS image, which you can boot on your home device to install Kubernetes and essential add-ons. Here’s what it offers:
* Fully automated installation process. (Note that it will format your disk.)
* Kubernetes dashboard, metrics server, Calico or Cilium for networking, NGINX Ingress Controller, and TopoLVM (a CSI plugin to use LVM for Kubernetes).
* Optional add-ons: KubeVirt to run virtual machines and Argo CD.
Language: Shell | License: GPL 3.0 | 22 ⭐️
▶️ GitHub repo
📢 Reddit announcement
#tools
Kubernetes History Inspector (KHI) from Google Cloud is Open Source now.
As its description states, “KHI transforms vast quantities of logs into an interactive, comprehensive timeline view.” This tool collects Kubernetes logs and visualises them, providing SREs with an interactive Web-based GUI.
KHI displays the status of resources on a timeline, correlates various types of logs (event logs, audit logs, network, etc.) to help you find their relationships and dependencies, and allows you to interactively apply various filters. Currently, only Kubernetes clusters in Google Cloud (i.e. GKE) are supported, with more options to follow.
▶️ GitHub repo
#tools #GCP #observability #news
Our selection of the latest prominent software updates from the Cloud Native ecosystem:
1. Kargo, an application lifecycle orchestration platform for Kubernetes, was updated to v1.2.0, featuring Promotion Tasks to define reusable sets of specific actions across multiple Promotion Templates. It also introduced the soak time for Stages to wait for a certain period of time before any Freight is promoted, as well as new Promotion Steps and improvements in UI and charts.
2. KitOps, a DevOps tool for packaging and versioning AI/ML models, datasets, code, and configuration into reproducible artifacts, has reached its v1.0.0. It came with a new kit import command to import models from Huggingface and a new kit init command to automatically generate Kitfiles.
3. Coroot, an Open Source APM & observability tool, has released its v1.7 and v1.8 versions, which added support for ClickHouse and ZooKeeper, enabled API keys configuration for projects, introduced its own configuration file and a new dashboard displaying security risks.
4. Falco, a Cloud Native runtime security tool (a CNCF Graduated project), received a major update with 0.40.0, which merged 50+ pull requests. It came with streamlined Docker images (less image size, optimised layers, and enhanced security), numerous new process filters (including proc.pgid), support for sendmmsg and recvmmsg syscalls parameters, and suggested output fields in plugins.
5. MariaDB Operator 0.37.0 was released, introducing the TLS support (enabled by default), native integration with cert-manager, and automatic updates when Galera options are changed.
6. Grafana 11.5 brought an improved sharing experience for dashboards (including a new Export option) and panel images (including a new Panel preview section), Private Data Source Connect (PDC), redesigned ad-hoc filters for dashboards, Elasticsearch’s cross-cluster search feature in the relevant data source plugin, and RBAC improvements (support for notification policies and alerting notifications).
7. Argo Rollouts, a Kubernetes controller with advanced deployment capabilities (a part of Argo, a CNCF Graduated project), released its 1.8. New features include Canary step plugins (to create a plugin and execute customised steps during the canary analysis), analysis consecutive success limit, full annotations support for nginx canary ingresses, and pprof profiling support.
#news #releases
Whether you're exploring your current Kubernetes environment or some new third-party software, you can benefit from having a quick diagram visualising all K8s resources. This new tool does just that.
KubeDiagrams generates architecture diagrams presenting Kubernetes resources, their interrelationships, and the relevant higher-level layers (namespaces, applications, etc.). The tool’s highlights include:
- Support for manifest files, Helm charts, Kustomization files, and actual cluster state.
- Support for 42 resource types and any custom resources.
- Grouping resources based on namespaces and labels (e.g., app.kubernetes.io/name or helm.sh/chart).
- Various output formats, including PNG, SVG, PDF, etc.
Language: Python | License: GPL 3.0 | 43 ⭐️
▶️ GitHub repo
📢 Reddit announcement
#tools
Weave GitOps is a Flux-based developer platform that simplifies continuous delivery adoption and scaling and provides insights into application deployments. It’s an Open Source project created at Weaveworks, the company that shut down in February 2024.
It hasn’t seen any releases since December 2023, but now the community formed from the Weaveworks ex-staff members and other users is reviving Weave GitOps. Just 9 hours ago, a 0.39.0-rc.1 release landed in the project’s GitHub repo. It brings numerous improvements, including support for Flux 2.4.0, updated UI and dependencies, enabled OpenTofu compatibility, and a new domain with the project’s documentation.
Find more details about this release here and the project’s documentation here.
P.S. Weave GitOps Enterprise, an enterprise solution based on Weave GitOps, became Open Source in April 2024.
#news #releases #gitops
Here goes our latest bunch of interesting Kubernetes-related articles recently spotted online:
1. "How I Supercharged My Local Kubernetes Setup" by Joseph Whiteaker.
Setting up a local Kubernetes cluster with Kind, MetalLB, and Istio takes some effort, but the payoff is a highly flexible, production-like environment that runs entirely on your local machine. Through this process, I’ve explored custom networking, pull-through registries, certificate management, and domain-based routing — all things that bring local Kubernetes closer to how real-world clusters operate.
2. "Vulnerability management in the microservice era: From zero to hero" by Nigel Douglas, Sysdig.
Kubernetes vulnerability scanning is the process of systematically inspecting a Kubernetes cluster, including its container images and configurations, to detect security misconfigurations or vulnerabilities that could compromise the platform’s security posture. It’s an essential practice for organizations to maintain a strong security posture and it offers several critical benefits.
3. "OpenTelemetry Collector deployment modes in Kubernetes" by Reese Lee & Brad Schmitt, New Relic.
A good way to simplify this process [deploying the OpenTelemetry Collector] is to familiarize yourself with "Collector deployment modes"—the various methods for setting up and managing the Collector to gather, process, and export application and system data within Kubernetes. It’s important to note that “deployment modes” differ from “deployment patterns,” a distinction that can be confusing. This blog post guides you through these key concepts so you’ll have the foundational knowledge you need to choose the right deployment mode for your observability strategy.
4. "Cluster API + Talos + Proxmox = ❤️" by Quentin Joly.
Today, I am tackling another aspect of Talos: provisioning Kubernetes clusters on Proxmox VMs via the Cluster API. I do not have the expertise to write a comprehensive article on the Cluster API, nor have I tested multiple providers or clouds. In this article, I will instead present my journey to deploy a Talos cluster on Proxmox via the Cluster API, detailing the steps, encountered issues, and solutions found.
5. "OpenTelemetry: A Guide to Observability with Go" by Luca Cavallin, a CNCF Ambassador.
In this post, I'll walk through how to integrate OpenTelemetry in a Go application. By the end, you'll have a reusable telemetry package that sets up logging, metrics, and tracing - all without cluttering your application code! I've published the package, complete with tests and examples, on GitHub: gotel. Feel free to use it as a starting point for your own projects.
6. "How to Build a Multi-Tenancy Internal Developer Platform with GitOps and vCluster" by Artem Lajko.
Here’s what you can expect from this blog:
- Introduction to Kubernetes and Internal Developer Platforms
- The Role of Platform Engineering in Building and Managing an IDP
- Implementing GitOps with Argo CD to Manage Your IDP Seamlessly
- Cost-Efficient Strategies for Multi-Tenant IDPs
- Hands-On Guide and GitHub Resources
#articles
Do you validate your Prometheus and other observability-related rules? Sometimes, you want to check them thoroughly and reviewing their syntax is not enough. Here’s when this tool comes in handy.
Promruval (Prometheus Rule Validator) validates rules metadata and expression properties against your actual setup and requirements. To benefit from it, you’ll need to create a YAML configuration defining allowed values, limits, and other constraints and then invoke promruval validate in your CI pipeline. Some of the tool’s highlights are:
- Support for Prometheus, Thanos, Mimir, and Loki rules formats.
- Support for rule files in YAML and Jsonnet formats.
- A huge list of available validators, which cover rule groups, labels, PromQL & LogQL expressions, and more.
- An ability to have multiple configuration files.
Language: Go | License: Apache 2.0 | 140 ⭐️
▶️ GitHub repo
#tools #observability
Here comes our newest digest of the prominent software updates in the Cloud Native ecosystem!
Release Spotlight: Cilium 1.17.0
Last week, a new Cilium release arrived, 1.17.0, accumulating an impressive number of 2700+ commits. They resulted in many changes in the project, improving its networking, security, and observability features, as well as scalability.
Some highlights of this release are: protocol differentiation (UDP, TCP) for services, per-service load balancing algorithm selection, Multi-Cluster Service API controller, Pod-level networking QoS classes support, improved network policy performance, ability to select CIDRs by labels, static addresses for gateways, dynamic Hubble metrics and numerous new metrics, rate limiting for eBPF events against CPU usage, and Gateway API 1.2.1 support.
Other noticeable updates in the Cloud Native space:
1. KubeArmor, a Cloud Native runtime security enforcement system (a CNCF Sandbox project), released its v1.5.0 (and subsequent v1.5.x fixes) with several new features. They include support for rules for SCTP protocol, all protocols with raw network socket/domain, and specifying protocol: all for network rules, configurable Docker imagePullSecrets, and special preset rules to handle fileless process execution.
2. Skaffold, a CLI tool for continuous development of applications for Kubernetes, has introduced v2.14.0 (and subsequent v2.14.1 fix), bringing various updates. It got Helm dependencies and concurrency support, faster helm install (by using goroutines), optimised Kaniko builds (by using compression) and imagePullSecret support in Kaniko, as well as a new GCS (Google Cloud Storage) client.
3. External Secrets Operator, a Kubernetes operator that integrates external secret management systems (a CNCF Sandbox project), reached v0.14.0 (and subsequent v0.14.x fixes) introducing stateful generators, with a new Grafana ServiceAccounts generator as its first implementation. Now, ESO can manage user or system accounts for database systems, message brokers, managed service providers, etc.
4. Falco Talon, a no-code solution for a customisable response engine working with Falco (a CNCF Graduated project), was updated to v0.3.0. It features a new actionner called kubernetes:sysdig: when a suspicious event occurs in a Pod, Talon triggers a capture and exports the created artifact to AWS S3 or Minio, which you can later explore via sysdig CLI tool.
5. Crossplane, a framework for building Cloud Native control planes (a CNCF Incubating project), released v1.19.0 just yesterday. It comes with Usage API and Claim server-side apply promoted to Beta (enabled by default now), customisable ports for Crossplane, auto-downgrading feature for packages in the automatic dependency management (Alpha), support for private repositories in the CLI commands downloading Crossplane packages (render, validate), and an API promotion policy.
#news #releases
Have you heard of kgateway? 🤔
It’s a new name for the Gloo Gateway Open Source project. Gloo Gateway is a flexible Kubernetes-native ingress controller and API gateway built on top of Envoy proxy and the Kubernetes Gateway API. Solo.io, the company behind it, decided to make it an independent project by introducing vendor-neutral governance, renaming it, and donating to CNCF.
Find more details about kgateway and its future in the CNCF blog, related CNCF Sandbox application request, and new GitHub repo.
#news #tools #networking #cncfprojects
Here goes our latest bunch of interesting Kubernetes-related articles recently spotted online:
1. "Standardizing App Delivery with Flux and Generic Helm Charts" by Stefan Prodan, ControlPlane.
In this guide we will explore how Flux can be used to standardize the lifecycle management of applications by leveraging the Generic Helm Chart pattern. The big promise of this pattern is that it should reduce the cognitive load on developers, as they only need to focus on the service-specific configuration, while the Generic Helm Chart shields them from the complexity of the Kubernetes API.
2. "The 100 Million Pod Mesh" by John Howard, Solo.io.
In this test, we deploy 100 million pods across 2,000 clusters, proving it can handle extreme scale with minimal resources, near-instant updates, and no manual tuning, resulting in effortless scalability and cost efficiency for enterprises.
3. "The AI Model Showdown – LLaMA 3.3-70B vs. Claude 3.5 Sonnet v2 vs. DeepSeek-R1/V3" by Itiel Shwartz, Komodor.
We tested DeepSeek’s models head-to-head against industry leaders in solving real-world Kubernetes challenges. The results were nothing short of fascinating and quite revealing, particularly regarding DeepSeek’s current capabilities in production environments.
4. "Simplifying Ingress Resource on AWS EKS: A Guide to AWS Load Balancer Controller" by Kenny Ang.
In this article, we will explore the AWS LBC and understand how it works (and doesn’t). To achieve this, I will walk you through installing the AWS LBC on an EKS cluster and observe the behavior after creating an ingress resource.
5. "Managing Secrets at Scale: Why We Chose SOPS for Terraform and Kubernetes Secrets" by Teodor J. Podobnik.
From SSH keys and Kubernetes Secrets to GitHub tokens and API credentials, keeping these secrets secure was vital to our product’s security and compliance. So we looked into several solutions like HashiCorp Vault, SealedSecrets and GCP Secret Manager but none fully met our needs.
6. "EKS vs. GKE Networking" by Jason Umiker.
I find that some of the biggest differences between EKS and GKE (as well as the underlying AWS and GCP) are in their differing approaches to networking. So, this is at the heart of any true comparison of the two services.
#articles
Promtail is now deprecated
Last week, Grafana Loki 3.4 was announced. This release's highlights included “Promtail merged into Alloy”:
- Promtail is a lightweight agent shipping logs to Grafana Loki.
- Grafana Alloy is a distribution of the OpenTelemetry Collector with built-in Prometheus pipelines and support for metrics, logs, traces, and profiles.
- Merging Promtail into Alloy means the former is officially declared deprecated. The project will reach its EOL on March 2, 2026. A guide on migrating from Promtail to Grafana Alloy is available.
#news #releases #observability
According to The State of Kubernetes Jobs in 2024 Q4 report by Kube Careers:
- The average salaries for Kubernetes-related jobs* are $139,056-$200,838 (for North America) and €66,176-€87,720 (Europe).
- 65% of the jobs allow some sort of remote work.
- The most popular technologies mentioned in the jobs are Docker (59%), PostgreSQL (18%), Kafka (17%), MySQL (11%), and Helm (9%).
- The most popular programming languages are Python (56%), Java (36%), JavaScript (34%), and Go (30%).
- The most popular CI/CD tools are Jenkins (35%), GitLab (28%), and GitHub Actions (11%).
- The most popular observability tools are Grafana (20%), Prometheus (19%), and Datadog (11%).
* Note that they include various roles, such as software engineers, DevOps engineers, platform engineers, etc.
#career
Like to experiment with various GUIs for Kubernetes or still looking for the most suitable option? Here’s a project to consider.
KubeUI is a Kubernetes UI featuring a tabbed interface for your desktop based on the Avalonia UI framework for .NET. It supports multi-monitor setups, works on Linux, macOS, and Windows, and allows you to:
- View, create, and edit Kubernetes resources in the YAML format;
- Work with CRDs;
- Filter resources by names and namespaces;
- View overall cluster stats and its events;
- Manage pods by viewing CPU/memory usage, console, logs, and configuring port-forwarding;
- Manage nodes by performing cordon and drain.
Language: C# | License: MIT | 163 ⭐️
▶️ GitHub repo
#tools #gui
Here comes our newest digest of the prominent software updates in the Cloud Native ecosystem!
1. Ratify, an artifact security metadata verification engine (a CNCF Sandbox project), released its v1.4.0, introducing revocation checking with Certificate Revocation List (CRL) support based on Notation libraries, more Notary Project trust policy attributes in the Helm chart, and a new authentication provider for the Alibaba Cloud RRSA Store.
2. Kmesh, a high-performance service mesh data plane based on eBPF (a CNCF Sandbox project), reached its v1.0 with numerous significant improvements. They include encrypted communication between nodes via IPsec, authorisation execution offloaded to XDP eBPF, locality load balancing capability, zero-downtime restart support for kernel-native mode, circuit breaking and rate limiting in kernel-native mode, and compatibility with Istio 1.24.
3. Prometheus (a CNCF Graduated project) released its v3.2.0, bringing various improvements in UTF-8 support (for rule names and for the targetLabel field in replace actions when relabeling), support for OTLP delta temporality in the OTLP endpoint, load balancer discovery for OpenStack Octavia, and a new too-long-scrape-interval linting option for promtool check config.
4. Backstage, a framework for building developer portals (a CNCF Incubating project), was updated to v1.36.0. Some of its highlights are: support for native ESM in Node.js code, the first version of Canon (a new UI Library designed for Backstage plugins and based on Base UI from MUI), a new auditor service for recording critical actions and events, a new template system in yarn new for defining your own templates in a declarative way, and new permissions for Kubernetes plugins restricting access to K8s clusters and resources.
5. Dex, an OIDC identity and OAuth 2.0 provider with pluggable connectors (a CNCF Sandbox project), released v2.42.0 with allowed localhost equivalent IP addresses, Discovery added to gRPC, support for Base64- and PEM-encoded certs, GitLab additional group with a role in GitLab connector, and other changes.
6. Flux (a CNCF Graduated project) announced v2.5.0. It brought health checks for custom resources in Kustomization API using Common Expression Language (CEL), GitHub app authentication for Git repositories, custom event metadata for notifications, filtering the declared resources via CEL expressions in the Receiver API, and a new flux debug command.
#news #releases
Here goes our latest bunch of interesting Kubernetes-related articles recently spotted online:
1. "My kubernetes pods keep crashing with CrashLoopBackOff but I can’t find any log" by Harold Finch.
When a Kubernetes pod goes into a CrashLoopBackOff state and you can't find any logs, it can be frustrating. Here’s a step-by-step troubleshooting guide to help identify and fix the issue.
2. "What we learned after running Airflow on Kubernetes for 2 years" by Alexandre Magno Lima Martins.
To put it in perspective, we have over 300 DAGs in production, running more than 5.000 tasks per day, on average. So I would say that we have a medium-size Airflow deployment, capable of delivering value for our users. For more than 8 months now we have been running without a single incident or failure in Airflow. With this post, I want to share important aspects of our deployment that helped us to achieve a scalable, and reliable environment.
3. "Falco" by Luc Juggery.
The following gives an overview of Falco, a security tool that provides runtime security across hosts, containers, Kubernetes, and cloud environments. [It covers:] Installing Falco, Enabling falcosidekick, Enabling falcosidekick web UI, and Custom events.
4. "Demo an Automated Canary Deployment on Kubernetes with Argo Rollouts, Istio, and Prometheus" by Whitney Lee, a CNCF Ambassador.
Building stuff is fun! Let’s use Argo Rollouts, Istio, and Prometheus to automate a canary deployment on Kubernetes! The application we’ll run is the Argo Rollouts Demo Application which does a great job of visualizing how traffic is slowly routed from the older, stable version of the application to the newer “canary” version.
5. "Getting Started with K3s: A Practical Guide to Setup and Scaling" by Joseph Whiteaker.
This post serves as both an introductory guide for those new to K3s and a quick reference for those already familiar with it. We’ll cover installation, adding server and worker nodes, configuring load balancing, etc…
6. "Kubernetes Control Plane Load Balancing (CPLB) Explained" by Juan Luis de Sousa-Valadas, Mirantis.
CPLB, with its evolution to a userspace reverse proxy load balancer, offers a simplified and more compatible approach compared to the previous IPVS-based system. When combined with k0s it is possible to build lightweight, but highly available Kubernetes clusters.
#articles
Kubescape became a CNCF incubating project
Created at ARMO, Kubescape is a security platform for Kubernetes that offers hardening, posture management, and runtime security capabilities. It scans clusters, YAML files, and Helm charts and detects various misconfigurations. In December 2022, CNCF accepted it as a Sandbox project; last month, the CNCF TOC voted to move it to the incubating level.
More details: official announcement; incubation issue.
#news #security #cncfprojects
Interesting charts from the official CNCF project metrics page:
1. The first one shows 27 new projects accepted to CNCF in 2024, the same number as in 2023 and fewer than in previous years (34-42 in 2020-2022).
2. The second one highlights a growing number of CNCF projects becoming archived: 8 in 2024, 2 in 2023, and no more than 1 per year in all the years before.
#news #cncfprojects
Managing GenAI workloads on Kubernetes is surely gaining momentum. If it piques your interest as well, consider this new Open Source project.
LLMariner is an extensible platform for hosting and managing LLMs on K8s. It consists of a control plane and worker planes, which can run in a single Kubernetes cluster or across multiple clusters. Some of the project’s highlights are:
- Support for various inference runtimes, including vLLM, Ollama, and Triton.
- Support for numerous models (Llama 3.1, Gemma, TinyLlama, DeepSeek Coder, Mistral, and more), as well as other models via HuggingFace.
- Works with Retrieval-Augmented Generation (RAG).
- Allows you to fine-tune models, run general-purpose training jobs, and run Jupyter Notebooks.
- User management via Dex and access control via organizations and projects.
- Integrates with Open WebUI and other tooling via OpenAI-compatible APIs.
Language: Go | License: Apache 2.0 | 53 ⭐️
▶️ GitHub repo
📢 Reddit announcement
#tools #genai
In January, the CNCF TOC accepted 13 Open Source projects to the CNCF Sandbox. We covered all of them in this post. Last week, another batch of 5 new projects was approved to join CNCF. Here they are:
1. interLink — an abstraction to execute a Kubernetes Pod on any remote resource that can manage the container execution lifecycle. It leverages the Virtual Kubelet technology to simplify the development of provider-specific plugins. [#343]
2. Cozystack — a PaaS platform and framework for building clouds with easily deployed Kubernetes clusters, Database-as-a-Service, virtual machines, load balancers, and more. [#322]
3. kgateway — a Kubernetes-native ingress controller and API gateway that is built on top of Envoy proxy and the Kubernetes Gateway API. As we mentioned, this project originates from Gloo Gateway. [#319]
4. KitOps — a packaging, versioning, and sharing system for AI/ML projects that is built upon the OCI standard and is Kubernetes-ready. [#313]
5. Hyperlight — a lightweight virtual machine manager library for safe execution of untrusted code within micro virtual machines in the applications. [#312]
Welcome aboard! 🤗
#news #cncfprojects