Here comes our newest digest of the prominent software updates in the Cloud Native ecosystem!
Release Spotlight: Cilium 1.17.0
Last week, a new Cilium release arrived: 1.17.0, accumulating an impressive 2700+ commits. They resulted in many changes in the project, improving its networking, security, and observability features, as well as scalability.
Some highlights of this release are: protocol differentiation (UDP, TCP) for services, per-service load balancing algorithm selection, a Multi-Cluster Service API controller, Pod-level networking QoS classes support, improved network policy performance, the ability to select CIDRs by labels, static addresses for gateways, dynamic Hubble metrics and numerous new metrics, rate limiting of eBPF events to cap CPU usage, and Gateway API 1.2.1 support.
Other noticeable updates in the Cloud Native space:
1. KubeArmor, a Cloud Native runtime security enforcement system (a CNCF Sandbox project), released its v1.5.0 (and subsequent v1.5.x fixes) with several new features. They include support for rules for the SCTP protocol, for all protocols with raw network sockets/domains, and for specifying "protocol: all" in network rules, configurable Docker imagePullSecrets, and special preset rules to handle fileless process execution.
2. Skaffold, a CLI tool for continuous development of applications for Kubernetes, has introduced v2.14.0 (and the subsequent v2.14.1 fix), bringing various updates. It got Helm dependencies and concurrency support, faster helm install (by using goroutines), optimised Kaniko builds (by using compression) and imagePullSecret support in Kaniko, as well as a new GCS (Google Cloud Storage) client.
3. External Secrets Operator, a Kubernetes operator that integrates external secret management systems (a CNCF Sandbox project), reached v0.14.0 (and subsequent v0.14.x fixes), introducing stateful generators, with a new Grafana ServiceAccounts generator as its first implementation. Now, ESO can manage user or system accounts for database systems, message brokers, managed service providers, etc.
4. Falco Talon, a no-code solution for a customisable response engine working with Falco (a CNCF Graduated project), was updated to v0.3.0. It features a new actionner called kubernetes:sysdig: when a suspicious event occurs in a Pod, Talon triggers a capture and exports the created artifact to AWS S3 or MinIO, which you can later explore via the sysdig CLI tool.
5. Crossplane, a framework for building Cloud Native control planes (a CNCF Incubating project), released v1.19.0 just yesterday. It comes with the Usage API and Claim server-side apply promoted to Beta (enabled by default now), customisable ports for Crossplane, an auto-downgrading feature for packages in the automatic dependency management (Alpha), support for private repositories in the CLI commands that download Crossplane packages (render, validate), and an API promotion policy.
#news #releases
Have you heard of kgateway? 🤔
It’s a new name for the Gloo Gateway Open Source project. Gloo Gateway is a flexible Kubernetes-native ingress controller and API gateway built on top of Envoy proxy and the Kubernetes Gateway API. Solo.io, the company behind it, decided to make it an independent project by introducing vendor-neutral governance, renaming it, and donating it to the CNCF.
Find more details about kgateway and its future in the CNCF blog, related CNCF Sandbox application request, and new GitHub repo.
#news #tools #networking #cncfprojects
Here goes our latest bunch of interesting Kubernetes-related articles recently spotted online:
1. "Standardizing App Delivery with Flux and Generic Helm Charts" by Stefan Prodan, ControlPlane.
In this guide we will explore how Flux can be used to standardize the lifecycle management of applications by leveraging the Generic Helm Chart pattern. The big promise of this pattern is that it should reduce the cognitive load on developers, as they only need to focus on the service-specific configuration, while the Generic Helm Chart shields them from the complexity of the Kubernetes API.
2. "The 100 Million Pod Mesh" by John Howard, Solo.io.
In this test, we deploy 100 million pods across 2,000 clusters, proving it can handle extreme scale with minimal resources, near-instant updates, and no manual tuning, resulting in effortless scalability and cost efficiency for enterprises.
3. "The AI Model Showdown – LLaMA 3.3-70B vs. Claude 3.5 Sonnet v2 vs. DeepSeek-R1/V3" by Itiel Shwartz, Komodor.
We tested DeepSeek’s models head-to-head against industry leaders in solving real-world Kubernetes challenges. The results were nothing short of fascinating and quite revealing, particularly regarding DeepSeek’s current capabilities in production environments.
4. "Simplifying Ingress Resource on AWS EKS: A Guide to AWS Load Balancer Controller" by Kenny Ang.
In this article, we will explore the AWS LBC and understand how it works (and doesn’t). To achieve this, I will walk you through installing the AWS LBC on an EKS cluster and observe the behavior after creating an ingress resource.
5. "Managing Secrets at Scale: Why We Chose SOPS for Terraform and Kubernetes Secrets" by Teodor J. Podobnik.
From SSH keys and Kubernetes Secrets to GitHub tokens and API credentials, keeping these secrets secure was vital to our product’s security and compliance. So we looked into several solutions like HashiCorp Vault, SealedSecrets and GCP Secret Manager but none fully met our needs.
6. "EKS vs. GKE Networking" by Jason Umiker.
I find that some of the biggest differences between EKS and GKE (as well as the underlying AWS and GCP) are in their differing approaches to networking. So, this is at the heart of any true comparison of the two services.
#articles
Promtail is now deprecated
Last week, Grafana Loki 3.4 was announced. This release's highlights included “Promtail merged into Alloy”:
- Promtail is a lightweight agent shipping logs to Grafana Loki.
- Grafana Alloy is a distribution of the OpenTelemetry Collector with built-in Prometheus pipelines and support for metrics, logs, traces, and profiles.
- Merging Promtail into Alloy means the former is officially declared deprecated. The project will reach its EOL on March 2, 2026. A guide on migrating from Promtail to Grafana Alloy is available.
#news #releases #observability
According to The State of Kubernetes Jobs in 2024 Q4 report by Kube Careers:
- The average salaries for Kubernetes-related jobs* are $139,056-$200,838 (for North America) and €66,176-€87,720 (Europe).
- 65% of the jobs allow some sort of remote work.
- The most popular technologies mentioned in the jobs are Docker (59%), PostgreSQL (18%), Kafka (17%), MySQL (11%), and Helm (9%).
- The most popular programming languages are Python (56%), Java (36%), JavaScript (34%), and Go (30%).
- The most popular CI/CD tools are Jenkins (35%), GitLab (28%), and GitHub Actions (11%).
- The most popular observability tools are Grafana (20%), Prometheus (19%), and Datadog (11%).
* Note that they include various roles, such as software engineers, DevOps engineers, platform engineers, etc.
#career
Like to experiment with various GUIs for Kubernetes or still looking for the most suitable option? Here’s a project to consider.
KubeUI is a Kubernetes UI featuring a tabbed interface for your desktop based on the Avalonia UI framework for .NET. It supports multi-monitor setups, works on Linux, macOS, and Windows, and allows you to:
- View, create, and edit Kubernetes resources in the YAML format;
- Work with CRDs;
- Filter resources by names and namespaces;
- View overall cluster stats and its events;
- Manage pods by viewing CPU/memory usage, console, logs, and configuring port-forwarding;
- Manage nodes by performing cordon and drain.
Language: C# | License: MIT | 163 ⭐️
▶️ GitHub repo
#tools #gui
Here comes our newest digest of the prominent software updates in the Cloud Native ecosystem!
1. Ratify, an artifact security metadata verification engine (a CNCF Sandbox project), released its v1.4.0, introducing revocation checking with Certificate Revocation List (CRL) support based on Notation libraries, more Notary Project trust policy attributes in the Helm chart, and a new authentication provider for the Alibaba Cloud RRSA Store.
2. Kmesh, a high-performance service mesh data plane based on eBPF (a CNCF Sandbox project), reached its v1.0 with numerous significant improvements. They include encrypted communication between nodes via IPsec, authorisation execution offloaded to XDP eBPF, a locality load balancing capability, zero-downtime restart support for kernel-native mode, circuit breaking and rate limiting in kernel-native mode, and compatibility with Istio 1.24.
3. Prometheus (a CNCF Graduated project) released its v3.2.0, bringing various improvements in UTF-8 support (for rule names and for the targetLabel field in replace actions when relabeling), support for OTLP delta temporality in the OTLP endpoint, load balancer discovery for OpenStack Octavia, and a new too-long-scrape-interval linting option for promtool check config.
4. Backstage, a framework for building developer portals (a CNCF Incubating project), was updated to v1.36.0. Some of its highlights are: support for native ESM in Node.js code, the first version of Canon (a new UI library designed for Backstage plugins and based on Base UI from MUI), a new auditor service for recording critical actions and events, a new template system in yarn new for defining your own templates in a declarative way, and new permissions for Kubernetes plugins restricting access to K8s clusters and resources.
5. Dex, an OIDC identity and OAuth 2.0 provider with pluggable connectors (a CNCF Sandbox project), released v2.42.0, allowing localhost-equivalent IP addresses, adding Discovery to gRPC, supporting Base64- and PEM-encoded certs, adding a GitLab additional group with a role in the GitLab connector, and other changes.
6. Flux (a CNCF Graduated project) announced v2.5.0. It brought health checks for custom resources in the Kustomization API using Common Expression Language (CEL), GitHub App authentication for Git repositories, custom event metadata for notifications, filtering of the declared resources via CEL expressions in the Receiver API, and a new flux debug command.
#news #releases
Here goes our latest bunch of interesting Kubernetes-related articles recently spotted online:
1. "My kubernetes pods keep crashing with CrashLoopBackOff but I can’t find any log" by Harold Finch.
When a Kubernetes pod goes into a CrashLoopBackOff state and you can't find any logs, it can be frustrating. Here’s a step-by-step troubleshooting guide to help identify and fix the issue.
2. "What we learned after running Airflow on Kubernetes for 2 years" by Alexandre Magno Lima Martins.
To put it in perspective, we have over 300 DAGs in production, running more than 5.000 tasks per day, on average. So I would say that we have a medium-size Airflow deployment, capable of delivering value for our users. For more than 8 months now we have been running without a single incident or failure in Airflow. With this post, I want to share important aspects of our deployment that helped us to achieve a scalable, and reliable environment.
3. "Falco" by Luc Juggery.
The following gives an overview of Falco, a security tool that provides runtime security across hosts, containers, Kubernetes, and cloud environments. [It covers:] Installing Falco, Enabling falcosidekick, Enabling falcosidekick web UI, and Custom events.
4. "Demo an Automated Canary Deployment on Kubernetes with Argo Rollouts, Istio, and Prometheus" by Whitney Lee, a CNCF Ambassador.
Building stuff is fun! Let’s use Argo Rollouts, Istio, and Prometheus to automate a canary deployment on Kubernetes! The application we’ll run is the Argo Rollouts Demo Application which does a great job of visualizing how traffic is slowly routed from the older, stable version of the application to the newer “canary” version.
5. "Getting Started with K3s: A Practical Guide to Setup and Scaling" by Joseph Whiteaker.
This post serves as both an introductory guide for those new to K3s and a quick reference for those already familiar with it. We’ll cover installation, adding server and worker nodes, configuring load balancing, etc…
6. "Kubernetes Control Plane Load Balancing (CPLB) Explained" by Juan Luis de Sousa-Valadas, Mirantis.
CPLB, with its evolution to a userspace reverse proxy load balancer, offers a simplified and more compatible approach compared to the previous IPVS-based system. When combined with k0s it is possible to build lightweight, but highly available Kubernetes clusters.
#articles
Kubescape became a CNCF incubating project
Created by ARMO, Kubescape is a security platform for Kubernetes that offers hardening, posture management, and runtime security capabilities. It scans clusters, YAML files, and Helm charts and detects various misconfigurations. In December 2022, CNCF accepted it as a Sandbox project; last month, the CNCF TOC voted to move it to the incubating level.
More details: official announcement; incubation issue.
#news #security #cncfprojects
Interesting charts from the official CNCF project metrics page:
1. The first one shows 27 new projects accepted to CNCF in 2024, the same amount as in 2023 and less than in previous years (34-42 in 2020-2022).
2. The second one highlights a growing number of CNCF projects becoming archived: 8 in 2024, 2 in 2023, and not more than 1 per year throughout all years before.
#news #cncfprojects
Managing GenAI workloads on Kubernetes is surely gaining momentum. If it piques your interest as well, consider this new Open Source project.
LLMariner is an extensible platform for hosting and managing LLMs on K8s. It consists of a control plane and worker planes, which can be run in a single or across multiple Kubernetes clusters. Some of the project’s highlights are:
- Support for various inference runtimes, including vLLM, Ollama, and Triton.
- Support for numerous models (Llama 3.1, Gemma, TinyLlama, DeepSeek Coder, Mistral, and more), as well as other models via HuggingFace.
- Works with Retrieval-Augmented Generation (RAG).
- Allows you to fine-tune models, run general-purpose training jobs, and run Jupyter Notebooks.
- User management via Dex and access control via organizations and projects.
- Integrates with Open WebUI and other tooling via OpenAI-compatible APIs.
Language: Go | License: Apache 2.0 | 53 ⭐️
▶️ GitHub repo
📢 Reddit announcement
#tools #genai
In January, the CNCF TOC accepted 13 Open Source projects to the CNCF Sandbox. We covered all of them in this post. Last week, another batch of 5 new projects was approved to join CNCF. Here they are:
1. interLink — an abstraction to execute a Kubernetes Pod on any remote resource that can manage the container execution lifecycle. It leverages the Virtual Kubelet technology to simplify the development of provider-specific plugins. [#343]
2. Cozystack — a PaaS platform and framework for building clouds with easily deployed Kubernetes clusters, Database-as-a-Service, virtual machines, load balancers, and more. [#322]
3. kgateway — a Kubernetes-native ingress controller and API gateway that is built on top of Envoy proxy and the Kubernetes Gateway API. As we mentioned, this project originates from Gloo Gateway. [#319]
4. KitOps — a packaging, versioning, and sharing system for AI/ML projects that is built upon the OCI standard and is Kubernetes-ready. [#313]
5. Hyperlight — a lightweight virtual machine manager library for safe execution of untrusted code within micro virtual machines in the applications. [#312]
Welcome aboard! 🤗
#news #cncfprojects
Here comes our newest digest of the prominent software updates in the Cloud Native ecosystem!
1. Semaphore, a CI/CD platform, released v1 of its CE (Community Edition), which went Open Source with this release. You can run it on Kubernetes clusters, and it offers numerous features, such as fast builds and deployments, parallel execution, a visual editor, artifacts, self-hosted agents, GitHub and BitBucket support, Slack and webhook notifications, and more.
2. Dapr, a serverless, event-driven runtime for building distributed apps (a CNCF Incubating project), announced 1.15 with numerous updates. These include a stable Workflow engine for writing long-running stateful apps, a rewritten Actor runtime engine, a stable Scheduler service, a new Conversation API to talk to LLM providers (alpha), and a bunch of SDK improvements.
3. Envoy (a CNCF Graduated project) has announced the first version of Envoy AI Gateway — v0.1. This project leverages Envoy Gateway to handle request traffic from application clients to GenAI services through a unified API while managing authorization, cost control, and scalability.
4. Hyperlight, a lightweight virtual machine manager (it became a CNCF Sandbox project just recently), reached its v0.2.0, which added support for Azure Linux 3 and support for Hyperlight KVM guest debugging using gdb, as well as removed custom alloca (in favour of Clang built-in alloca).
5. Istio (a CNCF Graduated project) released its 1.25, featuring DNS proxying by default for ambient mode, default deny policy for waypoints, and zonal routing enhancements.
6. Shipwright, a framework for building container images on Kubernetes (a CNCF Sandbox project), was updated to v0.15. This release allows you to control which nodes a build can run on, tolerate node taints for builds, and use custom Pod schedulers.
#news #releases
Yesterday, Solo.io announced its new Open Source project called kagent. It is a Kubernetes-native framework for DevOps and platform engineers to build and run AI agents that will automate configuration, troubleshooting, and other similar tasks.
kagent uses custom resources to define the AI agents and tools used by those agents, and offers CLI and web UI to manage them. The project also boasts the tools registry, where you can find predefined functions for interacting with Kubernetes, Prometheus, Istio, Argo, Helm, and other projects.
The tool is written in Python, based on the AutoGen framework, and licensed under the Apache 2.0 license. The authors plan to donate the project to the CNCF. Learn more about kagent on its website, GitHub, and in this announcement.
#news #tools #genai
If you’re wondering which Kubernetes features were introduced/stabilised/deprecated/removed in which K8s versions, this new online resource is extremely useful. Using Kaniuse, you can navigate through 370+ K8s features and see their status in Kubernetes 1.19-1.33, as well as see the difference in their status between any two specific releases.
#news
Here goes our latest selection of interesting Kubernetes-related articles recently spotted online:
1. "Securing the Kubernetes Host Operating System" by Rafael Natali.
If the host operating system is breached, the attacker could use it to target other nodes in the cluster, along with all the Pods and applications running on that node. Eventually, the attacker can even access other systems in your network! The next subsections contain the information necessary to secure the host operating system.
2. "Every pod eviction in Kubernetes, explained" by Ahmet Alp Balkan.
There are so many ways Kubernetes terminates workloads, each with a non-trivial (and not always predictable) machinery, and there’s no page that lists out all eviction modes in one place. This article will dig into Kubernetes internals to walk you through all the eviction paths that can terminate your Pods, and why “kubelet restarts don’t impact running workloads” isn’t always true, and finally I’ll leave you with a cheatsheet at the end.
3. "WebAssembly on Kubernetes" by Nicolas Fränkel.
In this post, I showed how to use WebAssembly on Kubernetes with the WasmEdge runtime. I created three flavors for comparison purposes: native, embed, and runtime. The first two are "regular" Docker images, while the latter contains only a single Wasm file, which makes it very lightweight and secure.
4. "Yoke is really cool" by Xe Iaso.
With Yoke, you write your infrastructure definitions in Go or Rust, compile them to WebAssembly, and then you take input and output Kubernetes manifests that get applied to the cluster. [..] One of the big advantages of using WebAssembly here is that you can use the same Kubernetes manifest types that Kubernetes itself uses. This means you don't have to write your own types and you can reuse code aggressively.
5. "Exploring Cloud Native projects in CNCF Sandbox. Part 3: 14 arrivals of 2024 H1" by Dmitry Shurupov, Palark.
We’re continuing this series with our brief introductions to the projects added to the Sandbox in April, June, and July of 2024: Radius, Stacker, Score, Bank-Vaults, TrestleGRC, bpfman, Koordinator, KubeSlice, Atlantis, Kubean, Connect, Kairos, Kuadrant, and openGemini.
6. "How to Setup Preview Environments with FluxCD in Kubernetes" by Meysam Azad.
A preview environment is where you see a live state of your changes from your pull request before being merged into the default branch. It gives you a look and feel of what it would be like if you merged your changes. [..] in this blog post, I will show you how to achieve this using FluxCD Operator.
7. "Container Network Interface (CNI) in Kubernetes: An Introduction" by Homayoon (Hue) Alimohammadi.
In this article, we’re gonna learn about the Container Network Interface (CNI) and CNI plugins, what they’re supposed to do, and how they’re implemented. We’ll also see a simple CNI implementation in Go and Bash, and test it in a Canonical Kubernetes cluster.
#articles
JobSet is a Kubernetes SIG project that provides a unified API for large-scale distributed HPC and ML workloads on Kubernetes. It models a distributed batch workload as a group of Kubernetes Jobs and uses the ReplicatedJob abstraction to manage the child Jobs. The project is still in alpha.
Find more details about JobSet in this recent announcement and on GitHub.
#news #tools
Many Kubernetes users liked Lens (or even still do). After it stopped being Open Source and Lens ID was introduced, many switched to OpenLens. Unfortunately, that fork did not last long and hasn’t issued any releases since July 2023. However, there turned out to be another fork, which is currently active: Freelens.
This project started around January this year, released its v1.0.0 in February, and released v1.1.0 just five days ago. Today, Freelens:
- is fully compatible with the latest Kubernetes version (1.32);
- comes with kubectl v1.32.3 and Helm v3.17.2;
- is based on Electron 34.3.3 with Node 20.18.3 and Chrome 132.0.6834.210;
- requires GNU C Library 2.34+ for Linux (e.g. Debian 12, Ubuntu 22.04, Fedora 35, openSUSE Leap 15.4), macOS 11+ or Windows 10+ to run.
Language: TypeScript | License: MIT | 607 ⭐️
▶️ GitHub repo
#news #tools #gui
Don’t miss the news about five recent critical vulnerabilities in ingress-nginx, including CVE-2025-1974 with a CVSS score of 9.8!
The Kubernetes blog post states that over 40% of Kubernetes administrators rely on ingress-nginx and should take action immediately. Otherwise, an unauthenticated malicious user can take over your Kubernetes cluster by exploiting configuration injection vulnerabilities via the Validating Admission Controller.
The latest ingress-nginx releases, v1.12.1 and v1.11.5, are already available with all five vulnerabilities fixed.
Find more details in this post from the Kubernetes Security Response Committee and this detailed article from Wiz.
#news #security
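A quick check a cluster operator can run for this advisory, added here as an example; it is not code from the digest, the Kubernetes project or ingress-nginx. It classifies ingress-nginx controller image tags against the fixed releases named above (v1.12.1 on the 1.12 line, v1.11.5 on the 1.11 line). It assumes that release lines newer than 1.12 carry the fix, that lines older than 1.11 received no fixed release, and that controller Pods carry the `app.kubernetes.io/name=ingress-nginx` and `app.kubernetes.io/component=controller` labels set by the upstream manifests and Helm chart; the sample image references are constructed.

```shell
#!/bin/sh
# Added example, not code from the digest, the Kubernetes project or ingress-nginx.
# Reports whether an ingress-nginx controller image is at or above the fixed
# releases named in the post: v1.12.1 (1.12 line) and v1.11.5 (1.11 line).
# Assumptions: release lines newer than 1.12 include the fix; lines older than
# 1.11 received no fixed release; pre-release builds are never treated as fixed.

# is_fixed TAG -> exit status 0 when TAG is a fixed release, 1 otherwise.
is_fixed() {
  tag="${1#v}"                               # v1.12.1 -> 1.12.1
  case "$tag" in
    *-*) return 1 ;;                         # -rc1 and similar: not a fixed release
    ""|*[!0-9.]*|*.*.*.*) return 1 ;;        # empty, non-numeric, or too many fields
    *.*.*) ;;                                # MAJOR.MINOR.PATCH as expected
    *) return 1 ;;                           # "latest", "1.12", etc.
  esac
  major="${tag%%.*}"
  rest="${tag#*.}"
  minor="${rest%%.*}"
  patch="${rest#*.}"
  [ -n "$major" ] && [ -n "$minor" ] && [ -n "$patch" ] || return 1
  if [ "$major" -gt 1 ]; then return 0; fi
  if [ "$major" -lt 1 ]; then return 1; fi
  if [ "$minor" -ge 13 ]; then return 0; fi  # assumption: newer lines carry the fix
  if [ "$minor" -eq 12 ] && [ "$patch" -ge 1 ]; then return 0; fi
  if [ "$minor" -eq 11 ] && [ "$patch" -ge 5 ]; then return 0; fi
  return 1                                   # 1.10 and older: no fixed release
}

# image_tag IMAGE -> prints the tag of an image reference, ignoring any
# @sha256:... digest and any registry port; prints "latest" when no tag is
# present (digest-only references therefore land in the UPGRADE bucket for review).
image_tag() {
  ref="${1%%@*}"                             # strip the digest, if any
  name="${ref##*/}"                          # last path component, e.g. controller:v1.12.1
  case "$name" in
    *:*) printf '%s\n' "${name##*:}" ;;
    *)   printf 'latest\n' ;;
  esac
}

# check_image IMAGE -> prints a verdict line; exit status 0 only when patched.
check_image() {
  if is_fixed "$(image_tag "$1")"; then
    printf 'PATCHED   %s\n' "$1"
    return 0
  fi
  printf 'UPGRADE   %s\n' "$1"
  return 1
}

# check_cluster -> inspects the live cluster with kubectl. The Pod labels are
# the ones set by the upstream ingress-nginx manifests and Helm chart (assumption).
check_cluster() {
  kubectl get pods -A \
    -l app.kubernetes.io/name=ingress-nginx,app.kubernetes.io/component=controller \
    -o jsonpath='{range .items[*]}{range .spec.containers[*]}{.image}{"\n"}{end}{end}' |
  sort -u |
  while read -r image; do
    if [ -n "$image" ]; then check_image "$image" || :; fi
  done
}

# Constructed sample image references (not taken from any real cluster), used
# when the script is run without --cluster.
SAMPLE_IMAGES='registry.k8s.io/ingress-nginx/controller:v1.12.1
registry.k8s.io/ingress-nginx/controller:v1.11.4
registry.k8s.io/ingress-nginx/controller:v1.10.0'

if [ "${1:-}" = "--cluster" ]; then
  check_cluster
else
  printf '%s\n' "$SAMPLE_IMAGES" | while read -r image; do
    check_image "$image" || :
  done
fi
```

Run it with `--cluster` against a kubeconfig you have read access with; without arguments it only classifies the constructed sample list. A PATCHED verdict covers the five fixes the post refers to, but not the other mitigation the Kubernetes post discusses, so treat the output as a version inventory rather than a full posture check.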
The next Kubernetes release, v1.33, will become available in a month; it is currently scheduled for 23 April. The project’s blog has published an early “sneak peek” of some changes we can expect once it’s out.
In particular, it mentions that Linux user namespaces for Pods are becoming stable, ordered namespace deletion is being introduced, and in-place resource resizing for vertical Pod scaling is moving to beta. Find more details in this post.
#news