Kubernative by Palark | Kubernetes news and goodies
News, articles, tools, and other useful cloud native stuff for DevOps, SRE and software engineers. This channel is managed by Palark GmbH. Contact @dshnow to suggest your content.
Kyverno became a CNCF Graduated project

Kyverno, a Kubernetes-native policy engine originally developed at Nirmata, has become the latest addition to the list of CNCF Graduated projects. About 6 hours ago, the CNCF Technical Oversight Committee completed the relevant voting process for this project.

Today’s Kyverno adopters include Vodafone, Deutsche Telekom, Saxo Bank, LinkedIn, Spotify, US DoD Platform One, OVHcloud, and many other well-known organisations worldwide.

#cncfprojects #news #security
The official Kubernetes image promoter was rewritten

registry.k8s.io is a production OCI registry service for Kubernetes' container image artifacts. Recently, the core system behind it was rewritten to improve performance and add new features (SLSA provenance attestation, vulnerability scanning, SBOM support), and the upgrade was performed seamlessly for users pulling container images from the registry.

Find more technical details about the issues that kpromo, the Kubernetes image promoter, had and how they were solved in this blog post.

#news
Cloud Native Rejekts live streams

KubeCon + CloudNativeCon Europe 2026 is around the corner, and today is the day of its b-side conference organised by the community, Cloud Native Rejekts. This year, it features talks in two rooms, and both of them are streamed online right now. You can watch them here:

- Cloud Native Rejekts EU 2026 Room 1
- Cloud Native Rejekts EU 2026 Room 2

The full event schedule is available here.

#events #video
Ingress2gateway 1.0

The Kubernetes SIG Network just announced the stable version of its official assistant that helps migrate from the soon-to-be-retired Ingress NGINX controller to Gateway API.

With this new release, the tool supports 30+ widely used annotations, covering headers, timeouts, redirects, rewrites, regex, CORS, backend TLS, and IP range control.

Find more details in this announcement and on GitHub.

#news #releases #networking
Here comes our latest digest of the prominent software updates in the Cloud Native ecosystem!

1. Cozystack, a PaaS platform and framework for building clouds (a CNCF Sandbox project), released v1.1 that introduced an OpenBao managed service for secret management, tiered storage pools support for SeaweedFS, a bucket user model with S3 login, and a configurable version selector for RabbitMQ instances.

2. Agentgateway, an agentic proxy for AI agents and MCP servers (a Linux Foundation project), has reached its v1.0.0, which was the first release entirely decoupled from Kgateway and highlighted the project's production readiness. This milestone also promoted the experimental XListenerSet API to the ListenerSet API, introduced the CEL 2.0 implementation, added support for Kubernetes Gateway API 1.5.0, autoscaling policies for the agentgateway controller, simplified LLM configuration, and prerouting-phase support for policies.

3. Backstage, a framework for building developer portals (a CNCF Incubating project), released v1.49.0 that introduced the v1.0 release candidate of the New Frontend System: newly created Backstage apps now use it by default. This update also brought several new additions in Backstage UI, the refactored Backstage CLI that became an extensible module system, a new auth CLI command group, a new predicate-based filtering system for the catalog entities, a new ToastApi for rich notifications, OpenAPI 3.1 support, and other new features.

4. Harbor (a CNCF Graduated project) was updated to v2.15.0, which added the tag deletion option in garbage collection, UI for upstream registry connection limit, OCI type support for JFrog registry, and several other improvements.

5. Argo CD (a CNCF Graduated project) announced its v3.4 Release Candidate, bringing pause reconciliation for a cluster, ApplicationSet cache synchronisation, glob patterns in the values files, annotation-based filtering, a new Operation Status filter, source Hydrator UI improvements, and other new features.

6. k8gb, a Cloud Native Kubernetes global balancer (a CNCF Sandbox project), released v0.19.0 with a strong focus on vendor neutrality thanks to a new vendor-neutral canonical API group and a switch to a new OCI registry and repository. This release also added Dynamic Zones support with the new cluster-scoped ZoneDelegation resource.

7. OpenChoreo, a developer platform for Kubernetes (a CNCF Sandbox project), released its first production-ready version, v1.0.0. It features a modular architecture, programmable control plane, Backstage-based console, and built-in observability.

#news #releases
Brief news from KubeCon EU 2026

1. This is the biggest KubeCon ever, with ~13500 attendees (up 10% from last year).
2. KubeCon Europe 2027 will be in Barcelona (Mar 15-18), KubeCon NA 2027 in New Orleans (Nov 8-11), and KubeCon Europe 2028 in Berlin (Apr 24-27).
3. New reports unveiled by the CNCF:
- CNCF Technology Radar on Workflow Orchestration, App Delivery and Security & Policy Management
- CNCF + SlashData State of Cloud Native Development Q1 2026

#events #news #reports
Notable CNCF projects’ news from KubeCon EU 2026

Red Hat donated llm-d to the CNCF Sandbox. This distributed inference serving stack optimised for Kubernetes was created a year ago, together with CoreWeave, IBM, Google, and NVIDIA.

Broadcom donated Velero to the CNCF Sandbox. This backup tool for Kubernetes was formerly known as Heptio Ark and originally created by Heptio, a startup acquired by VMware in 2018.

Tekton, a Kubernetes-native framework for creating continuous integration and delivery (CI/CD) systems, was moved from the CD Foundation to the CNCF as an Incubating project.

#news #cncfprojects
The documentary on Backstage is available

Yesterday, the latest documentary video about a CNCF project, “Backstage: From Spreadsheet to Standard”, landed on YouTube. It happened shortly after its premiere at KubeCon EU 2026.

In 32 minutes, this video tells the story of Backstage, from its origins at Spotify to modern days. It features interviews with Spotify employees and Backstage maintainers, including Pia Nilsson, Dave Zolotusky, Petter Måhlén, Tyson Singer, Jimmy Mårdel, Fredrik Adelöw, Ben Lambert, and others.

P.S. Previously, the following documentaries were released:

- “Kubernetes: The Documentary”: Part 1 (24:54) and Part 2 (31:18)
- “Prometheus: The Documentary” (27:00)
- “Inside Envoy: The Proxy for the Future” (31:49)
- “Inside Argo: Automating the Future” (32:15)
- “The Making of Flux”: The Origin (22:21), The Rewrite (44:57), The Scale (23:09), The Future (26:52).

#video #cncfprojects
Homelabs are a fun way for engineers to learn, experiment, and innovate. Sharing such setups can bring even more benefits to a wider community! Here’s one such repo you can try this weekend ;)

Homernetes is a Kubernetes cluster for a homelab based on Talos and Proxmox. It features an automated 8-step bootstrap to provision a cluster on bare metal using Terraform. What else does it have?

- GitOps-driven approach based on Argo CD;
- Preloaded randomly-generated passwords/secrets for all services with Vault;
- Networking with encryption and observability based on Cilium;
- Metrics and logs based on Prometheus, Grafana, and Loki;
- cert-manager to handle certificates, Harbor as container registry, CNPG with PostgreSQL used for internal services, and more.

▶️ GitHub repo
💬 Reddit announcement

License: GPL 3.0 | 142 ⭐️

#tools #IaC #gitops
We’re back online after a short break, and here comes our latest selection of interesting Kubernetes-related articles recently spotted online:

1. "Making Harbor production-ready: Essential considerations for deployment" by Dhruv Tyagi and Daniel Jiang, Broadcom.
While deploying Harbor is straightforward, making it production-ready requires careful consideration of several key aspects. This blog outlines critical factors to ensure your Harbor instance is robust, secure, and scalable for production environments.


2. "Kubernetes Strategic Merge Patch" by Brian Grant, ConfigHub.
If you’ve used Kubernetes kubectl apply, server-side apply, or kustomize, then you may have encountered the “strategic merge patch” feature. “Strategic merge patch” is a mouthful. What does it mean? In what sense is it “strategic”? Why does it exist?


3. "Containers Are Not Automatically Secure" by Luca Cavallin.
Containers changed how we package and ship software, but they did not rewrite the basic security rules. Trust boundaries, privilege, and attack surface are all still there. That's one of the things I learned while digging into container security, partly from Liz Rice's Container Security and partly from spending time with the Linux pieces underneath.


4. "How Reddit Migrated Petabyte-Scale Kafka from EC2 to Kubernetes" by Alex Xu.
The Reddit Engineering Team completed one of the most demanding infrastructure migrations in the company’s history. It moved its entire Apache Kafka fleet, comprising over 500 brokers and more than a petabyte of live data, from Amazon EC2 virtual machines onto Kubernetes. The migration was done with zero downtime and without asking a single client application to change how it connected to Kafka. In this article, we will look at the breakdown of this migration, the challenges the engineering team faced, and how they achieved their goal of a successful migration.


5. "Running Agents on Kubernetes with Agent Sandbox" by Janet Kuo and Justin Santa Barbara.
[..] as AI evolves from short-lived inference requests to long-running, autonomous agents, we are seeing the emergence of a new operational pattern. AI agents, by contrast, are typically isolated, stateful, singleton workloads. [..] SIG Apps is developing agent-sandbox. The project introduces a declarative, standardized API specifically tailored for singleton, stateful workloads like AI agent runtimes.


6. "A one-line Kubernetes fix that saved 600 hours a year" by Braxton Schafer, Cloudflare.
Every time we restarted Atlantis, the tool we use to plan and apply Terraform changes, we’d be stuck for 30 minutes waiting for it to come back up. No plans, no applies, no infrastructure changes for any repository managed by Atlantis. With roughly 100 restarts a month for credential rotations and onboarding, that added up to over 50 hours of blocked engineering time every month, and paged the on-call engineer every time. This was ultimately caused by a safe default in Kubernetes that had silently become a bottleneck as the persistent volume used by Atlantis grew to millions of files. Here’s how we tracked it down and fixed it with a one-line change.


#articles
Kubernetes v1.36 will be released in two weeks. The docs freeze for the related 65 KEPs came into effect less than 30 minutes ago. What are those new features? Learn from:

- “Kubernetes 1.36: Deep dive into new alpha features” (published yesterday by Palark) that covers 20 new features introduced in v1.36.
- “Kubernetes 1.36 – What you need to know” (published by Cloudsmith a month ago).
- The official “Kubernetes v1.36 Sneak Peek” that features the biggest deprecations and enhancements.
- The formal “Kubernetes v1.36 Release Information” page with the release schedule and other helpful links.

#articles #releases
KubeCon EU 2026 talks are now available

All videos from KubeCon + CloudNativeCon Europe 2026 have been uploaded to YouTube and are available for everyone interested. Find them in the following playlists:

- KubeCon + CloudNativeCon Europe 2026 (408 videos, including regular talks, keynotes, project lightning talks, Kubernetes SIGs’ updates, Cloud Native University, Data on Kubernetes Day, EnvoyCon, Istio Day, KubeVirt Summit, etc.);
- ArgoCon Europe 2026 (31 videos);
- FluxCon Europe 2026 (10 videos);
- Open Source SecurityCon 2026 (16 videos).

#video #events
Ever noticed that unused resources, such as Secrets and ServiceAccounts, might pile up in your Kubernetes cluster? There is a tool that removes them.

K8s cleaner is a controller that finds stale and unhealthy resources and removes or updates them. Here’s what it offers:

- Identifying various types of unused Kubernetes resources, including ready-to-use examples for ConfigMaps, Secrets, Roles/ClusterRoles, ServiceAccounts, PVs/PVCs, Deployments, and StatefulSets;
- Identifying resources based on annotations for maximum lifespan or expiration date;
- Using Lua scripts to define custom selection criteria;
- Scheduling the scans for finding and removing/updating unused resources;
- Notifications via emails, Slack, Discord, Teams, Telegram, etc.;
- Web UI showing existing issues, cleaners, and Lua scripts.

▶️ GitHub repo

Language: Go | License: Apache 2.0 | 755 ⭐️

#tools