Kubernative by Palark | Kubernetes news and goodies
Brief news from KubeCon EU 2026 1. This is the biggest KubeCon ever, with ~13500 attendees (up 10% from last year). 2. KubeCon Europe 2027 will be in Barcelona (Mar 15-18), KubeCon NA 2027 in New Orleans (Nov 8-11), and KubeCon Europe 2028 in Berlin (Apr…
The kubernetes/ingress-nginx repository has finally been archived. It happened right on the KubeCon stage just a couple of hours ago.
P.S. Previously, we covered the recent ingress2gateway v1.0 release and some other related tools.
#news #networking
Notable CNCF projects’ news from KubeCon EU 2026
Red Hat donated llm-d to the CNCF Sandbox. This distributed inference serving stack optimised for Kubernetes was created a year ago, together with CoreWeave, IBM, Google, and NVIDIA.
Broadcom donated Velero to the CNCF Sandbox. This backup tool for Kubernetes was formerly known as Heptio Ark and originally created by Heptio, a startup acquired by VMware in 2018.
Tekton, a Kubernetes-native framework for creating continuous integration and delivery (CI/CD) systems, was moved from the CD Foundation to the CNCF as an Incubating project.
#news #cncfprojects
The documentary on Backstage is available
Yesterday, the latest documentary video about a CNCF project, “Backstage: From Spreadsheet to Standard”, landed on YouTube. It happened shortly after its premiere at KubeCon EU 2026.
In 32 minutes, this video tells the story of Backstage, from its origins at Spotify to the present day. It features interviews with Spotify employees and Backstage maintainers, including Pia Nilsson, Dave Zolotusky, Petter Måhlén, Tyson Singer, Jimmy Mårdel, Fredrik Adelöw, Ben Lambert, and others.
P.S. Previously, the following documentaries were released:
- “Kubernetes: The Documentary”: Part 1 (24:54) and Part 2 (31:18)
- “Prometheus: The Documentary” (27:00)
- “Inside Envoy: The Proxy for the Future” (31:49)
- “Inside Argo: Automating the Future” (32:15)
- “The Making of Flux”: The Origin (22:21), The Rewrite (44:57), The Scale (23:09), The Future (26:52).
#video #cncfprojects
Homelabs are a fun way for engineers to learn, experiment, and innovate. Sharing such setups can bring even more benefits to the wider community! Here’s one such repo you can try this weekend ;)
Homernetes is a Kubernetes cluster for a homelab based on Talos and Proxmox. It features an automated 8-step bootstrap to provision a cluster on bare metal using Terraform. What else does it have?
- GitOps-driven approach based on Argo CD;
- Preloaded randomly-generated passwords/secrets for all services with Vault;
- Networking with encryption and observability based on Cilium;
- Metrics and logs based on Prometheus, Grafana, and Loki;
- cert-manager to handle certificates, Harbor as a container registry, CNPG with PostgreSQL for internal services, and more.
▶️ GitHub repo
💬 Reddit announcement
License: GPL 3.0 | 142 ⭐️
#tools #IaC #gitops
We’re back online after a short break, and here comes our latest selection of interesting Kubernetes-related articles recently spotted online:
1. "Making Harbor production-ready: Essential considerations for deployment" by Dhruv Tyagi and Daniel Jiang, Broadcom.
While deploying Harbor is straightforward, making it production-ready requires careful consideration of several key aspects. This blog outlines critical factors to ensure your Harbor instance is robust, secure, and scalable for production environments.
2. "Kubernetes Strategic Merge Patch" by Brian Grant, ConfigHub.
If you’ve used Kubernetes kubectl apply, server-side apply, or kustomize, then you may have encountered the “strategic merge patch” feature. “Strategic merge patch” is a mouthful. What does it mean? In what sense is it “strategic”? Why does it exist?
3. "Containers Are Not Automatically Secure" by Luca Cavallin.
Containers changed how we package and ship software, but they did not rewrite the basic security rules. Trust boundaries, privilege, and attack surface are all still there. That's one of the things I learned while digging into container security, partly from Liz Rice's Container Security and partly from spending time with the Linux pieces underneath.
4. "How Reddit Migrated Petabyte-Scale Kafka from EC2 to Kubernetes" by Alex Xu.
The Reddit Engineering Team completed one of the most demanding infrastructure migrations in the company’s history. It moved its entire Apache Kafka fleet, comprising over 500 brokers and more than a petabyte of live data, from Amazon EC2 virtual machines onto Kubernetes. The migration was done with zero downtime and without asking a single client application to change how it connected to Kafka. In this article, we will look at the breakdown of this migration, the challenges the engineering team faced, and how they achieved their goal of a successful migration.
5. "Running Agents on Kubernetes with Agent Sandbox" by Janet Kuo and Justin Santa Barbara.
[..] as AI evolves from short-lived inference requests to long-running, autonomous agents, we are seeing the emergence of a new operational pattern. AI agents, by contrast, are typically isolated, stateful, singleton workloads. [..] SIG Apps is developing agent-sandbox. The project introduces a declarative, standardized API specifically tailored for singleton, stateful workloads like AI agent runtimes.
6. "A one-line Kubernetes fix that saved 600 hours a year" by Braxton Schafer, Cloudflare.
Every time we restarted Atlantis, the tool we use to plan and apply Terraform changes, we’d be stuck for 30 minutes waiting for it to come back up. No plans, no applies, no infrastructure changes for any repository managed by Atlantis. With roughly 100 restarts a month for credential rotations and onboarding, that added up to over 50 hours of blocked engineering time every month, and paged the on-call engineer every time. This was ultimately caused by a safe default in Kubernetes that had silently become a bottleneck as the persistent volume used by Atlantis grew to millions of files. Here’s how we tracked it down and fixed it with a one-line change.
#articles
Kubernetes v1.36 will be released in two weeks. The docs freeze for the related 65 KEPs came into effect less than 30 minutes ago. What are those new features? Learn from:
- “Kubernetes 1.36: Deep dive into new alpha features” (published yesterday by Palark) that covers 20 new features introduced in v1.36.
- “Kubernetes 1.36 – What you need to know” (published by Cloudsmith a month ago).
- The official “Kubernetes v1.36 Sneak Peek” that features the biggest deprecations and enhancements.
- The formal “Kubernetes v1.36 Release Information” page with the release schedule and other helpful links.
#articles #releases
KubeCon EU 2026 talks are now available
All videos from KubeCon + CloudNativeCon Europe 2026 have been uploaded to YouTube and are available for everyone interested. Find them in the following playlists:
- KubeCon + CloudNativeCon Europe 2026 (408 videos, including regular talks, keynotes, project lightning talks, Kubernetes SIGs’ updates, Cloud Native University, Data on Kubernetes Day, EnvoyCon, Istio Day, KubeVirt Summit, etc.);
- ArgoCon Europe 2026 (31 videos);
- FluxCon Europe 2026 (10 videos);
- Open Source SecurityCon 2026 (16 videos).
#video #events
Ever noticed that unused resources, such as Secrets and ServiceAccounts, might pile up in your Kubernetes cluster? There is a tool that removes them.
K8s cleaner is a controller that finds stale and unhealthy resources and removes or updates them. Here’s what it offers:
- Identifying various types of unused Kubernetes resources, including ready-to-use examples for ConfigMaps, Secrets, Roles/ClusterRoles, ServiceAccounts, PVs/PVCs, Deployments, and StatefulSets;
- Identifying resources based on annotations for maximum lifespan or expiration date;
- Using Lua scripts to define custom selection criteria;
- Scheduling the scans for finding and removing/updating unused resources;
- Notifications via emails, Slack, Discord, Teams, Telegram, etc.;
- Web UI showing existing issues, cleaners, and Lua scripts.
▶️ GitHub repo
Language: Go | License: Apache 2.0 | 755 ⭐️
#tools
Kubernetes updates its AI usage policy
Earlier this month, the Kubernetes Steering Committee announced an update to the project’s policy on the use of AI tools for contributors. While the policy allows AI-assisted contributions, it’s essential to follow a few rules when creating such PRs:
- There should always be a human who is responsible for understanding all the suggested changes. This author should reply to the reviewers’ comments personally, without engaging AI tools.
- AI tools shouldn’t be listed in commit sign-offs, specified as co-authors, or named in assisted-by/co-developed commit trailers. (Using this metadata leads to unwanted marketing behaviour.)
You can find the latest version of the updated Kubernetes AI policy at kubernetes.dev.
#news #genai
Kubernetes rewritten in Rust is not a joke anymore
There is a new project called Rusternetes, written by a single enthusiast (Chris Alfonso from Red Hat) with assistance from Claude. With 216k lines of Rust code implementing 31 controllers, 3.1k tests, and even its own Web dashboard, it’s quite an impressive effort. Moreover, the project claims to pass 90% of the conformance tests from the official Kubernetes e2e test suite. However, these numbers are challenged by the community (see the comments on LinkedIn here).
The project also opens a wide community debate over whether anyone might need this implementation for real-world workloads. Anyway, the author seems to have started Rusternetes out of his own research and curiosity.
#news #fun
Kubernetes 1.36 is released
The release was announced in the blog and nicknamed "Haru". It comes with 70 enhancements, 18 of which have graduated to stable (GA). They include fine-grained API authorisation, volume group snapshots, several DRA features, mutating admission policies, node log query, support for user namespaces, OCI volume source, and PSI (Pressure Stall Information) metrics based on cgroup v2.
Find more details about the changes introduced in Kubernetes 1.36 by following the links from our previous post.
#news #releases
Here comes our newest digest of the prominent software updates in the Cloud Native ecosystem!
1. Headlamp, a Kubernetes web UI developed within a Kubernetes SIG, released 0.41.0, adding rollback for several resources, cluster deletion in the browser, support for Traefik and other reverse proxies to handle auth, and MCP server support for plugins.
2. KubeVirt, implementing virtual machine management for Kubernetes (a CNCF Incubating project), reached its v1.8.0. New features include ContainerPath volumes (mapping container paths for VM storage), incremental backups with CBT (Changed Block Tracking), PCIe NUMA-aware topology placement for GPU, Hypervisor Abstraction Layer (enabling KubeVirt to integrate multiple hypervisor backends beyond KVM), and live updates to NAD references without VM restarts.
3. CloudNativePG, a platform designed to manage PostgreSQL in Kubernetes (a CNCF Sandbox project), released 1.29.0, which highlighted the integration of Image Catalogs with a new, dedicated ecosystem for PostgreSQL extensions via the postgres-extensions-containers project. It also introduced dynamic network access control via Pod selectors, shared ServiceAccount support, and granular TLS configuration for PgBouncer. Finally, the project started signing all its release artifacts and container images.
4. ExternalDNS, which synchronises exposed Kubernetes Services and Ingresses with DNS providers (a Kubernetes SIG project), released v0.21.0. This update added client flags for Kubernetes client rate limiting, a new unstructured source for DNS records, a new annotation to request a specific DNS record type for a source, improved Gateway API support, and more new features.
5. Kube-OVN, which integrates OVN-based network virtualisation with Kubernetes (a CNCF Sandbox project), was updated to v1.16.0. It brought provider-scoped policies for multi-network Pods in NetworkPolicy, IPv6 and dual-stack support in the MetalLB underlay integration, several improvements to VPC Egress Gateway (BGP and EVPN support, custom resources and bandwidth limits) and VPC NAT Gateway (user-defined annotations on NAT gateway, SNAT EIP to FIP EIP traffic).
6. kagent, a Kubernetes native framework for building AI agents (a CNCF Sandbox project), was updated to v0.9.0, which added agent sandbox support, UI for prompt templates, token exchange for model auth, and SAP AI Core as a new model provider.
7. Cozystack, a PaaS platform and framework for building clouds (a CNCF Sandbox project), released v1.3, featuring storage-aware scheduling via LINSTOR Extender, a GUI for LINSTOR, a new vm-default-images package for out-of-the-box VM provisioning, improved application observability, and a RestoreJob experience for backups in the dashboard.
#news #releases
Where do ingress-nginx users migrate?
According to a recent Reddit poll, Traefik and Envoy Gateway are the leading alternatives for those who previously relied on ingress-nginx in their production Kubernetes clusters. Other options (HAProxy, F5 NGINX, and Kong) got much fewer votes.
Among the other solutions mentioned in the comments, Kgateway and specific Envoy implementations (namely, in Istio and Cilium) got the most upvotes.
#networking
OpenTelemetry graduates, Microcks incubates
Two days ago, the CNCF TOC voted to graduate the OpenTelemetry project. Today, OpenTelemetry is used "at hundreds (potentially thousands) of organizations worldwide", with dozens of them listed here. It's also supported by major observability vendors, including Dash0, Datadog, Dynatrace, Grafana, Honeycomb, New Relic, Splunk, and many more.
A week ago, another CNCF project, Microcks, was officially moved to the Incubating status. Microcks is a tool for API mocking and testing. It was created by an individual in 2015 and accepted to the CNCF Sandbox in 2023. Its public adopters include Amadeus, Amway, BNP PARIBAS, Michelin, and Nordic Semiconductor.
#news #cncfprojects
This project is a Kubernetes operator that implements a so-called health-check platform.
Canary checker is a monitoring tool that includes 35+ ready-to-use health checks for various Kubernetes workloads. It works as a K8s operator that has no dependencies and offers:
- checks for popular protocols (HTTP, DNS, ICMP, TCP), databases (SQL-based, MongoDB, Redis, Elasticsearch), infrastructure components (such as Kubernetes resources and EC2 instances), file systems (NFS, S3, SMB), and more;
- alert aggregation from Prometheus, AWS CloudWatch, and Dynatrace;
- integration testing support for JMeter, JUnit, K6, Newman and Playwright;
- Prometheus exporter replacement with custom metrics from the check’s results;
- built-in Web dashboard displaying existing checks and their stats.
▶️ GitHub repo
Language: Go | License: Apache 2.0 | 326 ⭐️
#tools #observability
Sharing our latest selection of interesting Kubernetes-related articles recently spotted online:
#articles
1. "ingress-nginx to Envoy Gateway migration on CNCF internal services cluster" by Koray Oksay, CNCF/Kubermatic.
CNCF hosts a Kubernetes cluster to run some services for internal purposes [..] The migration from ingress-nginx to Envoy Gateway required careful attention to: certificate ownership and cross-namespace access; cloud load balancer integration (NodePort, health checks, externalTrafficPolicy); backend TLS configuration for services requiring HTTPS upstream connections.
2. "Duolingo's Kubernetes Leap" by Franka Passing, Duolingo.
Previously, the 500-plus backend services that I mentioned at the beginning are running on AWS ECS. We have some workloads that are running on different infrastructure, but for the mass majority, they're on ECS. That's what I'm going to be focusing on. We're going to be moving from ECS to EKS.
3. "How does the Kubernetes controller manager work?" by Daniele Polencic, LearnKube.
When you delete a Pod in a Deployment, Kubernetes creates a replacement. But who creates it? It's not the API server. The API server stores resources and notifies watchers, but it doesn't decide what should run. It's not the scheduler either. The scheduler assigns Pods to nodes, but it doesn't create them. The answer is a controller: a loop that watches for changes in the cluster and takes action to move the current state closer to the desired state.
4. "From Kubernetes Dev Setup to Production: What Actually Changes" by Georg Schwarz.
Moving towards a production deployment changed the operating model. Delivery moved to GitOps, secrets moved to SOPS, object storage moved outside the cluster, database backups became restore-tested, identity flows were customized, and observability gave us a baseline for operating the application. This article is not about how to deploy an app to Kubernetes. It walks through what had to change after it already ran there.
5. "Securing CI/CD for an open source project: lessons from Cilium" by André Martins and Feroz Salam, Isovalent at Cisco.
Cilium runs in the kernel-level networking path of millions of Kubernetes pods. If our supply chain were compromised, the blast radius would not be small. Hardening the project against that scenario is something we work on continuously, and we wanted to write down what we actually do, in detail. Most of what follows isn't Cilium-specific: any open source project running CI/CD on GitHub Actions can apply these patterns. We've also called out where we still fall short, in case any of it makes a useful starting point for someone else.
6. "Kubernetes is migrating from SPDY to WebSockets" by Henrique Cavarsan.
How Kubernetes is replacing SPDY with WebSockets for kubectl exec, attach, cp, and port-forward. I maintain an app that builds on top of Kubernetes port forwarding, so I track KEP-4006 because the streaming protocol underneath keeps changing.
7. "Back up and restore your Amazon EKS cluster resources using Velero" by Sapeksh Madan and Shalabh Srivastava, AWS.
In this post, you’ll learn to back up and restore Amazon EKS cluster resources and persistent volume data using Velero. You’ll deploy a sample stateful application, back it up, and restore it to a different namespace within the same cluster. Along the way, you’ll configure least-privilege AWS Identity and Access Management (AWS IAM) roles using Amazon EKS Pod Identity and scope Velero’s Kubernetes permissions with a custom ClusterRole.
#articles