Gazal hinted at a 40% reduction in compute capacity when combining Bottlerocket OS and Karpenter (and 30% lower response times).
This and more on the new episode of the KubeFM podcast with Bart Farrell!
👉 https://kube.fm/gazal-eks-bottlerocket-karpenter
Are logs enough to troubleshoot your deployment and infrastructure?
Perhaps — but there's a better way to observe, monitor and debug your stack: embracing observability
This and more in this episode of KubeFM with Bart & Adriana
👉 https://kube.fm/adriana-hannah-unpacking-o11y
How do you upgrade a Kubernetes cluster to the latest release without breaking anything?
And what if you had to upgrade hundreds of clusters simultaneously?
In this episode, Pierre explains the process, tooling and testing strategy in upgrading clusters at scale.
You will learn:
- How the team at Qovery keeps updated with the latest (vanilla) Kubernetes changes and managed services changelogs.
- How to upgrade Helm charts gradually and safely. Pierre has some tips for Custom Resource Definitions (CRDs).
- How to test API deprecations with end-to-end testing.
- How to automate the process of upgrading clusters.
You will also learn from Pierre's experience in managing stateful applications in Kubernetes with 4500 nodes on bare metal.
Watch it here: https://kube.fm/upgrading-100s-clusters-pierre
Listen on:
- Apple Podcast https://kube.fm/apple
- Spotify https://kube.fm/spotify
- Amazon Music https://kube.fm/amazon
- Overcast https://kube.fm/overcast
- Pocket casts https://kube.fm/pocket-casts
"The key to managing Kubernetes clusters at scale is tooling."
Learn how Pierre and the team at Qovery manage hundreds of cluster upgrades for every Kubernetes release and Helm chart in this KubeFM episode.
Watch it here: https://kube.fm/upgrading-100s-clusters-pierre
Listen on:
- Apple Podcast https://kube.fm/apple
- Spotify https://kube.fm/spotify
- Amazon Music https://kube.fm/amazon
- Overcast https://kube.fm/overcast
- Pocket casts https://kube.fm/pocket-casts
What does it take to build a Kubernetes cluster on bare metal?
In this episode of KubeFM, you will learn how to plan and execute a successful setup for a bare-metal Kubernetes cluster.
You will follow Mathias' journey as he rebuilt his cluster several times and learn how to:
- Identify dependencies and priorities between components to avoid incidents in the future.
- Leverage FluxCD to have a predictable and documented setup.
- Secure the nodes from external traffic with firewalls and Cilium cluster-wide network policies.
- Use Talos to have a self-contained Kubernetes operating system.
Mathias also shared tips and advice for other engineers embarking on the same process.
Watch it here: https://kube.fm/bare-metal-kubernetes-mathias
Listen on:
- Apple Podcast https://kube.fm/apple
- Spotify https://kube.fm/spotify
- Amazon Music https://kube.fm/amazon
- Overcast https://kube.fm/overcast
- Pocket casts https://kube.fm/pocket-casts
- Deezer https://kube.fm/deezer
By default, Kubernetes Secrets are not encrypted; values are merely base64 encoded.
And this is fine — at least, this is what Mac argues in this episode of KubeFM.
Mac says it all comes down to thinking strategically about security and where the Secrets could be leaked.
In this episode, you will learn:
- How to define a threat model to inform your security posture and mitigations.
- How Kubernetes Secrets offer sufficient guarantees for most common threat models.
- Whether you should use HashiCorp Vault or Kubernetes Secrets (and when not to use auto-unsealing).
Mac also covers tips and advice on becoming a security expert.
Watch it here: https://kube.fm/kubernetes-secrets-mac
Listen on:
- Apple Podcast https://kube.fm/apple
- Spotify https://kube.fm/spotify
- Amazon Music https://kube.fm/amazon
- Overcast https://kube.fm/overcast
- Pocket casts https://kube.fm/pocket-casts
- Deezer https://kube.fm/deezer
Helm is a popular tool for templating and packaging Kubernetes resources, but does it mean it's the best?
In this episode of KubeFM, Jacco draws a parallel between Helm and PHP and the similarity in which both tools became a success despite their focus on templating strings.
You will also learn:
- Helm's flaws and how you can avoid them.
- Alternative tools that can (partially) replace Helm.
- How to manage third-party packages and templating internal YAML resources.
Jacco shared several examples demonstrating duplication in Helm charts and a lack of structured typing.
Watch it here: https://kube.fm/helm-flawed-jacco
Listen on:
- Apple Podcast https://kube.fm/apple
- Spotify https://kube.fm/spotify
- Amazon Music https://kube.fm/amazon
- Overcast https://kube.fm/overcast
- Pocket casts https://kube.fm/pocket-casts
- Deezer https://kube.fm/deezer
Network Policy usage is inverted.
It's easier to list the services that you want to connect to, but Network Policy forces you to list all clients that can connect to your pod.
How would you even know that another team plans to connect to your apps?
But if Network Policy is not the right tool, then what should you use?
In this KubeFM podcast, you will explore:
- How Network Policies are not as bad as you might think, but they are low-level APIs that are not always practical to use directly.
- Intent-based Access Control (IBAC) as a higher-level abstraction to describe your network segmentation requirements.
- How you can use IBAC to generate Network Policies, Istio Authorization Policies, AWS IAM & Roles, and more.
Watch it here: https://kube.fm/network-policies-ori
Listen on:
- Apple Podcast https://kube.fm/apple
- Spotify https://kube.fm/spotify
- Amazon Music https://kube.fm/amazon
- Overcast https://kube.fm/overcast
- Pocket casts https://kube.fm/pocket-casts
- Deezer https://kube.fm/deezer
Forwarded from LearnKube news
You can keep updated with the latest Kubernetes news, events, job opportunities and podcasts on Mastodon!
We've been on Mastodon for a while now, but since December 2023, we decided to migrate all our accounts to a private Mastodon instance: Learnk8s.news
Here's the list of all accounts and their handles:
- Learnk8s (Kubernetes news) https://learnk8s.news/@learnk8s
- Kubernetes Architect (K8s architecting and developing apps) https://learnk8s.news/@k8sarchitect
- Kubesploit (K8s Security) https://learnk8s.news/@kubesploit
- K3sDaily (K3s news) https://learnk8s.news/@k3sdaily
- Kube Careers (K8s Jobs) https://learnk8s.news/@KubeCareers
- Kube Events (K8s events) https://learnk8s.news/@k8sevents
- KubeFM (K8s podcast) https://learnk8s.news/@k8sfm
Of course, you can also find us on X/Twitter, LinkedIn, Facebook and Telegram. You can find all the links here: https://learnk8s.io/news-events-jobs
What if Kubernetes was so easy to install and manage that it was foolproof?
In this KubeFM, Mat argues that GKE is the only Kubernetes managed service that offers a beginner-friendly and thought-through experience in running a Kubernetes cluster.
Follow Mat's journey to AKS, GKE and EKS and learn:
- How GKE autopilot can help you optimize costs and reduce underutilized node resources.
- How the GKE container-optimized OS prevents and eliminates an entire set of security misconfigurations in node management.
- How GCP's application of machine learning on the IAM permissions can help you gradually refine security permissions as applications are deployed.
Watch it here: https://kube.fm/foolproof-gke-mat
Listen on:
- Apple Podcast https://kube.fm/apple
- Spotify https://kube.fm/spotify
- Amazon Music https://kube.fm/amazon
- Overcast https://kube.fm/overcast
- Pocket casts https://kube.fm/pocket-casts
- Deezer https://kube.fm/deezer
The best way to learn something is to break it or to build it yourself.
And that's precisely what Luca did to understand how Linux containers (and Docker) work: he built his own, Barco.
In this episode of KubeFM, you will learn:
- Why Linux containers "don't exist" but are the product of several Linux features you can put together and configure properly to get what we know as containers.
- How Kernel features such as cgroups and namespaces isolate a process.
- How you can use seccomp and capabilities to secure the container.
- How to make the right syscall from C to build your own container engine.
Watch it here: https://kube.fm/barco-luca
How do Linux containers work?
And how do you build a tool like Docker?
Luca decided to find out and built his own container engine from scratch: Barco.
In this episode of KubeFM, you will learn:
- Why Linux containers "don't exist" but are the product of several Linux features you can put together and configure properly to get what we know as containers.
- How Kernel features such as cgroups and namespaces isolate a process.
- How you can use seccomp and capabilities to secure the container.
- How to make the right syscall from C to build your own container engine.
Watch it here: https://kube.fm/barco-luca
Forwarded from LearnKube news
Get ready for a 3-part, free educational program on building Kubernetes platforms with Learnk8s and Loft labs!
Each session comes with a webinar, code samples and a step-by-step article:
- Unit 1: Architecting Kubernetes clusters: single shared cluster or to each their own.
- Unit 2: Kubernetes namespaces offer no isolation, and how you can work around it
- Unit 3: Building a self-serve Kubernetes platform from scratch
You can register here (it's free): https://www.vcluster.com/building-a-multi-tenant-kubernetes-platform/
On average, Kubernetes nodes running on ARM instances are 20% cheaper than their AMD counterparts.
Optimising your cloud bill is tempting, but how do you seamlessly migrate existing workloads to a different architecture?
And how do you do it at scale, with more than 1500 engineers and 30 clusters in 4 regions?
In this episode of KubeFM, Thibault and Miguel explain how Adevinta built an internal platform on Kubernetes for mixed AMD and ARM workloads.
You will learn:
- The challenges they faced with validating containers for mixed architecture with a mutating webhook and the open source solution they came up with: noe.
- Building an internal platform requires careful planning and designing simple interfaces that are backwards compatible.
- How to not DDoS your container registries.
Watch it here: https://kube.fm/arm-nodes-thibault-miguel
In this KubeFM episode, you will learn how to reduce your cloud bill by using mixed pools with AMD and ARM nodes in an EKS cluster.
Watch it here: https://kube.fm/arm-nodes-thibault-miguel
Pod Topology Spread Constraints is a convenient feature to control how pods are spread across your cluster among failure domains such as regions, zones, nodes, etc.
You can also choose the pod distribution (skew), what happens when the constraint is unfulfillable (schedule anyway vs don't) and the interaction with pod affinity and taints.
It's a great and straightforward feature, so what could possibly go wrong?
In this episode of KubeFM, you will follow Martin and his team's journey in discovering and fixing a production incident (on a Friday afternoon) due to a misconfiguration.
You will also learn:
- What are Pod Topology Spread Constraints, and how to use them?
- How unfulfillable scheduling requirements could lead to un-schedulable pods.
- How to detect and alert on unscheduled pods.
- How to manage your team during an incident to keep them calm and focused.
Watch (or listen to) it here: https://kube.fm/pod-topology-martin
What are Pod Topology Spread Constraints, and why are they useful to ensure high availability for your apps?
In this episode of KubeFM, you will follow Martin and his team's journey in discovering and fixing a production incident (on a Friday afternoon) due to a pod topology spread constraint misconfiguration.
You will also learn:
- What are Pod Topology Spread Constraints, and how to use them?
- How unfulfillable scheduling requirements could lead to un-schedulable pods.
- How to detect and alert on unscheduled pods.
Watch (or listen to) it here: https://kube.fm/pod-topology-martin
How hard could it be to debug a network issue where pod connections time out?
It could take weeks if you are (un)fortunate like Alex.
But Alex and his team didn't despair and found strength in adversity while learning several Kubernetes networking and kubespray lessons.
In this KubeFM episode, you'll follow their journey and learn:
- How a simple connection refused led to debugging the kernel syscalls.
- How MetalLB works and uses Dynamic Admission webhooks.
- How Calico works and assigns a range of IP addresses to pods (and what you should watch out for).
- How to use tcpdump and strace to debug network traffic.
Watch (or listen to) it here: https://kube.fm/troubleshooting-kernel-alex
Is sharing a cluster with multiple tenants worth it?
Should you share or have a single dedicated cluster per team?
In this KubeFM episode, Artem revisits his journey into Kubernetes multi-tenancy and discusses how the landscapes (and opinions) on multi-tenancy have changed over the years.
Here's what you will learn:
- The trade-offs of multi-tenancy and the tooling necessary to make it happen (e.g. vCluster, Argo CD, Kamaji, etc.).
- The challenges of providing isolated monitoring and logging for tenants.
- How to design and architect a platform on Kubernetes to optimise your developers' experience.
Watch (or listen to) it here: https://kube.fm/multitenancy-artem
Forwarded from LearnKube news
When planning your infrastructure, one of the fundamental questions is: how many Kubernetes clusters should you have?
One big cluster or multiple smaller clusters?
Should the team share resources, or to each their own?
This Thursday, Dan investigates the pros and cons of different approaches and compares cost efficiency, ease of management, resilience and security for different setups.
In this session, you will learn:
- How Kubernetes design is intended for sharing resources and the consequence for isolation and security.
- How you can isolate your workloads with different security trade-offs depending on how trustworthy your tenants are.
- How to estimate costs and efforts in building a single shared cluster vs multiple clusters.
📆 Thu, 29th Feb
⏰ 8am PT | 5pm CET
👉 https://www.vcluster.com/event/workshop-series-1/
Structured Authentication Config is the most significant Kubernetes authentication system update in the last six years.
In this KubeFM episode, Maksim explains how this is going to affect you:
1. You can use multiple authentication providers simultaneously (e.g., Okta, Keycloak, GitLab) — no need for Dex.
2. You can change the configuration dynamically without restarting the API server.
3. You can use any JWT-compliant token for authentication.
4. You can use CEL (Common Expression Language) to determine whether the token's claims match the user's attributes in Kubernetes (username, group).
Watch (or listen to) it here: https://kube.fm/structured-authentication-maksim