Tibo on why Kubernetes isn't just for enterprise scale — it can be a practical choice for solo self-hosters too.

You will learn:

- Why Ansible's declarative promise fell short with the Podman collection, forcing sequential imperative steps instead of desired-state definitions
- How community Helm charts replace the need to write and maintain every manifest yourself
- Why GitOps isn't just a deployment workflow — it's a disaster recovery strategy when your infrastructure lives in your living room

Watch (or listen to) it here: https://ku.bz/Xk5S7VqXz

🌟 This episode is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training https://learnkube.com/training

With @Birthmarkb

Guardon is a Kubernetes admission controller that enforces security and compliance policies in real-time before resources are created in your cluster.

More: https://ku.bz/d4hT8s9Sw

This week on Learn Kubernetes Weekly 170:

📦 Could lockfiles just be SBOMs?
🌐 Dynamic Istio Ingress Gateway Management with Kyverno
🎮 Factorio in Kubernetes? Well, why not?
🤖 Running DeepSeek Models on Kubernetes: A Backend Engineer's Experiment
⚡ Ephemeral Infrastructure: Why Short-Lived is a Good Thing

Read it now: https://kube.today/issues/170

⭐️ This issue is brought to you by vCluster and LearnKube — join "Multi-Tenancy March" starting Feb 24: a free 3-part hands-on series on namespace isolation, virtual clusters, GPU sharing, and AI agent sandboxing on Kubernetes https://ku.bz/multitenant26

This article shows how to scan Helm charts for insecure RBAC, secret leaks, and malicious templates using tools like Trivy, GitHub Search, and OPA.

More: https://ku.bz/k4MpGVLyZ

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Tailscale
💰 $16.15M to $20.21M a year
🌎 Fully remote
→ https://ku.bz/J9Cs7QBBp

DevSecOps Engineer with Accenture Federal Services
💰 $11.49M to $15.13M a year
👨‍💻 Remote from
→ https://ku.bz/bsl59cPMh

DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
👨‍💻 Remote from the United States of America
→ https://ku.bz/NXd17JHfV

DevSecOps Engineer with Anthropic
💰 $300K to $405K a year
👨‍💻 Remote from
→ https://ku.bz/LzVjTfYNp

DevSecOps Engineer with Point72
💰 $225K to $300K a year
👨‍💻 Remote from
→ https://ku.bz/gG67-vdCY

👉 Browse 2029 jobs on Kube Careers https://kube.careers

Self-service and governance aren't competing forces — they work together.

Peter Kelly explains how Tigera's tiered network policies in Project Calico let platform teams lock down critical rules at an upper layer while giving developers a lower tier to manage their own policies. Security stays immutable at the top, and developers get autonomy within those guardrails.

The key: treat policy tiers like layers — compulsory at the top, flexible at the bottom.

Full interview: https://ku.bz/xgqZJhdyn





Watch the full interview: https://ku.bz/xgqZJhdyn

This interview is a reaction to Ben Poland's episode https://ku.bz/klBmzMY5-

Jan Ludvik on how he cut EKS node startup from 65 to 45 seconds and reduced P90 pod startup by 30 seconds across ~1,000 nodes.

You will learn:

- Why Kubelet's serial image pull default quietly blocks pod startup, and how parallel pulls fix it
- How EBS lazy loading can silently negate image caching in AMIs — and the critical path workaround
- A Lambda-based automation that temporarily boosts EBS throughput during startup, then reverts to save cost
- The kubelet metrics and logs that expose pod and node startup latency, most teams never monitor

Watch (or listen to) it here: https://ku.bz/B7TzKXyxf

🌟 This episode is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training https://learnkube.com/training

With @Birthmarkb

This week on Learn Kubernetes Weekly 171:

🔍 Stop Hunting Logs: How OpenTelemetry Brings Metrics, Logs, and Traces Together
🚀 Continuous Frontend Deployments at Scale: 7000 Deployments per Month with GitOps
⚙️ How We Replaced the Default Kubernetes Scheduler to Optimize Our Continuous Integration Builds
🏗️ Building Production-Ready Micro Frontends in Kubernetes: A Pragmatic Approach
🔐 Detecting Vulnerabilities in Public Helm Charts

Read it now: https://kube.today/issues/171

⭐️ This issue is brought to you by vCluster and LearnKube — join "Multi-Tenancy March" starting Feb 24: a free 3-part hands-on series on namespace isolation, virtual clusters, GPU sharing, and AI agent sandboxing on Kubernetes https://ku.bz/multitenant26

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Anthropic
💰 $40.5M to $48.5M a year
🏠 From the office in San Francisco, CA, USA
→ https://ku.bz/wrrnmcjDQ

DevSecOps Engineer with Tailscale
💰 $16.01M to $20.04M a year
🌎 Fully remote
→ https://ku.bz/J9Cs7QBBp

DevSecOps Engineer with Accenture Federal Services
💰 $11.49M to $15.13M a year
👨‍💻 Remote from
→ https://ku.bz/bsl59cPMh

DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
👨‍💻 Remote from the United States of America
→ https://ku.bz/NXd17JHfV

DevSecOps Engineer with xAI
💰 $180K to $440K a year
👨‍💻 Remote from
→ https://ku.bz/R4vBYC5mW

👉 Browse 2270 jobs on Kube Careers https://kube.careers

kseal is a kubeseal companion CLI for viewing, exporting, encrypting, and offline decrypting Kubernetes Sealed Secrets without needing live cluster access.

More: https://ku.bz/JbNY0d2Ch

Push-to-K8s is a Kubernetes controller written in Go that automatically synchronizes labeled secrets from a source namespace to all other namespaces in the cluster with real-time change detection propagating updates in 5-10 seconds.

More: https://ku.bz/z-7ytwsb-

Radosław from aleno migrated from ECS to Kubernetes — spot instances broke at 20+ containers, firewalls silently dropped traffic, and the wrong memory metric caused OOM kills.

You will learn:

- Why ECS spot instances have no built-in fallback mechanism — and how Karpenter's flexible instance selection solves it
- How running Flux and Argo CD together gives infra teams git-push workflows while developers get a UI
- Why the default Kubernetes memory metric includes evictable caches — and switching to working set fixed OOM errors
- How jemalloc cut memory usage by 20% and fixed HPA autoscaling for WebSocket containers

Watch (or listen to) it here: https://ku.bz/x6wFMhVsx

🌟 This episode is sponsored by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training https://learnkube.com/training

With @Birthmarkb

This article explains how EKS authentication tokens work by pre-signing AWS STS GetCallerIdentity calls, and how you can use this technique to implement IAM-based authentication in your own services.

More: https://ku.bz/3WRXBcqzd

This week on Learn Kubernetes Weekly 172:

🔥 Google Cloud Shell Container Escape
🌐 Azure Kubernetes Service Deep Dive Into Azure CNI Pod Subnet
💭 How I Think About Kubernetes
📦 How We Shrunk a Kubernetes Sidecar from 421MB to 90MB (With No OS Inside)
🎯 Kube Resource Orchestrator: Manage any group of resources as one unit

Read it now: https://kube.today/issues/172

⭐️ This newsletter is brought to you by Kubex — Automated Resource Optimization for Kubernetes, GPUs and AI Workloads https://ku.bz/y98T8bWXP

Guardon is a browser extension that catches Kubernetes security misconfigurations during GitHub/GitLab code reviews, providing instant feedback, actionable YAML fixes, a custom rule engine, and Kyverno policy import, with no CI setup required.

More: https://ku.bz/1dwsMRc7S

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Anthropic
💰 $40.5M to $48.5M a year
🏠 From the office in San Francisco, CA, USA
→ https://ku.bz/wrrnmcjDQ

DevSecOps Engineer with Tailscale
💰 $15.95M to $19.97M a year
🌎 Fully remote
→ https://ku.bz/J9Cs7QBBp

DevSecOps Engineer with Accenture Federal Services
💰 $11.49M to $15.13M a year
👨‍💻 Remote from
→ https://ku.bz/bsl59cPMh

DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
👨‍💻 Remote from the United States of America
→ https://ku.bz/NXd17JHfV

DevSecOps Engineer with xAI
💰 $180K to $440K a year
👨‍💻 Remote from
→ https://ku.bz/R4vBYC5mW

👉 Browse 2373 jobs on Kube Careers https://kube.careers

This tutorial teaches how to implement layered security in Kubernetes using Kyverno for admission control and KubeArmor for runtime protection to enforce guardrails.

More: https://ku.bz/SnYRwQhFR

Shyam Jeedigunta, Principal Engineer at Amazon Web Services (AWS), explains the security challenges and solutions for onboarding Kubernetes nodes from different infrastructure providers.

He discusses how to handle identity management, certificate issuance, and trust establishment when nodes come from edge locations, on-premises infrastructure, or other cloud providers rather than the same infrastructure as the control plane.

Watch the full interview: https://ku.bz/m89tLbgcq

"I don't want to see AI agents autonomously control clusters right now."

Nick Eberts draws a clear line: AI assistants are valuable for read-only troubleshooting — giving hints, explaining what's wrong. But making changes? That should go through pull requests and human review, especially in a GitOps workflow. He also flags an emerging challenge: securing agent-to-agent communication between MCP servers and clients, and extending Istio authorization policies into the agent layer.

The takeaway: AI should assist, not act — until the guardrails catch up.



Watch the full interview: https://ku.bz/G1QSYQTn2

This interview is a reaction to Mai Nishitani's episode https://ku.bz/3hWvQjXxp

cert-manager-webhook-pdns is a PowerDNS webhook for cert-manager that enables automated Let's Encrypt certificate issuance using DNS-01 challenges by integrating with PowerDNS API for DNS record management.

More: https://ku.bz/x3vxd7ZpJ