push-to-K8s is a Kubernetes controller that monitors a specified source namespace for secret changes and replicates them across all other namespaces in the cluster.
More: https://ku.bz/bxvYHJTfg
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 132:
🕵️♂️ An In-Depth Analysis of the OpenAI's Incident and Mitigation Strategies
👩🔬 Taming the wild west of research computing: how policies saved us a thousand headaches
👋 We're leaving Kubernetes
📊 Resource management in Kubernetes
📉 Reducing Pod Startup Time for Java Application on EKS
Read it now: https://learnk8s.io/issues/132
⭐️ This newsletter is sponsored by Dagger — build software engineering workflows and environments https://ku.bz/GPL98fg84
The Kubernetes API server includes an HTTP proxy that allows authorized users to access pods, nodes, and external hosts from the cluster network.
With proxy and node rights, attackers can SSRF into the API server or override pod IPs to exfiltrate data.
More: https://ku.bz/r70-_Vww0
Forwarded from LearnKube news
Master Kubernetes with Learnk8s' Advanced Kubernetes workshop!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal component and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
The next online course starts in June: https://ku.bz/bRfWBNxJc
We also run in-person courses and corporate training: https://learnk8s.io/corporate-training
Kleidi is a Kubernetes KMSv2 plugin that enables envelope encryption by offloading data key encryption to external providers like HashiCorp Vault or SoftHSM.
More: https://ku.bz/M8Xx40XfG
This analysis details how Kubernetes' deprecated gitRepo volume enables root-level container escape via Git hook injection, using a fake bare repo to exploit default behavior in kubelet.
More: https://ku.bz/X8KN1PdB2
Forwarded from Kube Builders
Learn how to use Istio, a service mesh, to manage microservices in Kubernetes.
This article covers traffic control, mTLS security, and observability with Kiali, Prometheus, and Jaeger, using a Garage Management System as a practical example.
More: https://ku.bz/x4c-Bw2K1
kapi is a lightweight proxy that sits in front of the Kubernetes API server.
It logs, inspects, and can mutate API requests and responses, supporting auditing, debugging, and workflow automation without altering the cluster control plane.
More: https://ku.bz/sjrM4Q1ch
Forwarded from KubeFM
Billy Thompson, Head of Global DevOps & Platform Engineering at Akamai Technologies, shares his least favourite Kubernetes feature: a recurring challenge in Cert Manager's HTTP validation when using proxy mode with load balancers.
He explains how this widespread issue impacts observability and security features in Kubernetes clusters, particularly when monitoring web traffic logs.
Watch the full interview: https://ku.bz/bh07VCK23
Forwarded from KubeFM
Stephan Schwarz walks through his systematic approach to performance testing Kubernetes applications.
You will learn:
- Why shared Kubernetes components skew results and how ingress controllers, service meshes, etc. create testing challenges that require careful consideration of the entire request chain
- Practical approaches to HPA configuration, including how to account for scaling latency and planning for spare capacity based on your SLA requirements
- The role of observability tools like OpenTelemetry in production environments where load testing isn't feasible, and how distributed tracing helps isolate performance bottlenecks across interdependent services
Watch (or listen to) it here: https://ku.bz/yY-FnmGfH
🌟 This episode is brought to you by Learnk8s — get started on your Kubernetes journey through comprehensive online, in-person or remote training https://learnk8s.io/training
With @Birthmarkb "Not Open Source" Farrell
This article breaks down a critical RCE flaw in Kubernetes Log Query.
Attackers could inject PowerShell commands through unvalidated pattern input, leading to SYSTEM-level access on Windows nodes.
More: https://ku.bz/nN2VkHfFM
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 133:
🧙♀️ A journey of writing my own Kubernetes
📊 Scaling Virtual Machines in Kubernetes Clusters: Insights for Kubernetes Applications
🕵️ Exploring the Kubernetes API Server Proxy
🥋 CVE-2024–10220: Attack and Defense
👧 Exploit me, baby, one more time: command injection in Kubernetes Log Query
Read it now: https://learnk8s.io/issues/133
⭐️ This newsletter is sponsored by Fairwinds — expert-led, fully managed Kubernetes that frees your engineers from infrastructure headaches and puts you on the fast track to production-grade success https://ku.bz/sSRQp8xDH
Namespace Hound is a tool that identifies and assesses potential security vulnerabilities and risks in Kubernetes clusters used by multiple tenants.
More: https://ku.bz/pt-TskhHX
Security research exposes critical OPA Gatekeeper vulnerabilities: Attackers can bypass misconfigured repository policies through subdomain manipulation, enabling unauthorized container image deployments across cloud environments.
More: https://ku.bz/8hr1BhMf3
This article investigates container drift in cloud environments by examining forensic methods for detecting unauthorized changes in container images and running instances.
Learn practical approaches for drift detection, response, and incident analysis.
More: https://ku.bz/X-YSMs1DW
Adevinta's SRE team replaced OPA's Gatekeeper with Kyverno to mitigate memory spikes caused by data.inventory syncing in high-churn clusters.
Kyverno's API-based dynamic context handling cut memory usage from 8GB under Gatekeeper to 2.7GB.
More: https://ku.bz/gNrNqqbM1
Forwarded from KubeFM
David explains how he built a platform with Kubernetes, Helm, and GitOps workflows, only to see it fail against FTP.
You will learn:
- The hidden costs of sophisticated tooling - How GitOps pipelines with multiple moving parts can create trust issues when developers lose local control and must rely on remote processes
- Cultural factors that trump technical benefits - Why customer expectations, existing infrastructure, and team readiness matter more than the elegance
- Practical strategies for incremental adoption - The importance of starting small, building operational expertise, and ensuring management advocacy at all levels
Watch it here: https://ku.bz/_MWX5m6G_
🌟 This episode is brought to you by Learnk8s — get started on your Kubernetes journey through comprehensive online, in-person or remote training https://learnk8s.io/training
With @Birthmarkb "Amazing with loose hair" Farrell
Overlock is a Kubernetes controller that continuously scans cluster resources and events using custom policies.
It generates alerts or triggers webhooks on violations, enabling automated, real-time detection of misconfigurations and security issues.
More: https://ku.bz/4fssS2nJP
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 134:
😳 3000+ Clusters: The Journey to Edge Compute with Talos Linux
📏 Vertical Pod Autoscaler (VPA): A Deep Dive
🥷 OPA Gatekeeper bypass reveals risks in Kubernetes policy engines
💣 OPA memory usage considerations and lessons from our transition to Kyverno
💻 Turn an old laptop into a private Kubernetes cluster — enable others to connect to it
Read it now: https://learnk8s.io/issues/134
⭐️ This newsletter is sponsored by Hydrolix — Keep more log data and get better insights from analytics https://ku.bz/0HtlYKbnw
Learn how to create a precise policy that tracks critical cluster events, secures sensitive data, and provides actionable security insights without overwhelming log volumes.
More: https://ku.bz/DPjh1dj2L
Kubewarden deploys as an admission controller, loading user-defined WebAssembly policies that inspect and validate API requests in real time.
It enforces resource compliance before persistence, supporting custom logic and dynamic updates cluster-wide.
More: https://ku.bz/C4jG7w4J6