Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 134:
😳 3000+ Clusters: The Journey to Edge Compute with Talos Linux
📏 Vertical Pod Autoscaler (VPA): A Deep Dive
🥷 OPA Gatekeeper bypass reveals risks in Kubernetes policy engines
💣 OPA memory usage considerations and lessons from our transition to Kyverno
💻 Turn an old laptop into a private Kubernetes cluster — enable others to connect to it
Read it now: https://learnk8s.io/issues/134
⭐️ This newsletter is sponsored by Hydrolix — Keep more log data and get better insights from analytics https://ku.bz/0HtlYKbnw
Learn how to create a precise policy that tracks critical cluster events, secures sensitive data, and provides actionable security insights without overwhelming log volumes.
More: https://ku.bz/DPjh1dj2L
Kubewarden deploys as an admission controller, loading user-defined WebAssembly policies that inspect and validate API requests in real time.
It enforces resource compliance before persistence, supporting custom logic and dynamic updates cluster-wide.
More: https://ku.bz/C4jG7w4J6
Forwarded from KubeFM
Tim Miller, CEO and Co-founder at Kusari, discusses the misconception of security automation in development.
He explains that while most security tools focus on creating barriers and gates to prevent bad things from happening, this approach often slows down development. Instead, Miller argues that effective security automation should enable teams to move faster and react quickly to threats — shifting the perspective from security as a blocker to security as an enabler.
Watch the full interview: https://ku.bz/-2Sqn9Jb9
Forwarded from LearnKube news
Master Kubernetes with Learnk8s' Advanced Kubernetes workshop!
What should you expect?
- Learn how to architect and design clusters from the ground up (in the cloud or on-prem).
- Explore the Kubernetes internal components and how the system is designed with resiliency in mind.
- Deep-dive into the networking components and observe the packets flowing into the cluster.
- Hands-on labs to test the theory with real-world scenarios!
- And more.
The next online course starts in June: https://ku.bz/bRfWBNxJc
We also run in-person courses and corporate training: https://learnk8s.io/corporate-training
ZTM (Zero Trust Mesh) offers a secure, decentralized alternative to Kubernetes service exposure methods like LoadBalancer and Ingress.
It uses encrypted tunnels and zero-trust principles to eliminate open ports and simplify cross-cluster/remote access.
More: https://ku.bz/n-93Zf4Zg
kubectl-rexec enforces auditable pod shell access by blocking native kubectl exec via a ValidatingWebhook and routing sessions through a proxied APIService that logs all activity.
More: https://ku.bz/Pr88Hr6S_
Forwarded from KubeFM
Molly discusses her team's approach to platform engineering. She explains why their initial one-cluster-per-team model became unsustainable and how they're transitioning to multi-tenant architectures.
You will learn:
- The operational reality of cluster proliferation: why managing hundreds of clusters becomes unsustainable
- Practical multi-tenancy implementation strategies, including resource quotas, priority classes, and namespace organization patterns
- Better metrics for multi-tenant environments: how to build meaningful SLOs for distributed platform health
Watch it here: https://ku.bz/Rmpl8948_
🌟 This episode is brought to you by Learnk8s — get started on your Kubernetes journey through comprehensive online, in-person or remote training https://learnk8s.io/training
With @Birthmarkb "Free Spanish Lessons" Farrell
Distroless images improve security but lack shell/debug tools.
This article shows two solutions: attach a temporary ephemeral container using kubectl debug, or define a persistent sidecar with a shared PID namespace.
More: https://ku.bz/W2qVr-ffR
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 135:
🛜 The Kubernetes networking guide
🐜 Configuration Management at Ant Group: Generated Manifest and Immutable Desired State
🪵 My favourite Kubernetes audit log policy
🙅‍♂️ Can't NAT after NAT
🥊 Readiness vs Liveness Probes: What is the Difference? (and Startup Probes!)
Read it now: https://learnk8s.io/issues/135
⭐️ This newsletter is brought to you by @arm — Explore learning paths and technical resources to start, accelerate, or complete your cloud migration https://ku.bz/xFNgz9S9h
kpatch enables runtime kernel function patching by injecting precompiled replacement functions directly into the live kernel.
It's built on the CONFIG_LIVEPATCH infrastructure and uses ftrace to reroute function calls at runtime.
More: https://ku.bz/-mXRJ9kzM
Learn how Confidential Containers use Kata Agent Policies to control container execution in secure environments.
This allows administrators to define granular rules restricting images, processes, and actions.
More: https://ku.bz/dcdvjJRry
Forwarded from LearnKube news
Why can't you ping a Kubernetes service?
Learnk8s runs a 4-day Advanced Kubernetes course on June 26, and you will get to the bottom of questions like this (spoiler: services only exist in etcd).
You will also learn the nitty-gritty details of Kubernetes networking:
- How to plan and design a cluster network.
- How the four Kubernetes service types extend each other, and what you gain from each.
- How CoreDNS, Ingress, and kube-proxy consume the Kubernetes currency: endpoints.
This (and much more) is covered on the third day of the course.
You can find the full agenda, a breakdown of the modules and how to sign up here: https://ku.bz/bRfWBNxJc
Are you training your team?
Customize the workshop in full with private training https://learnk8s.io/corporate-training
This guide shows how to detect Kubernetes runtime threats (e.g. sudo misuse, suspicious file access) using Falco + eBPF, forward logs with Fluent Bit, and route them to Parseable log streams like falcowarn or falconotice.
More: https://ku.bz/zTdnws-Fd
Forwarded from KubeFM
Harsha Koushik, a Security Researcher and Technical Product Manager at Palo Alto Networks, discusses the role of the shell in system interaction and security.
He explains that while the shell is a user-friendly interface for interacting with a system, it functions as an abstraction layer, making system calls similar to those made by application libraries.
From a security perspective, he highlights that removing the shell does not inherently protect against attacks, as the same system calls can be executed through different libraries.
Watch the full episode: https://ku.bz/n_sJ04xMY
This article dissects how Kyverno's policy generation, combined with Helm's namespace management, leads to race conditions, deletions, and re-creations that break deterministic behaviour, especially when synchronisation and background are enabled.
More: https://ku.bz/trbB_kp21
Forwarded from KubeFM
Marc breaks down the cost implications, technical constraints, and operational trade-offs between Kubernetes containers and AWS Lambda functions.
You will learn:
- Cost analysis frameworks for comparing Lambda vs Kubernetes across different traffic patterns, including specific examples of 3x savings potential
- Migration complexity factors when moving existing microservices to Lambda, including cold start issues and runtime model changes
- Decision criteria for choosing between platforms based on traffic consistency, computational requirements, and operational overhead tolerance
Watch (or listen to) it here: https://ku.bz/5gMTkzLhV
🌟 This episode is brought to you by Learnk8s — get started on your Kubernetes journey through comprehensive online, in-person or remote training https://learnk8s.io/training
With @Birthmarkb "Thanking himself" Farrell
This diagram maps core Kubernetes security concepts—from RBAC, PodSecurity, and audit logging to container isolation—helping teams visualize enforcement points.
Built by Telenor for on-prem clusters, it’s ideal for threat modelling or reviews.
More: https://ku.bz/4JP4Yvlmt
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 136:
🍏 How We Integrated Native macOS Workloads with Kubernetes
💉 Why our pods were breaking bad (and how we fixed them)
😊 FacetController: How We Made Infrastructure Changes at Lyft Simple
📦 Operational Considerations for Managing Stateful Workloads
🪔 Can configuration languages (Config DSLs) solve configuration complexity?
Read it now: https://learnk8s.io/issues/136
⭐️ This issue is brought to you by Learnk8s — get started on your Kubernetes journey through comprehensive online, in-person or remote training https://learnk8s.io/training
Learn how a misconfigured container registry can let attackers gain unauthorized access to sensitive applications and credentials by exploiting exposed Docker APIs and pulling images without authentication.
More: https://ku.bz/P7jNKKZlL
RBAC Manager is an operator that supports declarative configuration for RBAC with new custom resources.
Instead of managing role bindings or service accounts directly, you can specify the desired state and RBAC Manager will make the necessary changes.
More: https://ku.bz/QnyklGrTq