This article explains the governance differences between AWS Config and Kubernetes native policy engines and their complementary roles in cloud environments.
More: https://ku.bz/ttgXTYdrZ
Forwarded from KubeFM
Phil Estes, Principal Engineer at Amazon Web Services (AWS), explains why container security extends far beyond using minimal images.
He emphasizes examining the entire supply chain including dependencies, software composition analysis, and software bill of materials (SBOM).
He discusses the importance of image signing, package signing, and certificate management initiatives, including the OpenSSF's work providing maintainers with physical keys for proper package signing.
Watch the full interview: https://ku.bz/K4LmmL2NN
This interview is a reaction to Harsha Koushik's episode https://ku.bz/n_sJ04xMY
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 149:
🔥 More DevOps than I Bargained For
🧪 Testing to See if You Can Run a MariaDB Cluster on a $150 Kubernetes Lab
⚡ Ceph on NVMe Made No Sense to Us — So We Built a 40x Better Alternative
🌐 Observing Egress Traffic with Istio
🐍 Trying to Break Out of the Python REPL Sandbox in a Kubernetes Environment: A Practical Journey
Read it now: https://learnkube.com/issues/149
⭐️ This newsletter is brought to you by Tigera, the Creators of Project Calico — Learn how Calico uses eBPF for high performance, low latency, & enhanced networking https://ku.bz/b7Nm3GkwL
Forwarded from KubeFM
Andy Suderman, CTO @ Fairwinds, discusses the transition from playground to production Kubernetes environments. He agrees that clusters only feel real once they're serving actual customer traffic, but expands beyond just Ingress and DNS to emphasize the broader ecosystem requirements.
Andy explains that vanilla Kubernetes clusters are not 100% functional out of the box. Production readiness requires a comprehensive suite of add-ons including ingress controllers, DNS controllers, cert managers, and various operators.
The key insight is that the ecosystem of add-ons is crucial to any functional Kubernetes platform, and once these components are in place serving production workloads, the cluster graduates from playground status to a real operational environment.
Watch the full interview: https://ku.bz/ZQTRkMpz5
This interview is a reaction to Dan Garfield's episode https://ku.bz/m3YNgCh1W
KubeLinter is a static analysis tool that checks Kubernetes YAML files and Helm charts to ensure that applications adhere to best practices.
More: https://ku.bz/yCpPFTs73
Blixt is an early-stage, sandbox-only Layer 4 load balancer project written in Rust.
It integrates eBPF via Aya and manages routing logic via Kube-RS.
It supports Gateway API objects like TCPRoute and UDPRoute, with KIND-based local testing only.
More: https://ku.bz/1cZxMK7Ck
Forwarded from KubeFM
Harsha Koushik, a Security Researcher and Technical Product Manager at Palo Alto Networks, discusses the nuanced decision of using empty scratch containers.
He emphasizes that while experienced developers might manage fine with these minimalistic containers, less experienced developers could face significant issues due to missing essential libraries and configurations.
Koushik points out that missing elements like C libraries, /etc/passwd files, and timezone defaults can lead to failures in logging, cron jobs, and other system functions.
Watch the full episode: https://ku.bz/n_sJ04xMY
This tutorial explains Kubernetes authentication (“who you are”) and authorization (“what you can do”) workflows.
It shows how to issue user certificates, create a CertificateSigningRequest, approve it, and bind RBAC roles.
More: https://ku.bz/mN0GKSR_c
Forwarded from KubeFM
Danyl, a veteran .NET engineer and architect at Eneco, presents his controversial thesis that 90% of teams don't actually need Kubernetes.
You will learn:
- The COST decision framework - How to evaluate infrastructure choices based on Complexity, Ownership, Skills, and Time rather than industry hype
- Platform engineering vs. managed services - How to honestly assess whether your team can compete with AWS, Azure, and Google's managed container platforms
- Evolutionary architecture approach - Why modular monoliths with clear boundaries often provide better foundations than distributed systems from day one
Watch (or listen to) it here: https://ku.bz/BYhFw8RwW
🌟 This episode is brought to you by Testkube—the ultimate Continuous Testing Platform for Cloud Native applications. Scale fast, test continuously, and ship confidently https://ku.bz/lnxYK3s0L
With @Birthmarkb "DSA hero" Farrell
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 150:
📊 From utilization to PSI: Rethinking resource starvation monitoring in Kubernetes
🔀 Inside Intra-Node Pod Traffic in Kubernetes: How Kindnet with PTP Moves Packets
💬 The story behind the great sidecar debate
🤖 Scalable ML with Azure, Kubernetes and KEDA: Generating Inputs with 500 Pods
Read it now: https://learnkube.com/issues/150
⭐️ This newsletter is brought to you by AWS — reduce the costs of your AI infrastructure with Amazon EKS https://ku.bz/gdkVpKB3H
argocd-vault-plugin is an Argo CD plugin that retrieves secrets from Secret Management tools and injects them into Kubernetes.
More: https://ku.bz/XbpB666ql
This tutorial shows how to enable passwordless kubectl access to an Oracle Kubernetes Engine (OKE) cluster by using OCI Instance Principals, dynamic groups, scoped IAM policies, and the OCI CLI exec plugin.
More: https://ku.bz/ZpCQLpM4V
Forwarded from KubeFM
Ben walks through Faire's complete CI transformation, from a single Jenkins instance struggling with thousands of lines of Groovy to a distributed Buildkite system running across multiple Kubernetes clusters.
You will learn:
- How to architect CI systems that match team ownership and eliminate shared failure points across services
- Kubernetes scaling patterns for CI workloads, including multi-cluster strategies, predictive node provisioning, and handling API throttling
- Performance optimization techniques like Git mirroring, node-level caching, and spot instance management for variable CI demands
Watch (or listen to) it here: https://ku.bz/klBmzMY5-
🌟 This episode is brought to you by Testkube—the ultimate Continuous Testing Platform for Cloud Native applications. Scale fast, test continuously, and ship confidently https://ku.bz/lnxYK3s0L
With @Birthmarkb "Creatine lover" Farrell
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 151:
📊 Kubernetes observability from day one – mixins on Grafana, mimir and alloy
🕵️ Troubleshooting packet drops in a Kubernetes-based observability platform
🌍 How We Migrated 30+ Kubernetes Clusters to Terraform
🚪 Gateway API v1.3.0: Advancements in Request Mirroring, CORS, Gateway Merging, and Retry Budgets
🧩 Introducing Gateway API Inference Extension
Read it now: https://kube.today/issues/151
⭐️ This newsletter is brought to you by @KubeToday — a daily feed of Kubernetes news, events, jobs, announcements, and more! https://kube.today
Forwarded from KubeFM
Vitalii Horbachov explains how Agoda built macOS VZ Kubelet, a custom solution that registers macOS hosts as Kubernetes nodes and handles 20,000 iOS tests at scale.
You will learn:
- How to build hybrid runtime pods that combine macOS VMs with Docker sidecar containers for complex CI/CD workflows
- Custom OCI image format implementation for managing 55-60GB macOS VM images with layered copy-on-write disks
- Networking and security challenges, including Apple entitlements, direct NIC access, and implementing kubectl exec over SSH
Watch (or listen to) it here: https://ku.bz/q_JS76SvM
🌟 This episode is brought to you by Testkube—the ultimate Continuous Testing Platform for Cloud Native applications. Scale fast, test continuously, and ship confidently https://ku.bz/lnxYK3s0L
With @Birthmarkb "Rugby referee" Farrell
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 152:
🌀 A Journey Through Kafkian SplitDNS in a Multitenant Kubernetes Offering
⚙️ Under the hood: Amazon EKS Auto Mode
👩💻 Most Cloud-Native Roles are Software Engineers
🚀 Start Sidecar First: How To Avoid Snags
📈 Enhancing Kubernetes Event Management with Custom Aggregation
⚡ Non-HA Kubernetes Gotchas: Downtime and Autoscaling Pitfalls with Single Replica Workloads
Read it now: https://kube.today/issues/152
⭐️ This newsletter is brought to you by AWS — Fully automate your Kubernetes clusters with Amazon EKS Auto Mode https://ku.bz/xZWD-2-Rk
Forwarded from KubeFM
Andrei Kvapil, CEO and Founder of Aenix, explains how GitOps tools handle access control and restrict deployments. He highlights that GitOps provides:
- Real-time inspection of changes before deployment
- Visibility of exact differences between desired and existing cluster states
- Control at both deployment and review phases
Andrei outlines a strategy using a pull request model to manage access:
1. Configure the GitOps operator to watch the main branch
2. Restrict direct pushes to the main branch
3. Implement a pull/merge request workflow
4. Review all changes before they reach the main branch
This approach allows companies to predict and control what will be deployed, leveraging GitOps principles while maintaining strict access control.
Watch the full episode: https://ku.bz/0mvh5s4Ld
Forwarded from KubeFM
From hitting the "scaling wall" to achieving operational excellence—this is how two global enterprises transformed their Kubernetes operations.
In Episode 3 of The Making of Flux, our KubeFM original series, Philippe Ensarguet from Orange and Arnab Chatterjee from Nomura share their GitOps journey with Flux, from initial challenges to production victories at massive scale.
You will learn:
- How Orange uses Flux to manage bare-metal Kubernetes through its SYLVR project.
- Why Nomura relies on GitOps to balance agility with governance in financial services.
- How Flux helps enterprises achieve resilience, compliance, and repeatability at scale.
Watch (or listen to) it here: https://ku.bz/tWcHlJm7M
🌟 Join the Flux maintainers and community at FluxCon, November 11th in Salt Lake City— https://ku.bz/L843kg0CK
With @Birthmarkb
Forwarded from Kube Careers
How much does a Kubernetes engineer earn in Q3 2025?
Is Platform Engineering really eating DevOps' lunch?
We analyzed 509 Kubernetes job descriptions and discovered:
💰 North American salaries average $177,983 (€92,113 in Europe)
🚀 Platform Engineer roles jumped to 9% of positions (vs 4-7% last year)
👨💻 43% of jobs are for Software Engineers, but DevOps roles offer the best remote flexibility (56%)
🏠 Remote work paradox: 67% allow remote, but only 0.29% are truly location-independent
Dive into the complete State of Kubernetes Job Market Q3 2025 report: https://kube.careers/state-of-kubernetes-jobs-2025-q3
⭐️ This report is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training. https://learnkube.com/training
Forwarded from KubeFM
Niels Claeys shares how his team built a data platform processing up to 1.5 million core hours monthly. He explains the specific optimizations they discovered through production experience, from scheduler changes to achieving 97% spot instance usage without reliability issues.
You will learn:
- How to achieve 97% spot instance adoption through strategic instance type diversification, region selection, and Spark-specific techniques
- Node pool design principles that balance Kubernetes overhead with workload efficiency
- Platform-specific gotchas like AWS cross-AZ data transfer costs that can spike bills unexpectedly
Watch (or listen to) it here: https://ku.bz/hGRfkzDJW
🌟 This episode is brought to you by Testkube—the ultimate Continuous Testing Platform for Cloud Native applications. Scale fast, test continuously, and ship confidently https://ku.bz/lnxYK3s0L
With @Birthmarkb "Almost 40" Farrell
Forwarded from Kube Builders
Project Quay runs as a service inside or outside Kubernetes, storing images in S3 or local storage.
It scans images for vulnerabilities with Clair, supports image signing, and enforces repository access and security policies via webhooks and RBAC.
More: https://ku.bz/mXXL2JPl4