Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 157:
⚙️ gRPC with ALB and Traefik: Building Reliable End-to-End Connectivity
🧭 How to Prevent Failures with Kubernetes Topology Spread Constraints
📜 Demystifying Kubernetes YAML: Structure, Patterns, and Best Practices
🔗 Shared Socket: Enhancing Kubernetes Pod Communication with eBPF
🌐 Kubernetes Networking Tutorial: A Complete Guide for Developers
Read it now: https://kube.today/issues/157
⭐️ This newsletter is brought to you by Testkube — your app is Kubernetes-native, your testing should be too. Run any kind of test automation with the help of the platform built for it https://ku.bz/Zfrty_fcC
This case study explains how BioCatch migrated their Vault environment from costly external storage to Raft, enabling high availability, easy disaster recovery, and lower operational costs in Kubernetes.
More: https://ku.bz/zPwwpmMyV
Kviklet provides a secure, self-hosted tool for engineering teams to request, review, and approve production database queries with a workflow inspired by code reviews.
More: https://ku.bz/blQ6ybFXN
Forwarded from KubeFM
Tim Miller CEO and Co-founder at Kusari challenges the common belief that minimal container images automatically mean better security.
He explains that while removing unnecessary binaries and shells is a good practice, the real focus should be on validating each component's purpose in the container. Tim emphasizes two key aspects of container security: ensuring transparency (knowing what's inside) and verification (confirming the image is truly minimal).
Watch the full interview: https://ku.bz/-2Sqn9Jb9
This interview is a reaction to Harsha Koushik's episode https://ku.bz/n_sJ04xMY
Sealed Secrets provides declarative Kubernetes Secret Management in a secure way.
Since the Sealed Secrets are encrypted, they can be safely stored in a code repository.
More: https://ku.bz/M_ZTLCWtB
Forwarded from KubeFM
Tanat shares the complete journey of replacing EKS Managed Node Groups and Cluster Autoscaler with Karpenter.
You will learn:
- How to decouple control plane and data plane upgrades using Karpenter's asynchronous node rollout capabilities
- Cost optimization strategies including flexible instance selection, automated AMD migration, and performance considerations
- Policy automation and operational practices using Kyverno for user experience simplification, implementing proper Pod Disruption Budgets
Watch (or listen to) it here: https://ku.bz/T6hDSWYhb
🌟 Speaking of Pod Disruption Budgets — we're running a deep dive webinar with StormForge next week on Kubernetes Scheduling: Priority, Preemption & Resource Requests.
Learn why high-priority pods evict workloads and how the scheduler decides which pods to kill under pressure: https://ku.bz/chJZ7bb-l
With @Birthmarkb "60+ interviews" Farrell
This open-source platform lets you run a self-hosted zero-trust secure access solution supporting VPN-like WireGuard/QUIC, ZTNA, API/AI gateways, homelab access and Kubernetes ingress on your own infrastructure.
More: https://ku.bz/JWMdMH_J8
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 158:
🔥 From Linux Primitives to Kubernetes Security Contexts
🚀 Migrating OpenShift Stateful Workloads to Azure Kubernetes Service (AKS)
🧠 Tuning Linux Swap for Kubernetes: A Deep Dive
💻 Remote Development Environment Supercharged with MCP Servers
🔍 Tracing Strategies for LLMs Running on Google Cloud Run
Read it now: https://kube.today/issues/158
⭐️ This issue is brought to you by StormForge by CloudBolt and LearnKube. Join "Kubernetes Scheduling Deep Dive: Priority, Preemption, and Resource Requests" and learn how to protect critical workloads under resource pressure https://ku.bz/jTvQKH2sn
OpenBao provides an open-source solution to manage, store, and distribute secrets, certificates, and keys with secure encryption, dynamic secrets, automated leasing, and detailed revocation.
More: https://ku.bz/qg3j1t67t
Forwarded from KubeFM
Alex Chircop, Chief Architect @ Akamai, discusses three emerging Kubernetes tools he's tracking that address sophisticated workload challenges.
He explores KCP for scaling Kubernetes as a control plane to handle massive orchestration numbers, the ongoing challenges with OpenTelemetry for observability and, finally, advanced access control systems beyond traditional CEL and OPA.
Watch the full interview: https://ku.bz/jHLJL8H6t
This tutorial walks you through deploying SPIFFE and SPIRE in Kubernetes to issue cryptographically secure, auto-rotating identities to workloads, enabling mTLS and zero-trust communication.
More: https://ku.bz/HsWb7TCYL
Forwarded from KubeFM
Ratan Tipirneni, President & CEO @ Tigera, announces Calico AI, a new AI-powered initiative designed to unlock the value of Tigera's existing Calico platform.
He explains how Calico serves as a unified platform for Kubernetes networking, network security, and observability, and describes their strategy to leverage AI as an umbrella term for innovation over the next couple of years.
Watch the interview: https://ku.bz/fwFG0jZNk
Read the announcement: https://ku.bz/1nljhB1vQ
Forwarded from KubeFM
Amos walks through his production incident where adding a home computer as a Kubernetes node caused TLS certificate renewals to fail.
You will learn:
- How Kubernetes networking assumptions break when mixing cloud VMs with nodes behind consumer routers, and why cert-manager challenges fail in NAT environments
- The differences between CNI plugins like Flannel and Calico, particularly how they handle IPv6 translation
- Debugging techniques for network issues using tools like netshoot, K9s, and iproute2
- Best practices for mixed infrastructure including proper node labeling, taints, and scheduling controls
Watch (or listen to) it here: https://ku.bz/6Ll_7slr9
🌟 This episode is sponsored by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person or remote training https://learnkube.com/training
With @Birthmarkb "50 off grid YT shorts" Farrell
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 159:
🔥 Kubernetes CPU Limits: Scylla and Charybdis
🧭 Kubernetes v1.34: Finer-Grained Control Over Container Restarts
🗂️ Understanding Kubernetes Cached Clients: How They Work and Why They Matter
💸 Understanding the True Cost of a Kubernetes Workload
🪙 Cloud Cost Optimization: A Senior Engineer’s Guide
Read it now: https://kube.today/issues/159
⭐️ This newsletter is brought to you by Heroku. Discover the thriving ecosystem of contributors, companies, and career paths in the Kubernetes World book https://ku.bz/bhlMdNf61
Forwarded from KubeFM
Gordon Myers explains why thorough testing is critical when implementing webhooks in Kubernetes.
He shares a real-world example of building a Mutating Webhook that injects secrets from HashiCorp Vault into running applications using pod annotations. The discussion covers:
- How a 500 error in webhooks can prevent pods from launching entirely
- The implementation of a custom entrypoint script for injecting secrets as environment variables
- Why webhooks require extensive unit testing due to their cluster-wide impact
The example demonstrates how seemingly simple webhook implementations can have significant consequences for the entire Kubernetes cluster if not properly tested.
Watch the full episode: https://ku.bz/Dmn93dd7M
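The failure mode described in Gordon Myers' episode, as an added Python example that is not his code or the episode's: the mutation logic for an annotation-driven env-var injector that always returns a well-formed AdmissionReview response. The annotation key `vault.example.com/inject-env`, its `NAME=vault/path` value format, and the in-memory dictionary standing in for a Vault client are assumptions made for this example; the sample request is constructed.

```python
"""Annotation-driven secret injection for a Kubernetes mutating webhook.

Added example, not code from the episode. The annotation key, the value
format and the Vault stand-in are assumptions for illustration.
"""
import base64
import json
from typing import Optional

INJECT_ANNOTATION = "vault.example.com/inject-env"  # assumed annotation key

# Constructed stand-in for a Vault read: secret path -> value.
FAKE_VAULT = {"secret/data/app/db": "s3cr3t-password"}


def fetch_secret(path: str) -> str:
    """Stand-in for a Vault client read; raises KeyError for unknown paths."""
    return FAKE_VAULT[path]


def build_patch(pod: dict) -> list:
    """Return a JSON Patch adding one env var per NAME=path pair to every container.

    Pods without the annotation get an empty patch (no mutation).
    """
    annotations = pod.get("metadata", {}).get("annotations") or {}
    spec = annotations.get(INJECT_ANNOTATION)
    if not spec:
        return []
    envs = []
    for pair in spec.split(","):
        name, path = pair.split("=", 1)  # ValueError on malformed input
        envs.append({"name": name.strip(), "value": fetch_secret(path.strip())})
    patch = []
    for idx, container in enumerate(pod["spec"]["containers"]):
        if "env" not in container:
            # Create the list first; later ops append to it with "/-".
            patch.append({"op": "add", "path": f"/spec/containers/{idx}/env", "value": []})
        for env in envs:
            patch.append({"op": "add", "path": f"/spec/containers/{idx}/env/-", "value": env})
    return patch


def handle_admission_review(review: dict) -> dict:
    """Produce the AdmissionReview response the API server expects.

    Every path returns a response. An unhandled exception here becomes an
    HTTP 500 to the API server and, with failurePolicy: Fail, blocks every
    pod the webhook matches; a per-pod denial with a reason does not.
    """
    req = review["request"]
    resp = {"uid": req["uid"], "allowed": True}
    try:
        patch = build_patch(req["object"])
        if patch:
            resp["patchType"] = "JSONPatch"
            resp["patch"] = base64.b64encode(json.dumps(patch).encode()).decode()
    except Exception as exc:  # deliberately broad: never crash the handler
        # Fail closed for this pod only, with a readable reason in its events.
        resp["allowed"] = False
        resp["status"] = {"code": 400, "message": f"secret injection failed: {exc}"}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}


def decode_patch(response: dict) -> list:
    """Decode the base64 JSON Patch from a response (for inspection/tests)."""
    return json.loads(base64.b64decode(response["response"]["patch"]))


def make_review(annotation_value: Optional[str]) -> dict:
    """Constructed sample CREATE request, shaped like the API server's."""
    annotations = {INJECT_ANNOTATION: annotation_value} if annotation_value else {}
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": "7f1d8b7e-0000-4000-8000-000000000001",
            "kind": {"group": "", "version": "v1", "kind": "Pod"},
            "operation": "CREATE",
            "object": {
                "apiVersion": "v1",
                "kind": "Pod",
                "metadata": {"name": "app", "annotations": annotations},
                "spec": {"containers": [{"name": "app", "image": "app:1.0"}]},
            },
        },
    }


if __name__ == "__main__":
    print(json.dumps(handle_admission_review(make_review("DB_PASSWORD=secret/data/app/db")), indent=2))
    print(json.dumps(handle_admission_review(make_review("DB_PASSWORD=secret/data/missing")), indent=2))
```

Pair the handler with a narrowly scoped MutatingWebhookConfiguration (a namespaceSelector or objectSelector and a short timeoutSeconds) so that even a crashing webhook cannot stall pod creation cluster-wide, and unit-test the three cases above (annotated, unannotated, bad path) before it ever sees a cluster.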
Forwarded from KubeFM
Alex Arnell, Principal Member of Technical Staff at Heroku, shares three Kubernetes tools he's actively monitoring from both production experience and personal interest.
He provides insights into the OpenTelemetry Operator, which Heroku uses extensively for managing collectors and auto-instrumentation, particularly highlighting the target allocator feature for dynamic collector configuration.
Alex also discusses SPIFFE and Spire for identity management, noting the quality of their Kubernetes implementation and certificate provisioning capabilities for workload identity verification. Finally, he covers KEDA (Kubernetes Event-Driven Autoscaler), explaining its appeal for platform-as-a-service providers due to its scale-to-zero capabilities and telemetry integrations, even though Heroku isn't currently using it in production.
Watch the full interview: https://ku.bz/Lsr8gltrH
Forwarded from KubeFM
Harsha Koushik, a Security Researcher and Technical Product Manager at Palo Alto Networks, explores the evolving landscape of cybersecurity attack surfaces.
He explains the shift from traditional perimeter-focused defenses to the more sophisticated methods attackers now use, such as targeting supply chains and transitive dependencies.
Harsha emphasizes the critical need to sign artifacts, including image layers and libraries, to safeguard against these advanced threats.
Watch the full episode: https://ku.bz/n_sJ04xMY
This tool lets your Kubernetes cluster automatically issue TLS certificates for pods by handling PodCertificateRequest resources with a custom signer controller.
More: https://ku.bz/9l1Dq8skJ
Forwarded from KubeFM
Fabián walks through a real engineering investigation that started with a simple request: allowing cluster tenants to use third-party Kafka services. What seemed straightforward turned into a complex DNS resolution problem that required testing seven different approaches before a working solution was found.
You will learn:
- How to implement the final solution using node-local DNS and CoreDNS templating with practical details including ndots configuration and Kyverno automation
- Platform engineering evaluation criteria for assessing solutions based on maintainability, self-service capability, and evolvability in multi-tenant environments
Watch (or listen to) it here: https://ku.bz/NsBZ-FwcJ
🌟 This episode is sponsored by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person or remote training. https://learnkube.com/training
With @Birthmarkb "Performance reviewer" Farrell
This article explains how to enforce security and compliance by validating Kubernetes resource configs using Open Policy Agent (OPA) and Rego policies, with deployment tips for Gatekeeper and sidecars.
More: https://ku.bz/nVYydLnDP