Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 159:
🔥 Kubernetes CPU Limits: Scylla and Charybdis
🧭 Kubernetes v1.34: Finer-Grained Control Over Container Restarts
🗂️ Understanding Kubernetes Cached Clients: How They Work and Why They Matter
💸 Understanding the True Cost of a Kubernetes Workload
🪙 Cloud Cost Optimization: A Senior Engineer’s Guide
Read it now: https://kube.today/issues/159
⭐️ This newsletter is brought to you by Heroku. Discover the thriving ecosystem of contributors, companies, and career paths in the Kubernetes World book https://ku.bz/bhlMdNf61
Forwarded from KubeFM
Gordon Myers explains why thorough testing is critical when implementing webhooks in Kubernetes.
He shares a real-world example of building a Mutating Webhook that injects secrets from HashiCorp Vault into running applications using pod annotations. The discussion covers:
- How a 500 error in a webhook can prevent pods from launching entirely
- The implementation of a custom entrypoint script for injecting secrets as environment variables
- Why webhooks require extensive unit testing due to their cluster-wide impact
The example demonstrates how seemingly simple webhook implementations can have significant consequences for the entire Kubernetes cluster if not properly tested.
Watch the full episode: https://ku.bz/Dmn93dd7M
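The failure mode described above (a webhook answering 500 and blocking pod creation) is governed by the webhook's registration, not only by its code. The following MutatingWebhookConfiguration is an added example, not configuration from the episode or from any particular injector project; the webhook name, namespace, labels, service and caBundle are placeholders. It shows the settings that bound the blast radius of a broken webhook: an explicit failurePolicy, a short timeout, and namespace and object selectors so that only opted-in pods are ever sent to the webhook.

```yaml
# Added example (not from the episode): registration for a pod-mutating webhook,
# written so that a webhook returning 500 cannot stall the whole cluster.
# All names, namespaces, labels and the caBundle value are placeholders.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: vault-secret-injector            # placeholder name
webhooks:
  - name: inject.vault.example.com       # placeholder; must be a fully qualified name
    admissionReviewVersions: ["v1"]
    sideEffects: None
    # Fail closed: a 500 or a timeout from the webhook rejects the pod.
    # That is the safer default for a security control, but it means a broken
    # webhook blocks every pod the rules and selectors below match, which is
    # why the selectors are narrowed rather than left empty (= all pods).
    failurePolicy: Fail
    # Bound the call so a hung webhook does not hold up API requests for long.
    timeoutSeconds: 5
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
        operations: ["CREATE"]
    # Only pods in namespaces that opt in are sent to the webhook, so a failing
    # webhook cannot block kube-system or tenants that do not use Vault.
    namespaceSelector:
      matchLabels:
        vault-injection: enabled         # placeholder label
    # Selectors match labels, not annotations: the label narrows which pods
    # reach the webhook, while the annotation-driven injection logic from the
    # episode runs inside the webhook itself.
    objectSelector:
      matchLabels:
        vault-inject: "true"             # placeholder label
    clientConfig:
      service:
        namespace: vault-injector        # placeholder namespace
        name: vault-injector             # placeholder service name
        path: /mutate
        port: 443
      caBundle: "<base64-encoded CA bundle, placeholder>"
```

With this registration, a webhook outage still rejects pods, but only labelled pods in opted-in namespaces; the same pod creation without the label is never touched. Switching failurePolicy to Ignore trades that availability risk for a silent-bypass risk (pods start without their secrets injected), so the choice should be made deliberately and covered by the unit tests the episode argues for.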
Forwarded from KubeFM
Alex Arnell, Principal Member of Technical Staff at Heroku, shares three Kubernetes tools he's actively monitoring from both production experience and personal interest.
He provides insights into the OpenTelemetry Operator, which Heroku uses extensively for managing collectors and auto-instrumentation, particularly highlighting the target allocator feature for dynamic collector configuration.
Alex also discusses SPIFFE and Spire for identity management, noting the quality of their Kubernetes implementation and certificate provisioning capabilities for workload identity verification. Finally, he covers KEDA (Kubernetes Event-Driven Autoscaler), explaining its appeal for platform-as-a-service providers due to its scale-to-zero capabilities and telemetry integrations, even though Heroku isn't currently using it in production.
Watch the full interview: https://ku.bz/Lsr8gltrH
Forwarded from KubeFM
Harsha Koushik, a Security Researcher and Technical Product Manager at Palo Alto Networks, explores the evolving landscape of cybersecurity attack surfaces.
He explains the shift from traditional perimeter-focused defenses to more sophisticated attacker methods, such as targeting supply chains and transitive dependencies.
Harsha emphasizes the critical need to sign artifacts, including image layers and libraries, to safeguard against these advanced threats.
Watch the full episode: https://ku.bz/n_sJ04xMY
This tool lets your Kubernetes cluster automatically issue TLS certificates for pods by handling PodCertificateRequest resources with a custom signer controller.
More: https://ku.bz/9l1Dq8skJ
Forwarded from KubeFM
Fabián walks through a real engineering investigation that started with a simple request: allowing cluster tenants to use third-party Kafka services. What seemed straightforward turned into a complex DNS resolution problem that required testing seven different approaches before a working solution was found.
You will learn:
- How to implement the final solution using node-local DNS and CoreDNS templating with practical details including ndots configuration and Kyverno automation
- Platform engineering evaluation criteria for assessing solutions based on maintainability, self-service capability, and evolvability in multi-tenant environments
Watch (or listen to) it here: https://ku.bz/NsBZ-FwcJ
🌟 This episode is sponsored by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person or remote training. https://learnkube.com/training
With @Birthmarkb "Performance reviewer" Farrell
This article explains how to enforce security and compliance by validating Kubernetes resource configs using Open Policy Agent (OPA) and Rego policies, with deployment tips for Gatekeeper and sidecars.
More: https://ku.bz/nVYydLnDP
Forwarded from KubeFM
Ritesh Patel, Co-founder @ Nirmata, announces the recent launch of Nirmata's AI Platform Engineering Assistant.
He explains how platform engineering teams are currently overwhelmed by the need to master multiple new technologies, creating a significant productivity bottleneck. The AI assistant acts as a dedicated teammate that accelerates critical tasks in security, policy, and governance - areas that typically consume substantial time and expertise.
Watch the interview: https://ku.bz/8nkrRSG_Z
Read the announcement: https://ku.bz/8_yYZZMG4
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 160:
🌐 Kubernetes Networking from Packets to Pods
⚙️ Seamless Istio Upgrades at Scale
🔍 How I find and fix Kubernetes Exit Codes and Misconfigurations for free
🔒 Kubernetes security fundamentals: networking
📊 A Step-by-Step Guide to Jaeger Tracing on Kubernetes
Read it now: https://kube.today/issues/160
⭐️ This issue is brought to you by vCluster Labs and Learnkube. To explore the architecture from hardware to runtime and understand why GPU scheduling is different, join the free webinar on GPU Sharing Mechanisms in Kubernetes https://ku.bz/8GzcKPzzF
This tool provides a Model Context Protocol (MCP) server for querying Kubernetes Audit Logs across cloud providers using AWS CloudWatch, GCP Logging, and Alibaba SLS.
More: https://ku.bz/Hm_CMFF66
This tutorial walks you through enabling, running, and monitoring IPv6 networking on Kubernetes clusters using Cilium.
More: https://ku.bz/b6RFcGQjF
Kube No Trouble (kubent) is a tool to check whether you're using any deprecated APIs in your cluster and therefore should upgrade your workloads first, before upgrading your Kubernetes cluster.
More: https://ku.bz/zMyZdL3w6
This article explores why using Kubernetes namespaces alone is not a sufficient isolation or security boundary.
It shows common pitfalls and many attack paths that let a tenant escape isolation even if you only gave them access to a single namespace.
More: https://ku.bz/PCmRjmB57
Tetragon enables powerful real-time, eBPF-based security observability and runtime enforcement.
It is Kubernetes-aware and understands identities, allowing security event detection to be configured in relation to individual workloads.
More: https://ku.bz/WrhnVyd2p
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 161:
🔥 Kubernetes Informers Are So Easy... To Misuse!
🎤 KubeCon 2025: Three Things This Year’s Conversations Told Me About Kubernetes Optimization
🛑 Importance of Graceful Shutdown in Kubernetes
🚪 Breaking Boundaries: Kubernetes Namespaces and Multi-tenancy
🎯 Centralizing Helm Charts: Moving Beyond Ingress with HTTPProxy
Read it now: https://kube.today/issues/161
⭐️ This newsletter is brought to you by StormForge by CloudBolt — ML-powered Kubernetes rightsizing that keeps clusters fast, efficient, and under control https://ku.bz/2CSC8dH38
kubelogin is a kubectl plugin for Kubernetes OpenID Connect (OIDC) authentication, also known as kubectl oidc-login.
More: https://ku.bz/tVhnrW9MG
This article explains how to remove permission checks from microservices and build a centralized authorization layer with Kong OSS and OpenFGA.
More: https://ku.bz/50Pf5hFcV
This open-source tool helps you manage authentication and access across servers, databases and Kubernetes clusters via API or CLI.
More: https://ku.bz/VYnDyMT1h
This article shows how to use the Kong OIDC plugin together with Keycloak to secure cluster services and HTTP routes at the API gateway level.
More: https://ku.bz/2Q103hfW1
This tool delivers real-time node/pod-level process, file and network visibility for Kubernetes and bare-metal environments, with rule-based alerts, dashboards and hybrid cloud support.
More: https://ku.bz/7lk94WvMv
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 162:
🐍 Kubernetes Needs Its Python Moment
☁️ Migrating Kubernetes out of the Big Cloud Providers
📦 Kubernetes v1.34: DRA Consumable Capacity
🛠️ Managing APIs in Kubernetes with Kong Ingress Controller
🚑 Fixing Upstream Connect Errors (Docker, Kubernetes, Spring Boot & More)
Read it now: https://kube.today/issues/162
⭐️ This newsletter is brought to you by Depot — Speed up your Docker builds by up to 40x with Depot's cloud-based builders https://ku.bz/bnY9lr632