Forwarded from KubeFM
Dilshan discusses a real incident where migrating EKS nodes to AL2023 caused the cluster autoscaler to lose AWS permissions silently.
You will learn:
- Why AL2023 blocks pod access to instance metadata by default, breaking components that relied on node IAM roles
- How to implement IRSA correctly by configuring IAM roles, Kubernetes service accounts, and OIDC trust relationships, and why both AWS IAM and Kubernetes RBAC must be configured independently
- How to audit which pods currently rely on node roles and clean up legacy IAM permissions to reduce attack surface after migration
Watch (or listen to) it here: https://ku.bz/T_YPfTfDb
🌟 This episode is brought to you by LearnKube — join their 4-day hands-on Advanced Kubernetes course starting January 29th and finally get comfortable with production clusters. https://learnkube.com/training
With @Birthmarkb "Keep Working Harder" Farrell
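The episode summary above describes the two halves of an IRSA migration: an IAM role whose trust policy is scoped to one Kubernetes ServiceAccount through the cluster's OIDC provider, and an audit of which pods still fall back to the node role. The following is an added example written for this page, not code from the episode or from AWS; the account ID, OIDC provider ID and the pod/ServiceAccount JSON are constructed, shaped as `kubectl get pods,sa -A -o json` would return them. Note that the trust policy only grants AWS-side permission: the ServiceAccount's Kubernetes RBAC (for the autoscaler, reading nodes and pods) is a separate configuration and is not touched here.

```python
"""Added example: build an IRSA trust policy and audit pods that still rely on the node role.

Hypothetical values: account ID 111122223333, OIDC provider ID EXAMPLED539D4633E53DE1B71EXAMPLE,
and the constructed SAMPLE_* objects below.
"""
import json

ROLE_ARN_ANNOTATION = "eks.amazonaws.com/role-arn"
WEB_IDENTITY_ENV = "AWS_WEB_IDENTITY_TOKEN_FILE"


def irsa_trust_policy(account_id, oidc_provider, namespace, service_account):
    """Return the IAM trust policy that lets exactly one ServiceAccount assume the role.

    oidc_provider is the issuer host/path without scheme, e.g.
    "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE...". The `sub` condition pins the role
    to a single namespace/ServiceAccount pair; `aud` must be sts.amazonaws.com so tokens
    minted for other audiences cannot be replayed against STS.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{oidc_provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{oidc_provider}:sub": f"system:serviceaccount:{namespace}:{service_account}",
                f"{oidc_provider}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def _has_web_identity_env(pod):
    """True if any container already points the SDK at a projected web-identity token."""
    for container in pod["spec"].get("containers", []):
        for env in container.get("env") or []:
            if env.get("name") == WEB_IDENTITY_ENV:
                return True
    return False


def find_node_role_pods(pods, service_accounts):
    """Return (namespace, pod, serviceAccount) for pods with no IRSA configuration.

    A pod whose ServiceAccount lacks the role-arn annotation, and whose containers
    carry no web-identity env, has no credential source other than instance metadata,
    which is the path AL2023 blocks by default. Treat the result as a candidate list:
    a pod that never calls AWS is harmless, but it is the set you must check before
    removing permissions from the node role.
    """
    annotated = set()
    for sa in service_accounts:
        meta = sa["metadata"]
        if ROLE_ARN_ANNOTATION in (meta.get("annotations") or {}):
            annotated.add((meta["namespace"], meta["name"]))
    offenders = []
    for pod in pods:
        ns = pod["metadata"]["namespace"]
        sa_name = pod["spec"].get("serviceAccountName", "default")
        if (ns, sa_name) not in annotated and not _has_web_identity_env(pod):
            offenders.append((ns, pod["metadata"]["name"], sa_name))
    return offenders


# Constructed sample objects (not from a real cluster).
SAMPLE_SERVICE_ACCOUNTS = [
    {"metadata": {"namespace": "kube-system", "name": "cluster-autoscaler", "annotations": {}}},
    {"metadata": {"namespace": "kube-system", "name": "aws-load-balancer-controller",
                  "annotations": {ROLE_ARN_ANNOTATION: "arn:aws:iam::111122223333:role/LBControllerRole"}}},
    {"metadata": {"namespace": "default", "name": "default"}},
]
SAMPLE_PODS = [
    {"metadata": {"namespace": "kube-system", "name": "cluster-autoscaler-7d9f"},
     "spec": {"serviceAccountName": "cluster-autoscaler", "containers": [{"name": "autoscaler", "env": []}]}},
    {"metadata": {"namespace": "kube-system", "name": "aws-load-balancer-controller-abc"},
     "spec": {"serviceAccountName": "aws-load-balancer-controller", "containers": [{"name": "controller"}]}},
    {"metadata": {"namespace": "default", "name": "nginx-1"},
     "spec": {"containers": [{"name": "nginx"}]}},
    {"metadata": {"namespace": "default", "name": "legacy-uploader"},
     "spec": {"containers": [{"name": "uploader", "env": [
         {"name": WEB_IDENTITY_ENV, "value": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}]}]}},
]

if __name__ == "__main__":
    policy = irsa_trust_policy("111122223333",
                               "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE",
                               "kube-system", "cluster-autoscaler")
    print(json.dumps(policy, indent=2))
    for ns, pod, sa in find_node_role_pods(SAMPLE_PODS, SAMPLE_SERVICE_ACCOUNTS):
        print(f"no IRSA: {ns}/{pod} (serviceAccount={sa})")
```

On a live cluster, feed `find_node_role_pods` the `items` arrays from `kubectl get pods -A -o json` and `kubectl get sa -A -o json`; the flagged pods are the ones to give an annotated ServiceAccount before the node role's policies are trimmed.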
This article outlines 12 best practices for hardening a Kubernetes cluster, focusing on non-root containers, avoiding hostPath volumes, and configuring Security Contexts properly.
More: https://ku.bz/CT-gDz3Gm
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 166:
🚀 How We Moved a 2 Million RPM WebSocket Service to EKS and Fixed a Critical Bottleneck
🔒 Beyond the Surface: Exploring Attacker Persistence Strategies in Kubernetes
📊 Standardizing CRD Condition Metrics in Kubernetes Operators
⚡ Scaling Dagster on Kubernetes: Best Practices for 50+ Code Locations
🌐 An Introduction to Envoy AI Gateway
Read it now: https://kube.today/issues/166
⭐️ This issue is brought to you by LearnKube — master Kubernetes with hands-on training designed for engineers who want to learn the smart way https://ku.bz/hypSbyc-V
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
👨💻 Remote from the United States of America
→ https://ku.bz/NXd17JHfV
DevSecOps Engineer with Postman
💰 $250K to $275K a year
🏠🏃🏻♂️🌎 San Francisco, CA; Boston, MA; New York, NY, USA
→ https://ku.bz/gWd2ppTCm
Security Architect with Dexterity
💰 $200K to $300K a year
🏠 From the office in Redwood, CA, USA
→ https://ku.bz/-Tx02LFF4
DevSecOps Engineer with Corelight
💰 $221K to $268K a year
👨💻 Remote from North America.
→ https://ku.bz/_D5yTqnHk
👉 Browse 1228 jobs on Kube Careers https://kube.careers
Forwarded from Kube Architect
Sveltos installs as a controller in a management cluster, deploying add-ons and policies (Helm charts, Kustomize, raw YAML) to target clusters by label selectors and sync rules, automating multi-cluster resource management and compliance.
More: https://ku.bz/j_ZZTyYqy
Forwarded from KubeFM
John Howard, Senior Software Engineer at Solo.io, explains what Mutual TLS (mTLS) is and its importance in Kubernetes environments.
This two-way authentication is valuable in Kubernetes infrastructure, allowing workload-to-workload traffic to be properly authenticated. John illustrates how in a front-end to back-end scenario, the front-end service would present its own certificate to the back-end, enabling verification of identity and origin - a fundamental component for implementing zero-trust security in Kubernetes clusters.
Watch the full episode on KubeFM: https://ku.bz/sk-ZF1PG9
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 167:
⚖️ Kubernetes & KEDA: Avoiding System Failures from Imbalanced Scaling
🔐 Why DevOps should Sec: making a case for DevOps Engineers to transition to DevSecOps
🌐 Optimizing Pod IP Allocation in AWS EKS with Amazon VPC CNI Prefix Delegation
🎮 GPU Starvation in Kubernetes: How Dynamic MIG Partitioning Saved Our GPU Budget
🔄 Migrating from F5 NGINX ingress controller to the F5 NGINX gateway fabric
Read it now: https://kube.today/issues/167
⭐️ This newsletter is brought to you by LearnKube — master Kubernetes with hands-on training designed for engineers who want to learn the smart way https://ku.bz/hypSbyc-V
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Tailscale
💰 $15.8M to $19.77M a year
🌎 Fully remote
→ https://ku.bz/J9Cs7QBBp
DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
👨💻 Remote from the United States of America
→ https://ku.bz/NXd17JHfV
DevSecOps Engineer with Scale AI
💰 $264K to $330K a year
👨💻 Remote from
→ https://ku.bz/BdXCcJX58
Security Architect with Dexterity
💰 $200K to $300K a year
🏠 From the office in Redwood, CA, USA
→ https://ku.bz/-Tx02LFF4
DevSecOps Engineer with Corelight
💰 $221K to $268K a year
👨💻 Remote from North America.
→ https://ku.bz/_D5yTqnHk
👉 Browse 1282 jobs on Kube Careers https://kube.careers
Pinniped provides identity services to Kubernetes by integrating external identity providers (OIDC, LDAP, Active Directory) with clusters for secure, unified login across on-premises and cloud environments.
More: https://ku.bz/Zb8ms9RlY
Forwarded from KubeFM
Most developers assume Kubernetes requires an enterprise budget. Varnit Goyal proves otherwise — he built a full three-node Kubernetes cluster for $2.16/month using Rackspace Spot Instances.
You will learn:
- How Spot Instance bidding works and which strategies keep costs and preemption low
- Using Tailscale Kubernetes operator as a free alternative to traditional load balancers
- Running real development dependencies (Kafka, Elasticsearch, Postgres) on a budget cluster
Watch (or listen to) it here: https://ku.bz/HpVyQMVv0
🌟 This episode is sponsored by LearnKube — join the 4-day Advanced Kubernetes workshop on Jan 29: https://learnkube.com/training
With @Birthmarkb "Vivacious voice" Farrell
traefik-oidc-auth is a Traefik plugin that secures upstream services with OpenID Connect authentication, acting as a relying party for identity providers such as ZITADEL, Keycloak, Microsoft Entra ID, and Authentik.
More: https://ku.bz/18rD29Nlh
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 168:
🗑️ What Happens When You Delete a Kubernetes CustomResourceDefinition?
🌱 Making ML Training Carbon-Aware with Compute Gardener
⚡ 8 vLLM Serving Setups That Handle Spiky Traffic
🛡️ How I Prevent My Kubernetes Resources from Being Deleted When Argo Apps Are Removed
🔄 Reproducible Kubernetes Infrastructure with NixOS and OKD
Read it now: https://kube.today/issues/168
⭐️ This newsletter is brought to you by Kubex — Automated Resource Optimization for Kubernetes, GPUs and AI Workloads https://ku.bz/y98T8bWXP
This tutorial teaches how to deploy KubeArmor runtime security on Huawei Cloud Container Engine (CCE) using BPF-LSM for dynamic kernel-level policy enforcement without static profiles or reboots.
More: https://ku.bz/vnqpX_3yc
Forwarded from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Tailscale
💰 $16.04M to $20.08M a year
🌎 Fully remote
→ https://ku.bz/J9Cs7QBBp
DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
👨💻 Remote from the United States of America
→ https://ku.bz/NXd17JHfV
DevSecOps Engineer with Scale AI
💰 $264K to $330K a year
👨💻 Remote from
→ https://ku.bz/BdXCcJX58
Security Architect with Dexterity
💰 $200K to $300K a year
🏠 From the office in Redwood, CA, USA
→ https://ku.bz/-Tx02LFF4
DevSecOps Engineer with Corelight
💰 $221K to $268K a year
👨💻 Remote from North America.
→ https://ku.bz/_D5yTqnHk
👉 Browse 1298 jobs on Kube Careers https://kube.careers
Dockadvisor is a lightweight Dockerfile linter built in Go that validates your Dockerfiles with over 60 rules covering syntax, security, and best practices.
More: https://ku.bz/2DT4TqRRk
This article explains a critical security issue where AWS CSI drivers gave DaemonSet service accounts the ability to patch nodes, completely breaking node isolation in multi-tenant clusters.
More: https://ku.bz/xGP7ymMvW
Kaniop is a Kubernetes operator written in Rust for managing Kanidm identity management clusters, providing declarative identity management through GitOps workflows.
More: https://ku.bz/D1JBBy0B3
Forwarded from KubeFM
Ziv Yatzik manages 600+ Postgres clusters in a closed network environment with no public cloud. After existing backup solutions proved unreliable — causing downtime when disks filled up — his team built a new architecture using pgBackRest, Argo CD, and Kubernetes CronJobs.
You will learn:
- Why storing WAL files on shared NAS storage prevents backup failures from cascading into database outages
- How GitOps with Argo CD lets them manage backups for hundreds of clusters by adding a single YAML file
Watch (or listen to) it here: https://ku.bz/Rg_sQYSmw
🌟 This episode is sponsored by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training https://learnkube.com/training
With @Birthmarkb
This tutorial teaches how to deploy HashiCorp Vault Secrets Operator on Google Kubernetes Engine to synchronize Vault secrets into Kubernetes Secret resources automatically.
More: https://ku.bz/QnvFmQp8h
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 169:
🔥 When High Availability Brings Downtime
🔄 Upgrade AWS CSI Drivers in Your Multi-Tenant Kubernetes Cluster
🤖 How We Serve AI/ML Models at Scale in SAP AI Core
✅ Container Readiness Checks for Spring Boot Deployments
🌐 CoreDNS in OpenShift
Read it now: https://kube.today/issues/169
⭐️ This newsletter is brought to you by LearnKube — master Kubernetes with hands-on training designed for engineers who want to learn the smart way https://ku.bz/hypSbyc-V
Forwarded from KubeFM
Nicholaos Mouzourakis, Staff Product Security Engineer at Gusto, explains how Open Policy Agent (OPA) integrates with Kubernetes for authorization. He highlights OPA's versatility and performance characteristics, noting that a single node can handle numerous requests with proper optimization.
He describes multiple deployment options, including:
- Standing up multiple OPA instances
- Setting up auto-scaling groups
- Co-locating OPA with server pods
- Running OPA as a WASM module for lower latency
Watch the full episode on KubeFM: https://ku.bz/S-2vQ_j-4