This week on Learn Kubernetes Weekly 171:

🔍 Stop Hunting Logs: How OpenTelemetry Brings Metrics, Logs, and Traces Together
🚀 Continuous Frontend Deployments at Scale: 7000 Deployments per Month with GitOps
⚙️ How We Replaced the Default Kubernetes Scheduler to Optimize Our Continuous Integration Builds
🏗️ Building Production-Ready Micro Frontends in Kubernetes: A Pragmatic Approach
🔐 Detecting Vulnerabilities in Public Helm Charts

Read it now: https://kube.today/issues/171

⭐️ This issue is brought to you by vCluster and LearnKube — join "Multi-Tenancy March" starting Feb 24: a free 3-part hands-on series on namespace isolation, virtual clusters, GPU sharing, and AI agent sandboxing on Kubernetes https://ku.bz/multitenant26

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Anthropic
💰 $40.5M to $48.5M a year
🏠 From the office in San Francisco, CA, USA
→ https://ku.bz/wrrnmcjDQ

DevSecOps Engineer with Tailscale
💰 $16.01M to $20.04M a year
🌎 Fully remote
→ https://ku.bz/J9Cs7QBBp

DevSecOps Engineer with Accenture Federal Services
💰 $11.49M to $15.13M a year
👨‍💻 Remote from
→ https://ku.bz/bsl59cPMh

DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
👨‍💻 Remote from the United States of America
→ https://ku.bz/NXd17JHfV

DevSecOps Engineer with xAI
💰 $180K to $440K a year
👨‍💻 Remote from
→ https://ku.bz/R4vBYC5mW

👉 Browse 2270 jobs on Kube Careers https://kube.careers

kseal is a kubeseal companion CLI for viewing, exporting, encrypting, and offline decrypting Kubernetes Sealed Secrets without needing live cluster access.

More: https://ku.bz/JbNY0d2Ch

Push-to-K8s is a Kubernetes controller written in Go that automatically synchronizes labeled secrets from a source namespace to all other namespaces in the cluster with real-time change detection propagating updates in 5-10 seconds.

More: https://ku.bz/z-7ytwsb-

Radosław from aleno migrated from ECS to Kubernetes — spot instances broke at 20+ containers, firewalls silently dropped traffic, and the wrong memory metric caused OOM kills.

You will learn:

- Why ECS spot instances have no built-in fallback mechanism — and how Karpenter's flexible instance selection solves it
- How running Flux and Argo CD together gives infra teams git-push workflows while developers get a UI
- Why the default Kubernetes memory metric includes evictable caches — and switching to working set fixed OOM errors
- How jemalloc cut memory usage by 20% and fixed HPA autoscaling for WebSocket containers

Watch (or listen to) it here: https://ku.bz/x6wFMhVsx

🌟 This episode is sponsored by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training https://learnkube.com/training

With @Birthmarkb

This article explains how EKS authentication tokens work by pre-signing AWS STS GetCallerIdentity calls, and how you can use this technique to implement IAM-based authentication in your own services.

More: https://ku.bz/3WRXBcqzd

This week on Learn Kubernetes Weekly 172:

🔥 Google Cloud Shell Container Escape
🌐 Azure Kubernetes Service Deep Dive Into Azure CNI Pod Subnet
💭 How I Think About Kubernetes
📦 How We Shrunk a Kubernetes Sidecar from 421MB to 90MB (With No OS Inside)
🎯 Kube Resource Orchestrator: Manage any group of resources as one unit

Read it now: https://kube.today/issues/172

⭐️ This newsletter is brought to you by Kubex — Automated Resource Optimization for Kubernetes, GPUs and AI Workloads https://ku.bz/y98T8bWXP

Guardon is a browser extension that catches Kubernetes security misconfigurations during GitHub/GitLab code reviews, providing instant feedback, actionable YAML fixes, a custom rule engine, and Kyverno policy import, with no CI setup required.

More: https://ku.bz/1dwsMRc7S

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Anthropic
💰 $40.5M to $48.5M a year
🏠 From the office in San Francisco, CA, USA
→ https://ku.bz/wrrnmcjDQ

DevSecOps Engineer with Tailscale
💰 $15.95M to $19.97M a year
🌎 Fully remote
→ https://ku.bz/J9Cs7QBBp

DevSecOps Engineer with Accenture Federal Services
💰 $11.49M to $15.13M a year
👨‍💻 Remote from
→ https://ku.bz/bsl59cPMh

DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
👨‍💻 Remote from the United States of America
→ https://ku.bz/NXd17JHfV

DevSecOps Engineer with xAI
💰 $180K to $440K a year
👨‍💻 Remote from
→ https://ku.bz/R4vBYC5mW

👉 Browse 2373 jobs on Kube Careers https://kube.careers

This tutorial teaches how to implement layered security in Kubernetes using Kyverno for admission control and KubeArmor for runtime protection to enforce guardrails.

More: https://ku.bz/SnYRwQhFR

Shyam Jeedigunta, Principal Engineer at Amazon Web Services (AWS), explains the security challenges and solutions for onboarding Kubernetes nodes from different infrastructure providers.

He discusses how to handle identity management, certificate issuance, and trust establishment when nodes come from edge locations, on-premises infrastructure, or other cloud providers rather than the same infrastructure as the control plane.

Watch the full interview: https://ku.bz/m89tLbgcq

"I don't want to see AI agents autonomously control clusters right now."

Nick Eberts draws a clear line: AI assistants are valuable for read-only troubleshooting — giving hints, explaining what's wrong. But making changes? That should go through pull requests and human review, especially in a GitOps workflow. He also flags an emerging challenge: securing agent-to-agent communication between MCP servers and clients, and extending Istio authorization policies into the agent layer.

The takeaway: AI should assist, not act — until the guardrails catch up.



Watch the full interview: https://ku.bz/G1QSYQTn2

This interview is a reaction to Mai Nishitani's episode https://ku.bz/3hWvQjXxp

cert-manager-webhook-pdns is a PowerDNS webhook for cert-manager that enables automated Let's Encrypt certificate issuance using DNS-01 challenges by integrating with PowerDNS API for DNS record management.

More: https://ku.bz/x3vxd7ZpJ