Kubesploit

Gordon Myers explains why thorough testing is critical when implementing webhooks in Kubernetes. He shares a real-world example of building a Mutating Webhook that injects secrets from HashiCorp Vault into running applications using pod annotations. The discussion covers: - How a 500 error in webhooks can prevent pods from launching entirely - The implementation of a custom entry point script for injecting secrets as environment variables - Why webhooks require extensive unit testing due to their cluster-wide impact The example demonstrates how seemingly simple webhook implementations can have significant consequences for the entire Kubernetes cluster if not properly tested. Watch the full episode: https://ku.bz/Dmn93dd7M

This week on Learn Kubernetes Weekly 159: 🔥 Kubernetes CPU Limits: Scylla and Charybdis 🧭 Kubernetes v1.34: Finer-Grained Control Over Container Restarts 🗂️ Understanding Kubernetes Cached Clients: How They Work and Why They Matter 💸 Understanding the True Cost of a Kubernetes Workload 🪙 Cloud Cost Optimization: A Senior Engineer’s Guide Read it now: https://kube.today/issues/159 ⭐️ This newsletter is brought to you by Heroku. Discover the thriving ecosystem of contributors, companies, and career paths in the Kubernetes World book https://ku.bz/bhlMdNf61

Amos walks through his production incident where adding a home computer as a Kubernetes node caused TLS certificate renewals to fail. You will learn: - How Kubernetes networking assumptions break when mixing cloud VMs with nodes behind consumer routers, and why cert-manager challenges fail in NAT environments - The differences between CNI plugins like Flannel and Calico, particularly how they handle IPv6 translation - Debugging techniques for network issues using tools like netshoot, K9s, and iproute2 - Best practices for mixed infrastructure including proper node labeling, taints, and scheduling controls Watch (or listen to) it here: https://ku.bz/6Ll_7slr9 🌟 This episode is sponsored by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person or remote training https://learnkube.com/training With @Birthmarkb "50 off grid YT shorts" Farrell

Ratan Tipirneni, President & CEO @ Tigera, announces Calico AI, a new AI-powered initiative designed to unlock the value of Tigera's existing Calico platform. He explains how Calico serves as a unified platform for Kubernetes networking, network security, and observability, and describes their strategy to leverage AI as an umbrella term for innovation over the next couple of years Watch the interview: https://ku.bz/fwFG0jZNk Read the announcement: https://ku.bz/1nljhB1vQ

This tutorial walks you through deploying SPIFFE and SPIRE in Kubernetes to issue cryptographically secure, auto-rotating identities to workloads, enabling mTLS and zero-trust communication. More: https://ku.bz/HsWb7TCYL

Alex Chircop, Chief Architect @ Akamai, discusses three emerging Kubernetes tools he's tracking that address sophisticated workload challenges. He explores KCP for scaling Kubernetes as a control plane to handle massive orchestration numbers, the ongoing challenges with OpenTelemetry for observability and, finally, and advanced access control systems beyond traditional CEL and OPA. Watch the full interview: https://ku.bz/jHLJL8H6t

OpenBao provides an open-source solution to manage, store, and distribute secrets, certificates, and keys with secure encryption, dynamic secrets, automated leasing, and detailed revocation. More: https://ku.bz/qg3j1t67t

This week on Learn Kubernetes Weekly 158: 🔥 From Linux Primitives to Kubernetes Security Contexts 🚀 Migrating OpenShift Stateful Workloads to Azure Kubernetes Service (AKS) 🧠 Tuning Linux Swap for Kubernetes: A Deep Dive 💻 Remote Development Environment Supercharged with MCP Servers 🔍 Tracing Strategies for LLMs Running on Google Cloud Run Read it now: https://kube.today/issues/158 ⭐️ This issue is brought to you by StormForge by CloudBolt and LearnKube. Join "Kubernetes Scheduling Deep Dive: Priority, Preemption, and Resource Requests" and learn how to protect critical workloads under resource pressure https://ku.bz/jTvQKH2sn

This open-source platform lets you run a self-hosted zero-trust secure access solution supporting VPN-like WireGuard/QUIC, ZTNA, API/AI gateways, homelab access and Kubernetes ingress on your own infrastructure. More: https://ku.bz/JWMdMH_J8

Tanat shares the complete journey of replacing EKS Managed Node Groups and Cluster Autoscaler with Karpenter. You will learn: - How to decouple control plane and data plane upgrades using Karpenter's asynchronous node rollout capabilities - Cost optimization strategies including flexible instance selection, automated AMD migration, and performance considerations - Policy automation and operational practices using Kyverno for user experience simplification, implementing proper Pod Disruption Budgets Watch (or listen to) it here: https://ku.bz/T6hDSWYhb 🌟 Speaking of Pod Disruption Budgets — we're running a deep dive webinar with StormForge next week on Kubernetes Scheduling: Priority, Preemption & Resource Requests. Learn why high-priority pods evict workloads and how the scheduler decides which pods to kill under pressure: https://ku.bz/chJZ7bb-l With @Birthmarkb "60+ interviews" Farrell

Sealed Secrets provides declarative Kubernetes Secret Management in a secure way. Since the Sealed Secrets are encrypted, they can be safely stored in a code repository. More: https://ku.bz/M_ZTLCWtB

Tim Miller CEO and Co-founder at Kusari challenges the common belief that minimal container images automatically mean better security. He explains that while removing unnecessary binaries and shells is a good practice, the real focus should be on validating each component's purpose in the container. Tim emphasizes two key aspects of container security: ensuring transparency (knowing what's inside) and verification (confirming the image is truly minimal). Watch the full interview: https://ku.bz/-2Sqn9Jb9 This interview is a reaction to Harsha Koushik's episode https://ku.bz/n_sJ04xMY

This article explains how a Security Context in Kubernetes works. More: https://ku.bz/jgGTq6n99

Kviklet provides a secure, self-hosted tool for engineering teams to request, review, and approve production database queries with a workflow inspired by code reviews. More: https://ku.bz/blQ6ybFXN

This case study explains how BioCatch migrated their Vault environment from costly external storage to Raft, enabling high availability, easy disaster recovery, and lower operational costs in Kubernetes. More: https://ku.bz/zPwwpmMyV

This week on Learn Kubernetes Weekly 157: ⚙️ gRPC with ALB and Traefik: Building Reliable End-to-End Connectivity 🧭 How to Prevent Failures with Kubernetes Topology Spread Constraints 📜 Demystifying Kubernetes YAML: Structure, Patterns, and Best Practices 🔗 Shared Socket: Enhancing Kubernetes Pod Communication with eBPF 🌐 Kubernetes Networking Tutorial: A Complete Guide for Developers Read it now: https://kube.today/issues/157 ⭐️ This newsletter is brought to you by Testkube — your app is Kubernetes-native, your testing should be too. Run any kind of test automation with the help of the platform built for it https://ku.bz/Zfrty_fcC

This open-source tool lets you analyze connectivity, inspect applied NetworkPolicies, and generate policy YAMLs, all with an interactive fuzzy-finder UI and JSON/table outputs. More: https://ku.bz/HJpY-dbmG

Festus walks through his project of building a lightweight version of Kubernetes from scratch in Go. You will learn: - How the reconciliation loop works - The core concept of desired state vs current state that drives all Kubernetes operations - What the scheduler actually does - Beyond simple round-robin assignment, understanding node affinity, resource requirements, and the complex scoring algorithms that determine pod placement - The complete pod lifecycle - Step-by-step walkthrough from kubectl command to running pod, showing how independent components work together like an orchestra Watch (or listen to) it here: https://ku.bz/pf5kK9lQF 🌟 This episode is sponsored by StormForge by CloudBolt — automatically rightsize your Kubernetes workloads with ML-powered optimization https://ku.bz/Br1jCHcL7 With @Birthmarkb "protein bars diet" Farrell

🤖 Nirmata at KubeCon: Policy as Code, AI Agents, and the First-Ever KyvernoCon Nirmata is bringing policy-as-code solutions to Booth 1340 at KubeCon Atlanta, where Head of Community Cortney Nickerson and the team will demonstrate how Kyverno helps platform engineers automate security, compliance, and governance across Kubernetes environments. The company is launching a new AI platform engineering agent designed to reduce the toil of repetitive tasks, while its open-source Kyverno project is moving to CEL for more flexible policy management. Stop by for Kyverno and Nirmata t-shirts, tumblers, and creative barbecue-themed stickers, plus enter raffles for Ray-Ban and Google Band sunglasses. Don't miss the first in-person KyvernoCon on November 10th, featuring talks on AI policies, visual learning sessions, and real-world use cases from IBM and Cisco—followed by a joint celebration party with the FluxCon community. Stop by the Nirmata Booth: https://ku.bz/NcwTKq1jh

This week on Learn Kubernetes Weekly 156: 🔥 AI Infrastructure on Kubernetes 🏠 Achieving High Availability with Distributed Databases on Kubernetes at Airbnb ⚡ Optimizing Node and Pod Startup Performance 🎯 How Kubernetes Pod Priority and Preemption Work ⚖️ Kubernetes Pod Scheduling: Balancing Cost and Resilience Read it now: https://kube.today/issues/156 ⭐️ This newsletter is brought to you by StormForge by CloudBolt — ML-powered Kubernetes rightsizing that keeps clusters fast, efficient, and under control https://ku.bz/2CSC8dH38