DevOps&SRE Library

Upgrade AWS CSI Drivers in your Multi-Tenant Kubernetes Cluster

Since 2023, AWS CSI drivers can be misused to bypass node isolation in multi-tenant clusters.

https://soc-inspiration.medium.com/upgrade-aws-csi-drivers-in-your-multi-tenant-kubernetes-cluster-a2cbc47e47f8

When high availability brings downtime https://medium.com/learnings-from-the-paas/when-high-availability-brings-downtime-7a6261b0ef1c

siper

Siper is a high-performance, XDP-based IP blacklist firewall built with Go and C (eBPF). It allows you to drop malicious traffic at the earliest possible stage in the Linux networking stack—the network driver level. By leveraging XDP (Express Data Path), Siper processes packets before they even reach the kernel's heavy networking subsystem, providing extreme performance even under heavy DDoS conditions.

https://github.com/fksvs/siper

ing-switch: Migrate from Ingress NGINX to Traefik or Gateway API in Minutes, Not Days

Migrate Kubernetes Ingress NGINX to Traefik or Gateway API — CLI + web UI

https://blog.kubesimplify.com/ing-switch-migrate-from-ingress-nginx-to-traefik-or-gateway-api-in-minutes-not-days

Spegel for p2p docker registries in k3s https://ellie.wtf/notes/spegel

Before You Migrate: Five Surprising Ingress-NGINX Behaviors You Need to Know

As announced November 2025, Kubernetes will retire Ingress-NGINX in March 2026. Despite its widespread usage, Ingress-NGINX is full of surprising defaults and side effects that are probably present in your cluster today. This blog highlights these behaviors so that you can migrate away safely and make a conscious decision about which behaviors to keep. This post also compares Ingress-NGINX with Gateway API and shows you how to preserve Ingress-NGINX behavior in Gateway API. The recurring risk pattern in every section is the same: a seemingly correct translation can still cause outages if it does not consider Ingress-NGINX's quirks. I'm going to assume that you, the reader, have some familiarity with Ingress-NGINX and the Ingress API. Most examples use httpbin as the backend. Also, note that Ingress-NGINX and NGINX Ingress are two separate Ingress controllers. Ingress-NGINX is an Ingress controller maintained and governed by the Kubernetes community that is retiring March 2026. NGINX Ingress is an Ingress controller by F5. Both use NGINX as the dataplane, but are otherwise unrelated. From now on, this blog post only discusses Ingress-NGINX.

https://kubernetes.io/blog/2026/02/27/ingress-nginx-before-you-migrate

Инфраструктура современного сервиса — это не только код, но и стабильность его работы под нагрузкой. Если вы отвечаете за DevOps-процессы или эксплуатацию распределенных систем, стоит посмотреть на новую observability-платформу от Yandex B2B Tech. Monium — это инструмент для мониторинга состояния ИТ-систем, анализа телеметрии в реальном времени и быстрого поиска причин инцидентов. Платформа объединяет метрики, логи и трейсы в одном интерфейсе, поддерживает Prometheus и OpenTelemetry, а также рассчитана на highload-нагрузки уровня enterprise. Исторически решение было разработано командой Yandex Infrastructure для мониторинга критических сервисов внутри Яндекса, а сейчас оно уже доступно всем пользователям и подходит для работы с облачными и on-prem инфраструктурами. Среди сценариев использования — мониторинг приложений, сервисов и цифровых продуктов с гибкой настройкой алертинга и эскалаций. Если вы хотите сократить время реакции на инциденты и получить более полную картину состояния системы — подробнее о платформе можно узнать по ссылке.

Kyverno killed my API Server. Again. https://blog.zwindler.fr/en/2026/02/26/kyverno-killed-my-api-server.-again./

Wozz: Kubernetes Cost Tool

Wozz is a Kubernetes cost optimization tool that catches expensive resource changes before they merge.

https://github.com/WozzHQ/wozz

How We Shrunk a Kubernetes Sidecar from 421MB to 90MB (With No OS Inside)

This article explains how to reduce a Kubernetes sidecar container from 421MB to 90MB by building a statically linked Go binary and using a FROM scratch base image.

https://medium.com/@soumya-rout/how-we-shrunk-a-kubernetes-sidecar-from-421mb-to-90mb-with-no-os-inside-8757eaefc3ed

Harness engineering: leveraging Codex in an agent-first world https://openai.com/index/harness-engineering

How I think about Kubernetes

This article explains how to think about Kubernetes as a runtime for declarative infrastructure with a type system rather than just a container orchestrator.

https://garnaudov.com/writings/how-i-think-about-kubernetes

tapes

tapes is an Agentic telemetry system for content-addressable LLM interactions. It provides durable storage of agent sessions, plug-and-play OpenTelemetry instrumentation, and deterministic replay of past agent messages.

https://github.com/papercomputeco/tapes

zvec

Zvec is an open-source, in-process vector database — lightweight, lightning-fast, and designed to embed directly into applications. Built on Proxima (Alibaba's battle-tested vector search engine), it delivers production-grade, low-latency, scalable similarity search with minimal setup.

https://github.com/alibaba/zvec

diffnav

A git diff pager based on delta but with a file tree, à la GitHub.

https://github.com/dlvhdr/diffnav

upright

Upright is a self-hosted synthetic monitoring system. It provides a framework for running health check probes from multiple geographic sites and reporting metrics via Prometheus. Alerts can then be configured with AlertManager.

https://github.com/basecamp/upright

GPU-accelerated headless Chromium on Kubernetes: a practical guide

This guide covers enabling GPU-accelerated headless Chromium on EKS by wiring host drivers and handling virtual GPU constraints.

https://medium.com/@misterdev/gpu-accelerated-headless-chromium-on-kubernetes-a-practical-guide-b4171c72e87e

Detecting vulnerabilities in public Helm charts

The article shows how to identify insecure RBAC, secret leakage, and risky Helm template behavior using Trivy, GitHub search, and OPA.

https://allthingsopen.org/articles/detecting-vulnerabilities-public-helm-charts

Building Production-Ready Micro Frontends in Kubernetes: A Pragmatic Approach

This guide walks through deploying micro frontends on Kubernetes with ingress routing and CI/CD patterns for team-isolated delivery.

https://medium.com/@tamer-abdulghani/building-production-ready-micro-frontends-in-kubernetes-a-pragmatic-approach-708134467b02

How we replaced the default Kubernetes scheduler to optimize our continuous integration builds

Codefresh explains a custom Kubernetes scheduler and ballast pods strategy to pack CI workloads and reduce build-start delays.

https://codefresh.io/blog/custom-k8s-scheduler-continuous-integration