Kubesploit

Agent workloads push Kubernetes beyond the assumptions of the standard container model. Mauricio Salatino explains why Agent Sandbox is useful as teams start running AI agent code in clusters that need stronger isolation and new primitives for this class of workload. Watch the full interview: https://ku.bz/QXKc1tBFY

Harbor is a CNCF-graduated open source container registry that stores, signs, and scans images, with built-in RBAC, LDAP/OIDC support, vulnerability scanning, policy-based replication, and a full REST API. More: https://ku.bz/GjjZhkvSD

Kubeconform is a Kubernetes manifests validation tool. Similar to Kubeval, but with the following improvements: 1. High performance. 2. Remote or local schema locations 3. Up-to-date schemas for all recent versions of Kubernetes. More: https://ku.bz/l0kD6R0TS

This week on Learn Kubernetes Weekly 184: 🔥 Three Weeks Hunting a 4GB Native Memory Leak That .NET Couldn't See ⚠️ Before You Migrate: Five Surprising Ingress-NGINX Behaviors You Need to Know 🔀 Why I Built ctx_: The Context Switcher That Actually Gets DevOps Work 🚀 Migrating Ingress NGINX Controller to Istio in Kubernetes 🐘 Running PostgreSQL on Kubernetes: Operators, Storage and Production Guide Read it now: https://kube.today/issues/184 ⭐️ This newsletter is brought to you by WeAreDevelopers World Congress — The World’s Largest Event for Developers, AI Builders & Tech Leaders https://ku.bz/CvpvW-SG2

This tutorial shows how to use Cilium and Hubble to enforce HTTP path based network policies in Kubernetes with eBPF, so you can allow or block specific endpoints without sidecars. More: https://ku.bz/Fl4tzq2J2

John Ford from Scout24 SE explains how Scout24 turned a forced OS migration into a chance to rethink Kubernetes autoscaling, node provisioning, and infrastructure efficiency. You will learn: - Why two-minute node provisioning forced a 25% capacity buffer - How Karpenter made the Bottlerocket migration safer - What broke around EC2 metadata, AWS SDKs, and cgroups - How the new foundation enables Spot, ARM, and GPU workloads Watch (or listen to) it here: https://ku.bz/DdmVC2_7v 🌟 This episode is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person or remote training: https://learnkube.com/training With @Birthmarkb

This tutorial explains TLS and certificate debugging from root CA basics to Kubernetes secrets, with OpenSSL and curl commands for inspecting certs, validating handshakes, and fixing common production errors. More: https://ku.bz/z-30r6w-V

Using AI to generate YAML is one thing. Letting it touch production operations is another. YongKang He says the safest starting point is low-risk, high-volume work like anomaly detection, correlation, and remediation suggestions. He is not ready to hand over costly scaling decisions or sensitive policy changes without stronger guardrails. The practical lesson is that AI should act like a co-pilot for SRE, not a fully autonomous operator. Watch the full interview: https://ku.bz/8Q7Vy60P7

Node Healthcheck Operator automatically detects unhealthy nodes and triggers pluggable remediators like BMC, ClusterAPI, or software reboots to recover workloads without manual intervention. More: https://ku.bz/8Y52rJ74q

🚀 New on LearnKube: "Kubelet Metrics: How cAdvisor and CRI Collect Kubernetes Stats." Kubernetes metrics often look like a Prometheus topic, but the data originates much lower in the stack. This guide explains how kubelet collects and exposes pod, container, node, and resource metrics, and how that path changes when stats move from cAdvisor to the container runtime through CRI. You will learn: - how Linux cgroups provide the raw counters behind container metrics - where cAdvisor fits inside kubelet - what kubelet exposes through /metrics, /metrics/cadvisor, /metrics/resource, and /stats/summary - how containerd and CRI-O can return pod and container stats through CRI - why the same kubelet endpoint can hide a different internal collection path Read the full article: https://learnkube.com/kubernetes-metrics-cadvisor-kubelet-cri

This tutorial shows how to secure an ArgoCD based EKS GitOps workflow with External Secrets Operator, IRSA, and AWS SSM Parameter Store so secrets stay out of Git and sync safely into Kubernetes. More: https://ku.bz/1qJT8SG1s

This tutorial explains how to prevent, detect, and clean up leaked secrets in Git repositories using .env files, Kubernetes Secrets, Gitleaks, GitGuardian, and git-filter-repo. More: https://ku.bz/PZjTtq9v8

For regulated environments, open source can be a strength rather than a liability. Devin Allen explains that visibility into the codebase is what makes open source workable in secure environments. More eyes on the code means problems can be found, understood, and fixed faster, which changes the conversation from blind trust to transparent verification. Watch the full interview: https://ku.bz/8lKHj1C5d

Many teams still treat Kubernetes as secure by default, and that assumption creates risk fast. Glen Messenger argues that Kubernetes was built for orchestration, not security. His point is that platforms like GKE have to add strong defaults, least privilege, and opinionated controls so teams do not build insecure systems accidentally. Watch the full interview: https://ku.bz/N5njxPHdY

This tutorial teaches how to deploy Crossview on Kubernetes with Helm and secure it for enterprise use with session auth, SSO, proxy header auth, RBAC, TLS, and high-availability settings. More: https://ku.bz/hwQDK693G

This week on Learn Kubernetes Weekly 183: 🔥 Autoscaling Hid Our LLM Cost Regression (85% → 4% Cache Hit Rate) 🔥 Mount Mayhem at Netflix: Scaling Containers on Modern CPUs 🗄️ DocumentDB on Kubernetes: Resilient, Highly Available Databases with Automatic Failover 🛡️ We Brought Skew Protection to Your Kubernetes 🔒 Keeping Your Security Model Intact When Running VMs in Kubernetes Read it now: https://kube.today/issues/183 ⭐️ This newsletter is brought to you by LearnKube — master Kubernetes with hands-on training designed for engineers who want to learn the smart way https://ku.bz/hypSbyc-V

This tutorial explains how Amazon EKS Pod Identity session policies let teams restrict pod IAM permissions with inline policies. More: https://ku.bz/NtVpLWQ60

Nicholaos Mouzourakis, Staff Product Security Engineer at Gusto, explains how batch authorization significantly improves Open Policy Agent (OPA) performance in Kubernetes environments. He shares how packing multiple authorization requests into a single HTTP call dramatically reduces network latency overhead. The performance gains are substantial - batch requests process approximately 18 times faster than individual requests. Nicholaos explains that while adding requests to an existing batch is "negligible and basically free," teams should carefully consider dependencies between authorization requests. Watch the full episode: https://kube.fmhttps://ku.bz/S-2vQ_j-4

Brian Stack from Render explains why Kubernetes scaling can break along a dimension most teams ignore: namespaces. At Render scale, hundreds of thousands of namespaces made common DaemonSet patterns expensive. Calico and Vector were list-watching namespace data across every node, multiplying memory usage and putting pressure on the API server during restarts and rollouts. You will learn: - Why namespaces can become a hidden scaling bottleneck - How DaemonSets multiply memory and control-plane pressure - How profiling, staging clusters, and upstream collaboration freed 7 TiB - Why pushing from an 80% fix to a complete fix can make teams faster Watch (or listen to) it here: https://ku.bz/0mrvCsXrV 🌟 This episode is brought to you by LearnKube — comprehensive Kubernetes training. https://learnkube.com/training With @Birthmarkb

This article shows how to maintain VM-level network security during KubeVirt live migration by using Calico labels and policy enforcement rather than node or pod IPs. More: https://ku.bz/mggD2nXf6