Kube Architect
News and links on architecting and developing apps on Kubernetes curated by the @Learnk8s team
8 946 subscribers
Repost from Kube Builders
This blog post tells how the Render team:
- tracked down Kubernetes memory waste caused by many daemonset namespace watches,
- fixed config issues,
- and freed over 7 TiB of memory across clusters by reducing unnecessary listwatch overhead.
More: https://ku.bz/2vS0QsvjY
Repost from N/a
Brian Donelan, VP Cloud Platform Engineering at JPMorganChase, explains how he solved a common developer problem: preventing forgotten cloud resources from generating unexpected bills.
Brian's key insight was treating these cloud services as "extensions of his MacBook" - since only he would use them, they should scale based on whether his laptop is active. This led him to create an automated solution that connects his MacBook's screen lock state to Kubernetes autoscaling.
Watch the full episode: https://ku.bz/sFd8TL1cS
Repost from N/a
"Do you want the single pane of glass? Or do you want a more distributed architectural setup?"
That's the real question when choosing a GitOps tool, says Zach Aller. Argo CD's pull-based approach gives you a central UI to manage multiple clusters — and that's been a major driver of its adoption. But it comes with performance trade-offs at scale.
The choice isn't about which tool is "better." It's about whether your team needs centralized visibility or distributed control.
Watch the full interview: https://ku.bz/7Bf_w3bN_
This interview is a reaction to Mai Nishitani's episode https://ku.bz/3hWvQjXxp
Repost from Kubesploit
This tutorial shows how to build a hub-style multi-cluster cert-manager control plane where a central hub cluster manages certificate issuance and distribution across multiple spoke clusters using cert-manager and trust-manager.
More: https://ku.bz/LKB8W3PMJ
Repost from LearnKube news
This week on Learn Kubernetes Weekly 186:
🔥 1 Million Tokens Per Second: Qwen 3.5 27B on GKE with B200 GPUs
🤖 How I Built Kernel: An AI-Powered IT Helpdesk That Deflects 80% of Support Tickets
⚙️ Ansible AWX: Infrastructure Automation on Top of Kubernetes
🛡️ I Setup Kubermatic SecureGuard Before It Even Existed
🔐 SRE: Secrets Management in Kubernetes
Read it now: https://kube.today/issues/186
⭐️ This newsletter is brought to you by StormForge by CloudBolt. Stop setting Kubernetes requests. Let ML handle rightsizing https://ku.bz/2wYKp0Q2Y
Repost from N/a
YAML often gets reviewed by teams that adopted engineering discipline later than application developers did.
Viktor Farcic explains why YAML and Helm changes can escape the same level of scrutiny as application code. His point is not that configuration is less important. It is that different teams typically inherit different habits around version control, review, and operational rigor.
If the practices are uneven, the review quality will be uneven too.
Watch the full interview: https://ku.bz/7ZnM0ZlDy
Repost from N/a
"Manual optimization breaks before you get to 250 changes a day."
Yasmin Rajabi explains a CloudBolt Software survey finding: most teams still require human review for resource optimization, even though Kubernetes environments can run hundreds or thousands of workloads.
The takeaway: human review does not scale once optimization becomes daily operational work.
Watch the announcement: https://ku.bz/HDtVsM95b
Read The Kubernetes Automation Trust Gap study: https://ku.bz/449hgHFbV
Repost from N/a
Mike Stefaniak, Head of Product, Kubernetes and Registries at Amazon Web Services (AWS), tackles a fundamental platform engineering question: how much Kubernetes knowledge should developers actually have?
Mike advocates for a "middle ground" approach where platform teams build abstractions, paved paths, and best practices without completely hiding that applications run on Kubernetes. He argues that complete abstraction is a mistake because it cuts developers off from the rich Kubernetes ecosystem.
Watch the full interview: https://ku.bz/NH_jwkNcR
This interview is a reaction to Andrew Jeffree's episode https://ku.bz/Xvyp1_Qcv
Repost from LearnKube news
📣 New on LearnKube: "The mechanics of Kubernetes RBAC and how it connects users to permissions."
Kubernetes RBAC can feel confusing because the object names sound broader than the scope they actually grant.
A ClusterRole does not always mean cluster-wide access.
If you bind a ClusterRole with a RoleBinding, the permissions apply only in the namespace where the RoleBinding lives.
The article walks through:
- Why direct user-to-permission mappings do not scale
- how Roles and ClusterRoles group permissions into reusable sets
- how RoleBindings and ClusterRoleBindings connect identities to permissions
- How to test access with kubectl auth can-i
Read the full guide: https://learnkube.com/rbac-kubernetes
Repost from N/a
Ryan Brainard, Software Engineering PMTS @ Heroku by Salesforce, explains how GitOps serves as a crucial source of truth and addresses the configuration drift problems his team experienced with Helm-based pipelines.
Ryan emphasizes that they avoid manual changes entirely and treat clusters as cattle, not pets - making them completely disposable and enabling seamless upgrades. This approach leverages their immutable and ephemeral workloads to maintain consistency and eliminate configuration drift at scale.
Watch the full interview: https://ku.bz/WY43k-PBd
This interview is a reaction to Andrew Jeffree's episode https://ku.bz/Xvyp1_Qcv
Repost from LearnKube news
Swimmer is a native desktop Kubernetes GUI built for multi-cluster workflows, letting you browse 27+ resource types, compare clusters in split panels, and run terminal sessions per cluster, built with Tauri and Rust.
More: https://ku.bz/mFQXr4w0h
Percona vs MongoDB Community vs KubeDB vs Atlas — which operator should you run for MongoDB on Kubernetes?
Full breakdown + architecture + PITR guide →
https://ku.bz/2n-smMsxC
Repost from N/a
Kubernetes cost optimization starts with Node Autoscaler and proper resource sizing.
Amin Astaneh shares strategies: dynamically size clusters with Node Autoscaler and ensure workloads fit within resource requests.
The combination of autoscaling and proper sizing prevents wasted capacity and unnecessary costs.
Watch the full interview: https://ku.bz/p1RNM5ldZ
This interview is a reaction to Marc Campora's episode https://ku.bz/5gMTkzLhV
Repost from N/a
Dave Masselink, Software Engineer and Founder at Compute Gardener, explains how carbon awareness can be integrated into Kubernetes scheduling decisions through workload shifting strategies.
He breaks down the concept of temporal shifting (moving workloads to cleaner times) and spatial shifting (moving workloads to cleaner locations), with his current focus on the time-based approach.
Watch the full episode: https://ku.bz/zk2xM1lfW
Repost from LearnKube news
This week on Learn Kubernetes Weekly 185:
🔥 A One-Line Kubernetes Fix That Saved 600 Hours a Year
🔐 Why Kubernetes Has No Login — And How We Solved It for AuditRadar
⚙️ Durable Workflows Beyond Vercel: Version-Safe Orchestration for Kubernetes
🧩 The Missing Layers in Your Kubernetes Operator
🚨 Why Your KServe InferenceService Won't Become Ready: Four Production Failures and Fixes
Read it now: https://kube.today/issues/185
⭐️ This issue is brought to you by Qodo, the AI code integrity platform helping teams review, test, and ship reliable infrastructure code faster https://ku.bz/NvLHsnl-6
Repost from N/a
"CPUs are not real metrics."
Nicholas Eberts explains why CPU and memory are tough metrics for accurate saturation. When you're scaling with HPA, you want to actually utilize the resources you're paying for — but CPU doesn't tell you if your pod is truly saturated.
The easy button? Requests per second. Or implement custom metrics and export them from your application. You'll get way more efficiency than CPU and memory will ever give you.
Watch the full interview: https://ku.bz/jlDL5XzCd
Repost from N/a
Mac Chaffee explains the critical decision point where teams should reconsider adopting Kubernetes after initially rejecting it.
He distinguishes between informed rejection - where teams understand both Kubernetes and their application needs - and uninformed rejection that creates significant risks.
Mac emphasizes that teams who truly understand Kubernetes and consciously choose alternatives aren't constantly second-guessing their decision. However, teams that reject Kubernetes without understanding the problems it solves may discover they need auto-scaling, service discovery, or failover capabilities at the worst possible moment - like during Black Friday traffic spikes for e-commerce companies.
Watch the full episode: https://ku.bz/9nFPmG85f
Repost from LearnKube news
🚀 New on LearnKube: “User and workload identities in Kubernetes.”
The Kubernetes API server must identify the caller before it can check permissions.
The article follows that identity through the request path: external users, in-cluster workloads, service account tokens, projected volumes, JWT claims, TokenReview, and AWS IAM federation.
You will learn:
- how authentication differs from authorization
- why human users usually come from OIDC, certificates, webhooks, proxies, or static token files
- how pods authenticate with service accounts
- why TokenRequest and projected volumes replaced automatic long-lived token secrets
- what sub, aud, iss, and exp tell you inside a JWT
- how EKS IRSA uses projected tokens to federate with AWS IAM
- how TokenReview validates Kubernetes-issued tokens inside the cluster
Read the full article: https://learnkube.com/authentication-kubernetes
Repost from N/a
Helm and YAML often look safe because they are templates, not running systems.
Pronomita Dey breaks down why that assumption is dangerous. Application code gets linting, tests, and static analysis, while Helm configuration is typically checked only for logic or policy, not for the runtime implications a service will actually experience in production.
If your review stops at template correctness, you may miss the operational failure entirely.
Watch the full interview: https://ku.bz/lm5jTjdVN
Repost from N/a
Calin Florescu, DevOps Engineer, discusses implementing a robust testing strategy for unified Helm charts.
His approach combines two methods: automated validation with the helm-unittest plugin to verify template rendering, and practical testing against the Kubernetes API using dummy repositories. This dual approach ensures templates are both technically correct and practically viable before reaching development teams.
Watch the full episode: https://kube.fm https://ku.bz/mcPtH5395
