Kubesploit


News and links on Kubernetes security curated by the @Learnk8s team Website: https://kubesploit.io/

2,062 subscribers

Post archive
Repost from LearnKube news
This week on Learn Kubernetes Weekly 183:
🔥 Autoscaling Hid Our LLM Cost Regression (85% → 4% Cache Hit Rate)
🔥 Mount Mayhem at Netflix: Scaling Containers on Modern CPUs
🗄️ DocumentDB on Kubernetes: Resilient, Highly Available Databases with Automatic Failover
🛡️ We Brought Skew Protection to Your Kubernetes
🔒 Keeping Your Security Model Intact When Running VMs in Kubernetes
Read it now: https://kube.today/issues/183
⭐️ This newsletter is brought to you by LearnKube — master Kubernetes with hands-on training designed for engineers who want to learn the smart way https://ku.bz/hypSbyc-V

This tutorial explains how Amazon EKS Pod Identity session policies let teams restrict pod IAM permissions with inline policies. More: https://ku.bz/NtVpLWQ60

Repost from N/a
Nicholaos Mouzourakis, Staff Product Security Engineer at Gusto, explains how batch authorization significantly improves Open Policy Agent (OPA) performance in Kubernetes environments. He shares how packing multiple authorization requests into a single HTTP call dramatically reduces network latency overhead. The performance gains are substantial: batch requests process approximately 18 times faster than individual requests. Nicholaos explains that while adding requests to an existing batch is "negligible and basically free," teams should carefully consider dependencies between authorization requests. Watch the full episode: https://kube.fm https://ku.bz/S-2vQ_j-4

Repost from N/a
Brian Stack from Render explains why Kubernetes scaling can break along a dimension most teams ignore: namespaces. At Render scale, hundreds of thousands of namespaces made common DaemonSet patterns expensive. Calico and Vector were list-watching namespace data across every node, multiplying memory usage and putting pressure on the API server during restarts and rollouts.
You will learn:
- Why namespaces can become a hidden scaling bottleneck
- How DaemonSets multiply memory and control-plane pressure
- How profiling, staging clusters, and upstream collaboration freed 7 TiB
- Why pushing from an 80% fix to a complete fix can make teams faster
Watch (or listen to) it here: https://ku.bz/0mrvCsXrV
🌟 This episode is brought to you by LearnKube — comprehensive Kubernetes training. https://learnkube.com/training
With @Birthmarkb

This article shows how to maintain VM-level network security during KubeVirt live migration by using Calico labels and policy enforcement rather than node or pod IPs. More: https://ku.bz/mggD2nXf6

Repost from N/a
Stefan Roman explains how to implement network security in a multi-tenant Kubernetes learning platform. He describes the evolution from a single-namespace architecture to a dual-namespace system that separates the control plane from worker nodes.
The discussion covers:
- Implementing NetworkPolicies to create strict namespace isolation and control traffic flow
- Managing cross-namespace communication between the control plane and worker nodes
- Using NodePort services to dynamically expose SSH access only when needed
- Configuring Kubernetes DNS for essential component communication
- Securing public access through a single API server endpoint until lab initialization
Watch the full episode: https://ku.bz/Xz-TrmX2F

Repost from LearnKube news
We published a Kubernetes production-readiness checklist for teams preparing workloads for production. The checklist is designed to help platform and application teams review the Kubernetes-specific behavior that affects an application before it goes live.
It includes:
- An interactive checklist
- Detailed explanations for each production-readiness check
- A downloadable PDF worksheet
It walks through five areas:
- The contract between your application and Kubernetes
- The manifests that define how Kubernetes should run it
- The workload security posture
- Scaling behavior under load
- Operational checks after launch
Open the checklist: https://learnkube.com/production-best-practices
If you want a guided review, LearnKube also offers a Kubernetes Production Readiness Review with one of our instructors: https://learnkube.com/production-readiness-review

Trupositive is a wrapper that automatically tags Terraform and CloudFormation resources with Git commit SHA, branch, and repository metadata for auditability and infrastructure traceability. More: https://ku.bz/jy_MxscNM

This article introduces KubeUser, an open source Kubernetes operator that automates user certificate, RBAC, and kubeconfig creation from a declarative custom resource. More: https://ku.bz/t3c88n2-h

Warden is an open source runtime access gateway that lets AI agents, pods, pipelines, and services use identity-based policies to reach cloud APIs, databases, and storage without storing long-lived credentials. More: https://ku.bz/KTFVJj-Tv

Repost from LearnKube news
This week on Learn Kubernetes Weekly 182:
🔄 We built a self-healing registry mirror (because Docker Hub rate limits are no fun)
💰 Our Kubernetes Cluster Was Costing $14,850/Month. We Moved to Fly.io for $680.
🦈 Kubeshark: Making Packet Level Visibility in Kubernetes
⏱️ Running Temporal.io on Kubernetes in Production — What Nobody Tells You
📊 What 6 Months of Tracking a Production OpenShift Cluster Revealed About Kubernetes
Read it now: https://kube.today/issues/182
⭐️ This newsletter is brought to you by LearnKube — master Kubernetes with hands-on training designed for engineers who want to learn the smart way https://ku.bz/hypSbyc-V

This tutorial teaches how to eliminate static kubeconfig files by configuring HashiCorp Vault as an OIDC provider for authentication with dynamic, short-lived tokens. More: https://ku.bz/m2GQwKDZl

Repost from N/a
What happens when an AI agent stops generating Kubernetes YAML and starts operating the cluster directly? Mike Solomon from AIATELLA explains how his team moved from sprawling Helm charts to Markdown-driven infrastructure specs that Claude Code can execute, test, and refine.
You will learn:
- Why Helm became hard to maintain for a fast-moving medical infrastructure repo
- How Claude debugged Argo, TLS conflicts, kubectl patches, and private registry credentials
- How runbooks and agent memory files capture failures so deployments become reproducible
Watch (or listen to) it here: https://ku.bz/y70mLvWNs
🌟 This episode is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person or remote training. https://learnkube.com/training
With @Birthmarkb

This tool runs inside Kubernetes and automatically decrypts secrets encrypted with Mozilla SOPS, and then creates standard Kubernetes Secret objects from them. More: https://ku.bz/fy2bXhv9X

Repost from LearnKube news
We published a new page for companies that want to work with LearnKube: https://learnkube.com/for-marketers Some LearnKube projects are too large to make alone. The GPU ebooks we published recently are a good example: https://learnkube.com/books They are free because sponsors helped fund the research, writing, production, webinars, and distribution behind them. We want to keep creating ambitious technical education for Kubernetes and platform engineering teams. We already have ideas we’d like to develop around AI infrastructure, Kubernetes resource optimization, platform engineering, and general Kubernetes education. If your company wants to support these efforts and reach Kubernetes practitioners with useful technical content, we’d like to talk: https://learnkube.com/for-marketers

Siclaw is an open source AI SRE platform for read-only infrastructure diagnostics, root cause analysis, team workflows, Kubernetes access, and MCP-based investigation without changing live systems directly. More: https://ku.bz/cSX5czD5y

This case study shows how Unitary built Osmia, an open-source orchestration layer on EKS to run autonomous AI coding agents safely at scale using pod isolation, Karpenter, IRSA-based secrets, and real-time trajectory scoring. More: https://ku.bz/lyr0QGf1f

Repost from Kube Careers
This week's 6 best Kubernetes vacancies that focus on security are:
DevSecOps Engineer with Anthropic 💰 $405K to $485K a year, Remote from the United States of America → https://ku.bz/wrrnmcjDQ
DevSecOps Engineer with OpenAI 💰 $364.5K to $490K a year, Remote from the United States of America → https://ku.bz/NXd17JHfV
DevSecOps Engineer with Faire 💰 $268K to $368.5K a year, Remote from the United States of America, Canada, the United Kingdom (+1 more) → https://ku.bz/6dD8HVYdT
DevSecOps Engineer with Mercor 💰 $130K to $500K a year, On-site in San Francisco, CA, USA → https://ku.bz/Hs5qfr1h2
DevSecOps Engineer with Perplexity 💰 $220K to $405K a year, Fully remote → https://ku.bz/rnYh0TMpt
👉 Browse 6817 jobs on Kube Careers https://kube.careers

PII-Shield is a sidecar that sanitizes logs before they leave the pod by detecting secrets and personal data, preserving JSON structure, and supporting Helm-based deployment. More: https://ku.bz/V2B6Gqksv

Repost from N/a
Mike Stefaniak, Head of Product, Kubernetes and Registries at Amazon Web Services (AWS), discusses the current limitations and future requirements for giving AI assistants write access to Kubernetes resources. Mike identifies two critical barriers preventing autonomous AI actions in production: insufficient fine-grained security controls in current Kubernetes authorization systems and unresolved hallucination problems in AI models. Watch the full interview: https://ku.bz/PzjrglcZJ