Forwarded from KubeFM
Shyam Jeedigunta, Principal Engineer at Amazon Web Services (AWS), explains connectivity patterns for hybrid Kubernetes deployments where worker nodes run outside the core cluster network.
He covers the trade-offs between public internet connectivity and private networking solutions, focusing on maintaining reliability and performance while preserving security isolation.
Watch the full interview: https://ku.bz/m89tLbgcq
This article shows how running the Nomad server control plane on OpenShift using StatefulSets manages distributed edge fleets where Kubernetes can't reach, while OpenShift handles server lifecycle, security, and observability automatically.
More: https://ku.bz/-5g5fZCYL
Forwarded from Kube Architect
Forecastle is a control panel which dynamically discovers and provides a launchpad to access applications deployed on Kubernetes.
More: https://ku.bz/1ZZZSgjLj
Forwarded from KubeFM
Vincent von Büren was refactoring an old Helm chart when he spotted a debug log line printing a Kubernetes ServiceAccount token to stdout, still running in production.
He decoded it: no audience restrictions, one-year expiry. "My stomach turned. I knew this could be a serious security incident."
In this episode, Vincent breaks down:
- What's actually inside a ServiceAccount JWT
- Why default tokens enable replay attacks
- Projected tokens: the solution that's been available since 1.20, but why most teams haven't switched
- Practical steps to reduce exposure
Watch (or listen to) it here: https://ku.bz/LTnB_Ntbc
This episode is brought to you by LearnKube: comprehensive Kubernetes training. https://learnkube.com/training
With @Birthmarkb
CronJob Guardian monitors Kubernetes CronJobs with dead-man's switch detection, SLA tracking for success rates and duration regressions, intelligent alerting via Slack/PagerDuty/webhook/email, and a built-in web dashboard with charts and metrics export.
More: https://ku.bz/N2-98L3pg
Forwarded from Kube Careers
This week's 6 Kubernetes jobs that offer VISA sponsorships are:
Machine Learning Engineer with Anthropic
$350.71K to $851.73K a year
Hybrid in Zurich, CH, On-site in San Francisco, CA, USA
https://ku.bz/8QWBc6mRK
Site Reliability Engineer with OpenAI
$230K to $490K a year
On-site in San Francisco, CA, USA
https://ku.bz/qZFG_pnlB
Platform Engineer with The San Francisco Compute Company
$250K to $325K a year
Remote from the United States of America
https://ku.bz/Qqg1zYQzR
DevOps Engineer with Parloa
$225K to $335K a year
Remote from the United States of America, Hybrid in Berlin, DE; Munich, DE
https://ku.bz/n4xTCdHsz
Browse 5345 jobs on Kube Careers: https://kube.careers
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 177:
- What Happens When You Run Java at Scale on Kubernetes
- From Push to Production: Our Deployment Pipeline with Argo CD
- From Minutes to Seconds: How I Eliminated Kubernetes Image Pull Delays
- Nomad on OpenShift: The Case for the Control Plane
- Deep Dive: The Linkerd Destination Service
Read it now: https://kube.today/issues/177
This newsletter is brought to you by Spectro Cloud, helping you scale K8s infrastructure for AI workloads, from cloud to edge https://ku.bz/JD0dS5lhZ
Forwarded from KubeFM
Molly Sheets, Director of Engineering, Kubernetes at Zynga, challenges the conventional wisdom that slower deployments are safer deployments. She argues that intentionally slowing down Kubernetes deployments through manual approval gates actually makes systems less resilient, not more secure.
Drawing from the research in "Accelerate" and DORA metrics, Molly explains how external approvers can introduce more risk than allowing teams to deploy faster to production. In the Kubernetes context specifically, she emphasizes that the architecture should focus on isolation between applications, enabling teams to release independently without affecting others.
Her core philosophy: "break things, fix it permanently, and keep moving on" with smaller, faster deployments.
Watch the full episode: https://ku.bz/Rmpl8948_
IncidentFox automates incident investigation with AI agents using 178+ tools for Kubernetes, AWS, and Grafana, featuring RAPTOR knowledge base for runbooks, alert correlation reducing noise by 85-95%, and Slack/GitHub/PagerDuty integrations.
More: https://ku.bz/wTP3Kbtjs
Forwarded from KubeFM
Topology spread constraints are widely used, but most teams don't know the edge cases that can silently break their HA setup.
Jason Deal covers two:
1. TSCs are only evaluated at scheduling time, so they can drift as your cluster churns. Using Descheduler helps enforce conformance long-term.
2. During a rolling deployment, TSCs can match against pods from both the old and new ReplicaSet simultaneously, causing skew violations mid-rollout. The fix: use matchLabelKeys to scope the constraint to just the current pod template hash.
Watch the full interview: https://ku.bz/1_-DTgLsg
Forwarded from KubeFM
On-prem Kubernetes means you own all of it, and that adds up fast.
Raglin Anthony lists the day-to-day pain: control plane patching and upgrades, DNS management across multi-clusters, certificate expiry stalling operations, fragile IAM built on static kubeconfig files, and observability tools running inside the clusters they're supposed to be watching.
Each one is manageable in isolation. Together, they're a full-time job.
Watch the full interview: https://ku.bz/2XqMJnLVx
Forwarded from LearnKube news
Kor is a tool to discover unused Kubernetes resources.
Currently, Kor can identify and list unused:
- ConfigMaps
- Secrets
- Services
- ServiceAccounts
- Deployments
- Statefulsets
- Roles
More: https://ku.bz/J7zwN_LWt
Endpoint-Monitoring Operator probes HTTP/JSON, TCP, DNS, ICMP, Trino, and OpenSearch endpoints via a simple CRD, with built-in Slack and email alerting.
More: https://ku.bz/NqnYpDsKW
This tutorial teaches how to set up a local DNS server specifically for demo environments using dnsmasq and Docker containers.
More: https://ku.bz/r6rbLZ-dH
Forwarded from KubeFM
Rohit Agrawal from Databricks on replacing Kubernetes networking with a proxy-less, client-side load balancing system and eliminating 20-30% over-provisioning across hundreds of services.
You will learn:
- Why KubeProxy's L4 routing breaks down for gRPC: it picks a backend once per connection, not per request
- How Databricks built an Endpoint Discovery Service that streams real-time pod metadata to every client
- How zone-aware spillover cuts cross-AZ costs without sacrificing availability
- Why CPU-based routing failed and what signals to use instead
Watch (or listen to) it here: https://ku.bz/y803JMhBk
Sponsored by LearnKube: Kubernetes training, online or in-person. https://learnkube.com/training
With @Birthmarkb
ch-vmm lets you run Cloud Hypervisor virtual machines inside Kubernetes like regular pods with support for snapshots, rollbacks, and multi-VM management.
More: https://ku.bz/v_Tn_YMGf
Forwarded from Kube Careers
This week's 6 Kubernetes jobs that offer VISA sponsorships are:
Machine Learning Engineer with Anthropic
$350.15K to $850.37K a year
Hybrid in Zurich, CH, On-site in San Francisco, CA, USA
https://ku.bz/8QWBc6mRK
Site Reliability Engineer with OpenAI
$230K to $490K a year
On-site in San Francisco, CA, USA
https://ku.bz/qZFG_pnlB
Platform Engineer with The San Francisco Compute Company
$250K to $325K a year
Remote from the United States of America
https://ku.bz/Qqg1zYQzR
DevOps Engineer with Parloa
$225K to $335K a year
Remote from the United States of America, Hybrid in Berlin, DE; Munich, DE
https://ku.bz/n4xTCdHsz
Browse 5992 jobs on Kube Careers: https://kube.careers
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 178:
- Kubernetes Remote Code Execution via nodes/proxy Get Permission
- Aetòs: From Chaos to Engineering Excellence, A 3-Year Transformation
- Kubernetes v1.35: Extended Toleration Operators to Support Numeric Comparisons
- Reducing Complexity By Migrating from K8S to ECS Fargate for NetworkLessons
- Database State Management in Kubernetes: Running SQL Server on AKS with GitOps
Read it now: https://kube.today/issues/178
This newsletter is brought to you by StormForge by CloudBolt. Stop setting Kubernetes requests. Let ML handle rightsizing https://ku.bz/2wYKp0Q2Y
This case study describes building a centralized multi-account AWS monitoring platform that manages 25+ accounts, using Python Boto3 to fetch resource configurations into MongoDB, with a Flask API and Next.js frontend, achieving $30k annual savings.
More: https://ku.bz/LV7qH0CK1
This project provides a webhook provider for ExternalDNS that lets Kubernetes automatically manage DNS records on a MikroTik RouterOS via its API.
More: https://ku.bz/tGmy_4Bcn