Happy to present our newest digest of the prominent software updates in the Cloud Native ecosystem!

Release Spotlight: Crossplane v1.20.0

Last week, Crossplane (a CNCF Incubating project) announced its quarterly release, v1.20.0, with numerous new features and enhancements. The real-time compositions, which actively watch for changes to respond to them immediately, matured to Beta and became enabled by default. The ImageConfig API now supports mirroring Crossplane packages to private repositories. Some community providers, including Kubernetes and Helm, got the change logs feature, enabling these providers to log every change and the reason for it.

Function response caching is a new Alpha feature that allows to cache the responses in the function pipeline to reduce the amount of requests Crossplane sends. Another highlight in this release is including shell autocompletion for the crossplane CLI.

Other noticeable updates in the Cloud Native space:

1. vCluster, a namespace-based solution for virtual Kubernetes clusters, released its v0.25.0, featuring support for external standalone etcd, a simplified initContainer process, added validation for cert-manager, KubeVirt and External Secrets, and deprecated k0s and k3s support.

2. Kmesh, a high-performance service mesh data plane (a CNCF Sandbox project), announced its v1.1.0​​, bringing access logs and metrics for long-lived TCP connections, refactored DNS module, BPF config map optimisation, optimised kernel-native mode, and compatibility with Istio 1.25.

3. Kargo, an application lifecycle orchestration platform for Kubernetes, was updated to v1.5.0, with better Project configuration via a new namespaced CRD, enhanced conditional promotion step execution, ConfigMap access and improved Secret access in expressions, improved Workload Identity Federation support in GKE, and Bitbucket support in git-open-pr and git-wait-for-pr promotion steps.

4. Backstage, a framework for building developer portals (a CNCF Incubating project), has seen v1.39.0, accumulating 260 pull requests from 74 contributors. It got a REST API for Scheduler Service, its design system Canon updated to 0.4.0 (with a new Tab component), federated credentials for Azure DevOps integration, Valkey support for cache service, and custom AuthConnector implementations. It also removed support for several features from the old backend system and deprecated React 17.

5. CloudNativePG, a platform to run and manage PostgreSQL databases in Kubernetes (a CNCF Sandbox project), released its 1.26.0, introducing declarative offline in-place major upgrades of PostgreSQL, enhanced startup and readiness probes for replicas, declarative management of extensions and schemas, a new annotation to enable webhook validation, and integration with autoscalers like Karpenter for better node drain management.

6. Flux (a CNCF Graduated project) landed v2.6.0 just yesterday. It came with the general availability of Flux OCIRepository API to store the Kubernetes desired state in container registries, image automation digest pinning, object-level workload identities, GitHub App authentication for Git repositories, and several improvements in notifications and controllers.

#news #releases

Kaniko reached its end of life

Kaniko is a well-known tool created by Google to build container images inside a container or Kubernetes cluster. Launched in January 2018, it gained good traction in the Cloud Native community. However, it hasn’t been actively developed for the last few years. Yesterday, a PR officially archiving this project was merged, and its Git repo was archived. From now on, Kaniko will no longer be developed or maintained.

#news #tools

Kong Gateway is a Cloud Native, platform-agnostic, scalable API Gateway. Its recent 3.10.x release introduced the following breaking change: “Free mode is no longer available. Running Kong Gateway without a license will now behave the same as running it with an expired license.”

In response to this news, Tetrate Labs promptly released kong2eg, “a migration tool that helps you transition from Kong Gateway to Envoy Gateway by integrating Kong as an external processing extension within Envoy Gateway.”

#news #networking #tools

A quick update on a recent Kaniko news: Chainguard has forked the project here (only 8 GitHub stars at the moment!). They are using it internally and, thus, plan to maintain Kaniko. That's what their README says:

Chainguard is going to keep this fork updated, patched, and maintained. We do not plan any major feature work, but bug fixes and other minor contributions are welcome! We don't plan on publishing built release artifacts (container images, etc.) publicly, but they are available to Chainguard customers.

An official announcement should follow in their blog later this week.

#news

About 5 hours ago, Apple released a Swift package (Containerization) and a CLI tool (container) to easily run Linux containers on Mac computers.

Containerization uses Virtualization.framework on Apple silicon to provide APIs to spawn lightweight virtual machines and manage their runtime environment, manage OCI images, interact with remote registries, etc. It relies on vmnet framework for managing the virtual network to which the containers attach.

container is a user-facing tool for creating and running Linux containers as lightweight virtual machines. It works with OCI-compliant container images, allowing you to interact with common container registries. Using it, you can also configure memory and CPU limitations for containers, build and run multiplatform images, share host files with containers, view container and system logs.

Both projects are available as Open Source (Apache 2 license). More details about them:
- container on GitHub
- Containerization on GitHub
- video presentation by Michael Crosby from WWDC25

#news #tools

Nice timeline for GitOps briefly covering its precursors, emergence and today’s state.

Source: “GitOps in 2025: From Old-School Updates to the Modern Way” by Gerardo Lopez and Saloni Narang on the CNCF blog

#gitops

Kubernetes Gateway API Inference Extension is a new project focused on solving traffic-routing challenges for GenAI and LLM services running on Kubernetes. Built on top of the Gateway API, it adds inference-specific routing capabilities, allowing you to transform existing gateways into a specialised (i.e. inference) one for self-hosted GenAI/LLMs. The project was launched as part of Kubernetes SIGs.

Learn more about Gateway API Inference Extension from this announcement in the Kubernetes blog and the project's GitHub repo.

#news #genai

OpenReports is a new standardisation effort that originated in the Kubernetes Policy Working Group and is designed to “capture, correlate, and export evaluation results for any Kubernetes tool, such as policy engines, scanners, or any controller that wishes to produce reports.” To do so, it develops a unified API and set of tools for both producing and consuming reports.

The current list of report producers OpenReports focuses on includes Falco, Kyverno, Trivy Operator, and Kubewarden. Consumers include Fairwinds Insights, Kyverno Policy Reporter, Lula, Nirmata Control Hub, and Open Cluster Management.

Find more information about OpenReports from this announcement and the official website.

#news

Kubernetes and CNCF won’t be using Slack like before

For ten years, Slack has supported CNCF and Kubernetes by providing a free enterprise account for both workspaces. However, due to recent changes in their business strategy, this generous offer is no longer available for these huge Open Source communities. Thus, both workspaces will be switched to a free plan this Friday, June 20.

This transition brings lots of limitations in Slack workspaces, such as retaining a 90-day history only and disabling several existing apps and workflows. Therefore, the community is considering the following steps, naming migration to Discord as one of the viable options.

P.S. Half a year ago, in December 2024, the Kubernetes workspace hit a hard Slack limit of having no more than 200,000 users per channel. This event also sparked an early discussion of a possible transition from Slack.

Find more details about these changes in the official posts from the Kubernetes project and CNCF.

#news

Imagine a Kubernetes Pod that automatically scales to zero when there’s no load. No, it’s not KEDA doing that, but an implementation on a container runtime level!

Meet zeropod, a containerd shim that performs a container checkpoint for your Pod (i.e. freezes your container and saves it on a disk) when no new TCP connections are coming. After it’s done, the needed port is still listened to, which allows it to restore the container whenever a new connection arrives. Why would you need it? Think of low-traffic websites or your dev environments. Zeropod:

- is implemented as a DaemonSet that installs a binary on the node and leverages a Runtime Class;
- relies on the CRIU (Checkpoint and Restore in Userspace) tool and requires Kubernetes v1.23+ and containerd 1.6+ to work;
- comes with ready-to-use manifests for general deployments and customisations for kind, k3s, GKE, and RKE2;
- offers some experimental features, such as migrating a scaled-down container and live migrating a running container.

Language: Go | License: Apache 2.0 | 434 ⭐️

▶️ GitHub repo

#tools

Salesforce makes a U-turn for the official Slack workspaces of Kubernetes and CNCF. Their enterprise accounts will still be available (with not much other details provided at the moment).

#news

Seeing Kubernetes nodes’ resource consumption in your terminal has become much easier with this new project.

kubectl node-resource is a kubectl plugin that shows resource allocation and their actual utilisation for your Kubernetes nodes. This tool offers:

- A simple list view and a summary view. The latter features histograms and distribution buckets for both resource allocation and utilisation;
- Displaying specific resources only and free resources, as well as sorting nodes by resource usage;
- Structured JSON output to integrate this data with other tools;
- Optimised API server querying to ensure support for large K8s clusters.

Language: Go | License: Apache 2.0 | 77 ⭐️

▶️ GitHub repo

#tools #cli

CNCF got a new Executive Director

Yesterday, a few changes in the CNCF and Linux Foundation top management were announced:

- Priyanka Sharma, the Executive Director at the CNCF for the last five years, stepped down.
- Jonathan Bryce became the Executive Director at the CNCF and Executive Director of Cloud & Infrastructure at the Linux Foundation. He has been the Executive Director of the OpenInfra Foundation since 2012, and this role will stay with him as well. Previously this year, OpenInfra joined the Linux Foundation.
- Chris Aniszczyk, who has been the CTO at the CNCF, keeps this position and also became the CTO of Cloud & Infrastructure at the Linux Foundation. This means he will work on more cloud projects at the parent organisation.

#news

Happy to present our newest digest of the prominent software updates in the Cloud Native ecosystem!

1. OpenEBS, a persistent storage for Kubernetes workloads (a CNCF Sandbox project), released its v4.3.0 with numerous enhancements. They include data-at-rest encryption and IPv6 support in the replicated storage (Mayastor), a new unified plugin for interacting with all supported engines, and a backup garbage collector for LocalPV ZFS.

2. werf, a CLI tool for software delivery to Kubernetes (a CNCF Sandbox project), has recently released v2.38.0 and v2.39.0, bringing several new features. Now, it allows to have external configuration includes (to simplify reusing common templates), use template debugging mode for Helm charts, and keep specific tags while performing automatic cleanup of container images.

3. Argo CD (a CNCF Graduated project) announced v3.1, its next significant update, which is currently available as v3.1.0-rc1 only. This version introduces support for using OCI-compliant container registries as sources for configuration artifacts, support for CLI plugins, scaling resources directly from the UI, and client-side apply migration.

4. OpenTofu, a community-driven Terraform fork (a CNCF Sandbox project), reached v1.10.0 that introduced OCI registry support, native S3 state locking, enhanced planning, global provider cache lock, OpenTelemetry tracing, external key providers, official VS Code extension, Language Server Protocol support, and OpenTofu Registry MCP server.

5. Headlamp, a Web UI for Kubernetes, released 0.31.0 and 0.32.0, featuring tons of improvements. Particularly, the project got a multi-cluster view (experimental), a few new themes and support for plugin-defined themes, support for Node shell, Pod eviction and force deletion, new advanced search, and several new localisations.

6. OpenBao, a community-driven Vault fork, was updated to v2.3 with significant enhancements. Most notably, it now supports tenant isolation using namespaces (it’s available in UI as well), automatic unsealing using the KMIP protocol, and CEL (Common Expression Language) in PKI.

#news #releases

Wondering what LEGO can assemble artfully, besides their well-known blocks? Well, let’s talk about Terraform resources in Kubernetes!

To make this real, this company has recently released Kube Terraform Reconciler (krec), a new Open Source project for platform engineers. It’s a Kubernetes operator for managing Terraform resources, allowing you to:

- Get an infrastructure defined by Terraform workspaces as Kubernetes custom resources and continuously reconciled;
- Specify Terraform backend configuration for workspaces;
- Enable auto-apply for workspaces;
- Use custom providers and modules.

Language: Go | License: Apache 2.0 | 164 ⭐️

▶️ GitHub repo

#tools #IaC

We haven’t shared any Kubernetes-related articles for a while. Filling this gap with some of the latest interesting reads:

1. “Kubernetes is not just for Black Friday” by Thibault Martin.

I’ve always ruled out Kubernetes as too complex machinery designed for large organizations who face significant surges in traffic during specific events like Black Friday sales. I thought Kubernetes had too many moving parts and would work against my objectives. I was wrong. Kubernetes is not just for large organizations with scalability needs I will never have. Kubernetes makes perfect sense for a homelabber who cares about having a simple, sturdy setup.

2. “Exploring Cloud Native projects in CNCF Sandbox. Part 4: 13 arrivals of 2024 H2” by Dmitry Shurupov, Palark.

Familiarise yourself with the following recently added CNCF projects: Ratify, Cartography, HAMi, KAITO, Kmesh, Sermant, LoxiLB, OVN-Kubernetes, Perses, Shipwright, KusionStack, youki, OpenEBS!

3. “Kubernetes List API performance and reliability” by Ahmet Alp Balkan.

We use Kubernetes beyond officially supported/tested scale limits by running more than 5,000 nodes and over a hundred thousand of pods in a single cluster. In these large scale setups, expensive “list” calls on the Kubernetes API are the achilles heel of the control plane reliability and scalability. In this article, I’ll explain which list call patterns pose the most risk, and how recent and upcoming Kubernetes versions are improving the list API performance.

4. “Kubernetes Networking from Packets to Pods” by Luca Cavallin.

The TCP/IP model, which powers the modern internet, is composed of four primary layers: [..] Understanding this layered approach is fundamental, as every network packet in a Kubernetes cluster adheres to this model. We'll explore this entire ecosystem in three parts: the foundational technologies that make it all possible, the core Kubernetes model itself, and finally, advanced topics and practical guides.

5. “What Would a Kubernetes 2.0 Look Like” by Matthew Duggan.

Some common trends have emerged, where mistakes or misconfiguration arise from where Kubernetes isn't opinionated enough. Even ten years on, we're still seeing a lot of churn inside of ecosystem and people stepping on well-documented landmines. So, knowing what we know now, what could we do differently to make this great tool even more applicable to more people and problems?

6. “Rootless container builds on Kubernetes” by Spyros Trigazis, CERN.

In this post, we will present 3 options (podman/buildah, buildkit and kaniko) for building container images in Kubernetes pods as non-root with containerd 2.x as runtime. Further improvements can be made using kata-containers, firecracker, gvisor or others but the complexity increases and administrators have to maintain multiple container runtimes.

#articles

If you often render, validate, and debug Kubernetes manifests, you’ll surely find this new tool helpful.

kat simplifies working with manifests in your terminal by invoking their generators (such as Helm, Kustomize, CUE, KCL, etc.), displaying the resulting resources and providing several convenient features:

- browsable list structure for the Kubernetes resources, fuzzy search and filtering;
- live reload of the displayed data;
- built-in validation based on external tools, such as Kubeconform and Kyverno;
- customisable keybindings, profiles, themes, and even plugins.

P.S. We also can’t conceal the fact that the cat at the helm used for the project’s logo is almost as cute as our channel’s platypus, Pal 😂

Language: Go | License: Apache 2.0 | 61 ⭐️

▶️ GitHub repo
💬 Reddit announcement

#tools #cli

Amazon EKS announced it now supports Kubernetes clusters with up to 100,000 nodes. The authors name massive AI/ML workloads as a possible use case for such setups, which can fit 1.6m AWS Trainium chips or 800k NVIDIA GPUs in a single K8s cluster.

It’s been a significant effort in AWS involving a comprehensive set of improvements aimed at achieving such a scale. Here’s what the engineers did:

- Re-architecting etcd (its new design is illustrated in this post). It involved switching from a Raft-based consensus backend to an internal component built at AWS, moving BoltDB from network-attached Amazon EBS volumes to in-memory storage (tmpfs), and choosing an optimal partitioning scheme.
- Tuning API servers by elaborating specific configurations, enabling strongly-consistent reads from cache and streaming list responses, and using CBOR (Concise Binary Object Representation) encoding for custom resources.
- Optimizing cluster controllers' performance, enhancing Karpenter, scaling the cluster network, and introducing SOCI (Seekable OCI) fast pull for container image pulls.

Find more details, including the resulting benchmark charts, in this blog post.

#news #AWS

According to the State of Tech Talent 2025, published last month by The Linux Foundation (LF Research and LF Education):

- The most significant understaffing persists in the following fields: AI/ML engineering (68%), cybersecurity and compliance (65%), FinOps and cost optimisation (61%), cloud computing (59%), and platform engineering (56%);
- 71% of organisations consider certifications important when recruiting new talent;
- 85% prioritize portfolios of practical work in hiring decisions and see Open Source contributions as proof of technical and collaboration skills;
- 94% expect that AI will deliver significant value in core activities, increasing the need for a skilled workforce.

Find more insights by reading the full report here.

#reports #career

“Have you tried turning it off and on again?..” Well, that’s surely not an approach we really want, but if it’s all you can do for some [nasty] app in Kubernetes, don’t hesitate to look at this workaroundish tool 🫠

Restart-operator is a Kubernetes operator that allows you to define schedules to restart specific workloads — e.g., suffering from memory leaks or needing to apply configuration changes — automatically via rolling updates. It comes with:

- Standard cron-style definitions for the schedules;
- Support for Deployments, StatefulSets, and DaemonSets as workloads, as well as support for K8s namespaces;
- Tracking the status of restarts performed.

Language: Go | License: MIT | 27 ⭐️

▶️ GitHub repo
💬 Reddit announcement

#tools