Self-service and governance aren't competing forces — they work together.

Peter Kelly explains how Tigera's tiered network policies in Project Calico let platform teams lock down critical rules at an upper layer while giving developers a lower tier to manage their own policies. Security stays immutable at the top, and developers get autonomy within those guardrails.

The key: treat policy tiers like layers — compulsory at the top, flexible at the bottom.

Full interview: https://ku.bz/xgqZJhdyn





Watch the full interview: https://ku.bz/xgqZJhdyn

This interview is a reaction to Ben Poland's episode https://ku.bz/klBmzMY5-

Jan Ludvik on how he cut EKS node startup from 65 to 45 seconds and reduced P90 pod startup by 30 seconds across ~1,000 nodes.

You will learn:

- Why Kubelet's serial image pull default quietly blocks pod startup, and how parallel pulls fix it
- How EBS lazy loading can silently negate image caching in AMIs — and the critical path workaround
- A Lambda-based automation that temporarily boosts EBS throughput during startup, then reverts to save cost
- The kubelet metrics and logs that expose pod and node startup latency, most teams never monitor

Watch (or listen to) it here: https://ku.bz/B7TzKXyxf

🌟 This episode is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training https://learnkube.com/training

With @Birthmarkb

This week on Learn Kubernetes Weekly 171:

🔍 Stop Hunting Logs: How OpenTelemetry Brings Metrics, Logs, and Traces Together
🚀 Continuous Frontend Deployments at Scale: 7000 Deployments per Month with GitOps
⚙️ How We Replaced the Default Kubernetes Scheduler to Optimize Our Continuous Integration Builds
🏗️ Building Production-Ready Micro Frontends in Kubernetes: A Pragmatic Approach
🔐 Detecting Vulnerabilities in Public Helm Charts

Read it now: https://kube.today/issues/171

⭐️ This issue is brought to you by vCluster and LearnKube — join "Multi-Tenancy March" starting Feb 24: a free 3-part hands-on series on namespace isolation, virtual clusters, GPU sharing, and AI agent sandboxing on Kubernetes https://ku.bz/multitenant26

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Anthropic
💰 $40.5M to $48.5M a year
🏠 From the office in San Francisco, CA, USA
→ https://ku.bz/wrrnmcjDQ

DevSecOps Engineer with Tailscale
💰 $16.01M to $20.04M a year
🌎 Fully remote
→ https://ku.bz/J9Cs7QBBp

DevSecOps Engineer with Accenture Federal Services
💰 $11.49M to $15.13M a year
👨‍💻 Remote from
→ https://ku.bz/bsl59cPMh

DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
👨‍💻 Remote from the United States of America
→ https://ku.bz/NXd17JHfV

DevSecOps Engineer with xAI
💰 $180K to $440K a year
👨‍💻 Remote from
→ https://ku.bz/R4vBYC5mW

👉 Browse 2270 jobs on Kube Careers https://kube.careers

kseal is a kubeseal companion CLI for viewing, exporting, encrypting, and offline decrypting Kubernetes Sealed Secrets without needing live cluster access.

More: https://ku.bz/JbNY0d2Ch

Push-to-K8s is a Kubernetes controller written in Go that automatically synchronizes labeled secrets from a source namespace to all other namespaces in the cluster with real-time change detection propagating updates in 5-10 seconds.

More: https://ku.bz/z-7ytwsb-

Radosław from aleno migrated from ECS to Kubernetes — spot instances broke at 20+ containers, firewalls silently dropped traffic, and the wrong memory metric caused OOM kills.

You will learn:

- Why ECS spot instances have no built-in fallback mechanism — and how Karpenter's flexible instance selection solves it
- How running Flux and Argo CD together gives infra teams git-push workflows while developers get a UI
- Why the default Kubernetes memory metric includes evictable caches — and switching to working set fixed OOM errors
- How jemalloc cut memory usage by 20% and fixed HPA autoscaling for WebSocket containers

Watch (or listen to) it here: https://ku.bz/x6wFMhVsx

🌟 This episode is sponsored by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training https://learnkube.com/training

With @Birthmarkb

This article explains how EKS authentication tokens work by pre-signing AWS STS GetCallerIdentity calls, and how you can use this technique to implement IAM-based authentication in your own services.

More: https://ku.bz/3WRXBcqzd

This week on Learn Kubernetes Weekly 172:

🔥 Google Cloud Shell Container Escape
🌐 Azure Kubernetes Service Deep Dive Into Azure CNI Pod Subnet
💭 How I Think About Kubernetes
📦 How We Shrunk a Kubernetes Sidecar from 421MB to 90MB (With No OS Inside)
🎯 Kube Resource Orchestrator: Manage any group of resources as one unit

Read it now: https://kube.today/issues/172

⭐️ This newsletter is brought to you by Kubex — Automated Resource Optimization for Kubernetes, GPUs and AI Workloads https://ku.bz/y98T8bWXP

Guardon is a browser extension that catches Kubernetes security misconfigurations during GitHub/GitLab code reviews, providing instant feedback, actionable YAML fixes, a custom rule engine, and Kyverno policy import, with no CI setup required.

More: https://ku.bz/1dwsMRc7S

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Anthropic
💰 $40.5M to $48.5M a year
🏠 From the office in San Francisco, CA, USA
→ https://ku.bz/wrrnmcjDQ

DevSecOps Engineer with Tailscale
💰 $15.95M to $19.97M a year
🌎 Fully remote
→ https://ku.bz/J9Cs7QBBp

DevSecOps Engineer with Accenture Federal Services
💰 $11.49M to $15.13M a year
👨‍💻 Remote from
→ https://ku.bz/bsl59cPMh

DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
👨‍💻 Remote from the United States of America
→ https://ku.bz/NXd17JHfV

DevSecOps Engineer with xAI
💰 $180K to $440K a year
👨‍💻 Remote from
→ https://ku.bz/R4vBYC5mW

👉 Browse 2373 jobs on Kube Careers https://kube.careers

This tutorial teaches how to implement layered security in Kubernetes using Kyverno for admission control and KubeArmor for runtime protection to enforce guardrails.

More: https://ku.bz/SnYRwQhFR

Shyam Jeedigunta, Principal Engineer at Amazon Web Services (AWS), explains the security challenges and solutions for onboarding Kubernetes nodes from different infrastructure providers.

He discusses how to handle identity management, certificate issuance, and trust establishment when nodes come from edge locations, on-premises infrastructure, or other cloud providers rather than the same infrastructure as the control plane.

Watch the full interview: https://ku.bz/m89tLbgcq

"I don't want to see AI agents autonomously control clusters right now."

Nick Eberts draws a clear line: AI assistants are valuable for read-only troubleshooting — giving hints, explaining what's wrong. But making changes? That should go through pull requests and human review, especially in a GitOps workflow. He also flags an emerging challenge: securing agent-to-agent communication between MCP servers and clients, and extending Istio authorization policies into the agent layer.

The takeaway: AI should assist, not act — until the guardrails catch up.



Watch the full interview: https://ku.bz/G1QSYQTn2

This interview is a reaction to Mai Nishitani's episode https://ku.bz/3hWvQjXxp

cert-manager-webhook-pdns is a PowerDNS webhook for cert-manager that enables automated Let's Encrypt certificate issuance using DNS-01 challenges by integrating with PowerDNS API for DNS record management.

More: https://ku.bz/x3vxd7ZpJ

📕 We published a book on optimising and right-sizing GPUs in Kubernetes.

Most GPU clusters show 100% allocation and single-digit actual usage.

The book helps you:

- Tell whether your GPUs are actually computing or just allocated
- Pick the right metrics instead of trusting nvidia-smi
- Choose between time-slicing, MIG, and dedicated GPUs based on real data
- Stop GPU waste from cascading into CPU and memory waste

Download it for free here: ku.bz/KL4jRvsL4

This book was made possible by Kubex.

"The supply chain has become the sharp end of the wedge."

Andrew Martin traces the evolution of software supply chain attacks from boot sector viruses to modern npm-borne worms. His team signs everything, generates SBOMs, and verifies Cosign artifacts at admission time into Kubernetes clusters.

The prediction for 2026: continuous validation of supply chain security metadata at runtime will become a staple in Kubernetes security tooling this year.



Watch the full interview: https://ku.bz/wyMlWGTqf

This tutorial teaches how to implement Kubernetes egress control using Squid proxy and NetworkPolicy for visibility and enforcement of outbound traffic without service mesh complexity.

More: https://ku.bz/XyLs9nnzh

Karpenter can rotate your nodes for three reasons: they're underutilized, they're empty, or the AMI has drifted from what you specified.

You can set a disruption budget for each reason to control how many nodes rotate at once. But here's the catch: if you only set budgets for two reasons and skip the third, Karpenter doesn't disable it. It silently applies a default 10% budget to any reason you didn't mention.

Adhi Sutandi's team found this the hard way — drift events fired during maintenance windows they thought were locked down. The fix? Set a single budget of one node with no reason qualifier, so it applies to everything.



New episode out now: https://ku.bz/XyVfsSQPr

Chainloop is an evidence store and policy engine for Software Supply Chain attestations, SBOMs, VEX, SARIF, and QA reports, with contract-based workflows, Rego policy evaluation, and third-party integrations such as Dependency-Track and Guac.

More: https://ku.bz/_wQslV4bc

This week on Learn Kubernetes Weekly 173:

🔥 Kubernetes Egress Control with Squid Proxy
💪 How We Turned a Forced OS Migration into a 30% Infrastructure Reduction
⚡ Auto-scaling and Load-based Scaling in Kubernetes
🎯 Smart Scheduler: Intelligent Pod Placement for Kubernetes Cost Optimization
🤖 Using Claude Code to Pilot Kubernetes on Autodock

Read it now: https://kube.today/issues/173

⭐️ This newsletter is brought to you by Hadron, the new lightweight secure Linux OS from the Kairos team https://ku.bz/mMZytrj-z