Nicholaos Mouzourakis, Staff Product Security Engineer at Gusto, explains how Open Policy Agent (OPA) integrates with Kubernetes for authorization. He highlights OPA's versatility and performance characteristics, noting that a single node can handle numerous requests with proper optimization.

He describes multiple deployment options, including:

- Standing up multiple OPA instances
- Setting up auto-scaling groups
- Co-locating OPA with server pods
- Running OPA as a WASM module for lower latency

Watch the full episode: https://kube.fmhttps://ku.bz/S-2vQ_j-4

"Self-service capabilities without governance is how you get outages at 3 AM."

Zain Malik from ExoStellar tackles the tension between developer empowerment and platform governance. A mature platform provides standardized interfaces that give users access to what they need—kernel layers, node layers, DOS systems—without compromising reliability.

The key insight: centralization isn't about restriction, it's about creating reliable building blocks that scale.





Watch the full interview: https://ku.bz/rwttMCncv

kubectl-rexec is a kubectl plugin that provides full audit logging for kubectl exec sessions, addressing the security gap where standard exec commands leave no trace of what happens inside containers.

More: https://ku.bz/yRQZ9Jrml

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Tailscale
💰 $16.01M to $20.04M a year
🌎 Fully remote
→ https://ku.bz/J9Cs7QBBp

DevSecOps Engineer with Accenture Federal Services
💰 $10.84M to $20.34M a year
👨‍💻 Remote from
→ https://ku.bz/WdgxCrTlm

DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
👨‍💻 Remote from the United States of America
→ https://ku.bz/NXd17JHfV

DevSecOps Engineer with Anthropic
💰 $300K to $405K a year
👨‍💻 Remote from
→ https://ku.bz/LzVjTfYNp

DevSecOps Engineer with Scale AI
💰 $264K to $330K a year
👨‍💻 Remote from
→ https://ku.bz/BdXCcJX58

👉 Browse 1635 jobs on Kube Careers https://kube.careers

This case study shows how Mindbody used Kyverno policy-as-code to dynamically manage Istio ingress gateways across hundreds of applications without updating individual Helm charts.

More: https://ku.bz/F6-Xr10Yv

Synapse is a high-performance reverse proxy and firewall built with Rust, using XDP-based packet filtering for ultra-low latency protection at kernel level.

More: https://ku.bz/w2PFxxfN8

This article explains the risks of using unmaintained Docker images and how to detect vulnerabilities with tools like Trivy, SBOM operator, and Dependency Track.

More: https://ku.bz/WJ75qXRbV

Ritesh Patel, Co-founder @ Nirmata, explains how Nirmata's AI platform engineering assistant differentiates itself in the market through strategic focus rather than broad appeal.

He demonstrates a direct approach to competitive positioning by acknowledging that their solution isn't for everyone - it's specifically designed for teams that have already adopted Kyverno as their policy engine.

Watch the interview: https://ku.bz/8nkrRSG_Z

Read the announcement: https://ku.bz/8_yYZZMG4

Tibo on why Kubernetes isn't just for enterprise scale — it can be a practical choice for solo self-hosters too.

You will learn:

- Why Ansible's declarative promise fell short with the Podman collection, forcing sequential imperative steps instead of desired-state definitions
- How community Helm charts replace the need to write and maintain every manifest yourself
- Why GitOps isn't just a deployment workflow — it's a disaster recovery strategy when your infrastructure lives in your living room

Watch (or listen to) it here: https://ku.bz/Xk5S7VqXz

🌟 This episode is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training https://learnkube.com/training

With @Birthmarkb

Guardon is a Kubernetes admission controller that enforces security and compliance policies in real-time before resources are created in your cluster.

More: https://ku.bz/d4hT8s9Sw

This week on Learn Kubernetes Weekly 170:

📦 Could lockfiles just be SBOMs?
🌐 Dynamic Istio Ingress Gateway Management with Kyverno
🎮 Factorio in Kubernetes? Well, why not?
🤖 Running DeepSeek Models on Kubernetes: A Backend Engineer's Experiment
⚡ Ephemeral Infrastructure: Why Short-Lived is a Good Thing

Read it now: https://kube.today/issues/170

⭐️ This issue is brought to you by vCluster and LearnKube — join "Multi-Tenancy March" starting Feb 24: a free 3-part hands-on series on namespace isolation, virtual clusters, GPU sharing, and AI agent sandboxing on Kubernetes https://ku.bz/multitenant26

This article shows how to scan Helm charts for insecure RBAC, secret leaks, and malicious templates using tools like Trivy, GitHub Search, and OPA.

More: https://ku.bz/k4MpGVLyZ

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Tailscale
💰 $16.15M to $20.21M a year
🌎 Fully remote
→ https://ku.bz/J9Cs7QBBp

DevSecOps Engineer with Accenture Federal Services
💰 $11.49M to $15.13M a year
👨‍💻 Remote from
→ https://ku.bz/bsl59cPMh

DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
👨‍💻 Remote from the United States of America
→ https://ku.bz/NXd17JHfV

DevSecOps Engineer with Anthropic
💰 $300K to $405K a year
👨‍💻 Remote from
→ https://ku.bz/LzVjTfYNp

DevSecOps Engineer with Point72
💰 $225K to $300K a year
👨‍💻 Remote from
→ https://ku.bz/gG67-vdCY

👉 Browse 2029 jobs on Kube Careers https://kube.careers

Self-service and governance aren't competing forces — they work together.

Peter Kelly explains how Tigera's tiered network policies in Project Calico let platform teams lock down critical rules at an upper layer while giving developers a lower tier to manage their own policies. Security stays immutable at the top, and developers get autonomy within those guardrails.

The key: treat policy tiers like layers — compulsory at the top, flexible at the bottom.

Full interview: https://ku.bz/xgqZJhdyn





Watch the full interview: https://ku.bz/xgqZJhdyn

This interview is a reaction to Ben Poland's episode https://ku.bz/klBmzMY5-

Jan Ludvik on how he cut EKS node startup from 65 to 45 seconds and reduced P90 pod startup by 30 seconds across ~1,000 nodes.

You will learn:

- Why Kubelet's serial image pull default quietly blocks pod startup, and how parallel pulls fix it
- How EBS lazy loading can silently negate image caching in AMIs — and the critical path workaround
- A Lambda-based automation that temporarily boosts EBS throughput during startup, then reverts to save cost
- The kubelet metrics and logs that expose pod and node startup latency, most teams never monitor

Watch (or listen to) it here: https://ku.bz/B7TzKXyxf

🌟 This episode is brought to you by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training https://learnkube.com/training

With @Birthmarkb

This week on Learn Kubernetes Weekly 171:

🔍 Stop Hunting Logs: How OpenTelemetry Brings Metrics, Logs, and Traces Together
🚀 Continuous Frontend Deployments at Scale: 7000 Deployments per Month with GitOps
⚙️ How We Replaced the Default Kubernetes Scheduler to Optimize Our Continuous Integration Builds
🏗️ Building Production-Ready Micro Frontends in Kubernetes: A Pragmatic Approach
🔐 Detecting Vulnerabilities in Public Helm Charts

Read it now: https://kube.today/issues/171

⭐️ This issue is brought to you by vCluster and LearnKube — join "Multi-Tenancy March" starting Feb 24: a free 3-part hands-on series on namespace isolation, virtual clusters, GPU sharing, and AI agent sandboxing on Kubernetes https://ku.bz/multitenant26

This week's 6 best Kubernetes vacancies that focus on security are:

DevSecOps Engineer with Anthropic
💰 $40.5M to $48.5M a year
🏠 From the office in San Francisco, CA, USA
→ https://ku.bz/wrrnmcjDQ

DevSecOps Engineer with Tailscale
💰 $16.01M to $20.04M a year
🌎 Fully remote
→ https://ku.bz/J9Cs7QBBp

DevSecOps Engineer with Accenture Federal Services
💰 $11.49M to $15.13M a year
👨‍💻 Remote from
→ https://ku.bz/bsl59cPMh

DevSecOps Engineer with OpenAI
💰 $364.5K to $490K a year
👨‍💻 Remote from the United States of America
→ https://ku.bz/NXd17JHfV

DevSecOps Engineer with xAI
💰 $180K to $440K a year
👨‍💻 Remote from
→ https://ku.bz/R4vBYC5mW

👉 Browse 2270 jobs on Kube Careers https://kube.careers

kseal is a kubeseal companion CLI for viewing, exporting, encrypting, and offline decrypting Kubernetes Sealed Secrets without needing live cluster access.

More: https://ku.bz/JbNY0d2Ch

Push-to-K8s is a Kubernetes controller written in Go that automatically synchronizes labeled secrets from a source namespace to all other namespaces in the cluster with real-time change detection propagating updates in 5-10 seconds.

More: https://ku.bz/z-7ytwsb-

Radosław from aleno migrated from ECS to Kubernetes — spot instances broke at 20+ containers, firewalls silently dropped traffic, and the wrong memory metric caused OOM kills.

You will learn:

- Why ECS spot instances have no built-in fallback mechanism — and how Karpenter's flexible instance selection solves it
- How running Flux and Argo CD together gives infra teams git-push workflows while developers get a UI
- Why the default Kubernetes memory metric includes evictable caches — and switching to working set fixed OOM errors
- How jemalloc cut memory usage by 20% and fixed HPA autoscaling for WebSocket containers

Watch (or listen to) it here: https://ku.bz/x6wFMhVsx

🌟 This episode is sponsored by LearnKube — get started on your Kubernetes journey through comprehensive online, in-person, or remote training https://learnkube.com/training

With @Birthmarkb