Learn Kubernetes Weekly issue 133 · 28 May 2025

Writing my own Kubernetes, Scaling VMs in Kubernetes, API Server Proxy, CVE-2024-10220, Exploit me, baby, one more time

This newsletter is brought to you by Fairwinds — expert-led, fully managed Kubernetes that frees your engineers from infrastructure headaches and puts you on the fast track to production-grade success.

Articles

  1. A journey of writing my own Kubernetes

    medium.com

    This article walks through a from-scratch reimplementation of Kubernetes in Go, backed by etcd and containerd, with its own kubelet, API server, and kube-proxy.

    It creates pods, services, and endpoints, and wires up networking by manipulating iptables rules directly.

  2. In-House Kubernetes vs. Managed Kubernetes-as-a-Service

    www.fairwinds.com

    Spending more time managing Kubernetes than building your product? You’re not alone.

    Explore the pros and cons of "build vs. buy" to find the right fit for your team.

    sponsored

  3. Scaling Virtual Machines in Kubernetes Clusters: Insights for Kubernetes Applications

    msschuman.medium.com

    This study benchmarks Vultr-based clusters with k6, comparing Regular, AMD EPYC, and Intel Xeon node pools under synthetic load.

    In these runs the Intel nodes delivered the highest stability and requests per second, and a 1:1 pod-to-vCPU ratio gave the best results.

  4. Exploring the Kubernetes API Server Proxy

    raesene.github.io

    The Kubernetes API server includes an HTTP proxy (the pods/proxy, nodes/proxy and services/proxy subresources) that lets an authorized caller reach pods, nodes and services over the cluster network, with the API server itself making the outbound connection.

    That makes proxy rights more powerful than they look: with proxy and node rights, an attacker can use the API server as an SSRF pivot into networks only the control plane can reach, or override a pod's IP so that proxied traffic is delivered to a host of their choosing and data is exfiltrated. Treat the proxy verb as something to audit, not as harmless read access.

  5. CVE-2024-10220: Attack and Defense

    medium.com

    This analysis walks through CVE-2024-10220, a flaw in Kubernetes' deprecated gitRepo volume type: kubelet itself clones the repository onto the node, so a pod author who points the volume at a fake bare repository carrying git hooks gets those hooks executed by kubelet's git process, a root-level escape from the container to the host.

    Any principal allowed to create a pod with that volume type can trigger it, and gitRepo has been deprecated for years, so the practical defense is to remove remaining uses (clone from an init container into an emptyDir instead) and block the volume type at admission.

  6. Exploit me, baby, one more time: command injection in Kubernetes Log Query

    akamai.com

    This article breaks down a critical RCE flaw in Kubernetes' node log query feature (the kubelet /logs endpoint behind the NodeLogQuery feature gate, reachable through the API server's nodes/proxy subresource).

    On Windows nodes the query was handed to PowerShell with the caller-supplied pattern parameter interpolated without validation, so an attacker able to reach the endpoint could inject PowerShell commands and obtain SYSTEM-level access on the node.
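A check a practitioner will want after reading item 4, as an added example for this issue (it is not code from the article or from Kubernetes): an offline audit of Role and ClusterRole objects that flags every rule able to reach the pods/proxy, nodes/proxy or services/proxy subresources. The matching follows the RBAC authorizer's resource rules (`*`, an exact `resource/subresource`, or the `*/subresource` wildcard); the sample roles below are constructed, and the items of `kubectl get clusterroles,roles -A -o json` are the intended real input.

```python
"""Find RBAC rules that grant access to the API server proxy.

Added example for this issue, not code from the article or from Kubernetes.
It evaluates Role/ClusterRole objects offline using the same resource
matching the RBAC authorizer applies ("*", an exact "resource/subresource",
or the "*/subresource" wildcard) and reports every rule that can reach
pods/proxy, nodes/proxy or services/proxy.
"""
from __future__ import annotations

import json

PROXY_SUBRESOURCES = ("pods/proxy", "nodes/proxy", "services/proxy")

# The proxy maps HTTP methods onto RBAC verbs (GET->get, POST->create,
# PUT->update, PATCH->patch, DELETE->delete), so any of these verbs on a
# proxy subresource lets the caller send requests through the API server.
PROXY_VERBS = {"get", "create", "update", "patch", "delete", "*"}


def proxy_subresources_in_rule(rule: dict) -> set[str]:
    """Return the proxy subresources a single PolicyRule matches."""
    groups = rule.get("apiGroups") or []
    # pods, nodes and services live in the core API group, written as "".
    if "" not in groups and "*" not in groups:
        return set()
    verbs = set(rule.get("verbs") or [])
    if not verbs & PROXY_VERBS:
        return set()
    hits: set[str] = set()
    for resource in rule.get("resources") or []:
        if resource in ("*", "*/proxy"):
            hits.update(PROXY_SUBRESOURCES)
        elif resource in PROXY_SUBRESOURCES:
            hits.add(resource)
    return hits


def audit_roles(roles: list[dict]) -> list[dict]:
    """Return one finding per (role, proxy subresource) a rule can reach."""
    findings: list[dict] = []
    for role in roles:
        kind = role.get("kind")
        meta = role.get("metadata") or {}
        for rule in role.get("rules") or []:
            for sub in sorted(proxy_subresources_in_rule(rule)):
                # Nodes are cluster-scoped, so a namespaced Role cannot grant
                # nodes/proxy; only a ClusterRole bound cluster-wide can.
                if kind == "Role" and sub == "nodes/proxy":
                    continue
                findings.append({
                    "kind": kind,
                    "namespace": meta.get("namespace", ""),
                    "name": meta.get("name"),
                    "subresource": sub,
                    "verbs": sorted(set(rule.get("verbs") or []) & PROXY_VERBS),
                })
    return findings


def load_roles(path: str) -> list[dict]:
    """Load the `items` of a `kubectl get ... -o json` list document."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)["items"]


# Constructed sample roles (not taken from any real cluster).
SAMPLE_ROLES: list[dict] = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "node-proxy-user"},
     "rules": [{"apiGroups": [""], "resources": ["nodes/proxy"], "verbs": ["get"]}]},
    {"kind": "Role", "metadata": {"name": "pod-proxy-user", "namespace": "team-a"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/proxy", "nodes/proxy"],
                "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "team-a"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "any-proxy"},
     "rules": [{"apiGroups": [""], "resources": ["*/proxy"], "verbs": ["create"]}]},
]


if __name__ == "__main__":
    for f in audit_roles(SAMPLE_ROLES):
        print(f"{f['kind']:12} {f['namespace'] or '-':8} {f['name']:16} "
              f"{f['subresource']:16} {','.join(f['verbs'])}")
```

The audit only tells you which roles carry the rights; pair it with the bindings (`kubectl get clusterrolebindings,rolebindings -A`) to see which subjects actually hold them, and remember that `cluster-admin` style wildcard rules match the proxy subresources without ever naming them.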

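Following item 5, an added example for this issue (not code from the article or from Kubernetes) that finds gitRepo volumes, including ones buried in the pod templates of Deployments, Jobs and CronJobs, and rewrites each into the replacement the Kubernetes docs recommend: an emptyDir populated by an init container that runs git itself, so kubelet never does. The sample manifests are constructed and the `alpine/git` image name is an assumption to replace with an image you trust.

```python
"""Find gitRepo volumes in manifests and build the init-container replacement.

Added example for this issue, not code from the article or from Kubernetes.
It walks Pods and the pod templates embedded in Deployments, StatefulSets,
DaemonSets, ReplicaSets, Jobs and CronJobs, reports every gitRepo volume,
and produces the emptyDir-plus-init-container form the Kubernetes docs
recommend instead of gitRepo. Feed it the items of
`kubectl get pods,deploy,sts,ds,rs,jobs,cronjobs -A -o json` to scan a cluster.
"""
from __future__ import annotations

from typing import Iterator

TEMPLATE_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "ReplicaSet", "Job"}


def flatten(objects: list[dict]) -> Iterator[dict]:
    """Unwrap `kind: List` documents so each workload is visited once."""
    for obj in objects:
        if obj.get("kind") == "List":
            yield from flatten(obj.get("items") or [])
        else:
            yield obj


def pod_specs(obj: dict) -> Iterator[tuple[str, dict]]:
    """Yield (json path, PodSpec) for a Pod or a workload embedding a pod template."""
    kind = obj.get("kind")
    spec = obj.get("spec") or {}
    if kind == "Pod":
        yield "spec", spec
    elif kind in TEMPLATE_KINDS:
        pspec = (spec.get("template") or {}).get("spec")
        if pspec is not None:
            yield "spec.template.spec", pspec
    elif kind == "CronJob":
        job = (spec.get("jobTemplate") or {}).get("spec") or {}
        pspec = (job.get("template") or {}).get("spec")
        if pspec is not None:
            yield "spec.jobTemplate.spec.template.spec", pspec


def find_gitrepo_volumes(objects: list[dict]) -> list[dict]:
    """Return one finding per gitRepo volume, with enough detail to act on it."""
    findings: list[dict] = []
    for obj in flatten(objects):
        meta = obj.get("metadata") or {}
        for path, pspec in pod_specs(obj):
            for vol in pspec.get("volumes") or []:
                git = vol.get("gitRepo")
                if git is None:
                    continue
                findings.append({
                    "kind": obj.get("kind"),
                    "namespace": meta.get("namespace", ""),
                    "name": meta.get("name"),
                    "path": f"{path}.volumes[{vol.get('name')}]",
                    "repository": git.get("repository"),
                    "revision": git.get("revision", ""),
                    "directory": git.get("directory", ""),
                })
    return findings


def migrate_volume(vol: dict, image: str = "alpine/git") -> tuple[dict, list[dict]]:
    """Translate one gitRepo volume into (emptyDir volume, init containers).

    The clone runs in an ordinary container instead of in kubelet, and git is
    invoked with an argument list rather than a shell string, so neither the
    URL nor the revision is ever interpreted as code. `image` is an assumption.
    """
    git = vol["gitRepo"]
    repo = git["repository"]
    mount = "/work"
    directory = git.get("directory") or ""
    # gitRepo semantics: "" clones into <volume>/<repo name> (git's default
    # naming), "." into the volume root, anything else into <volume>/<directory>.
    if directory == "":
        name = repo.rstrip("/").rsplit("/", 1)[-1]
        target = f"{mount}/{name[:-4] if name.endswith('.git') else name}"
    elif directory == ".":
        target = mount
    else:
        target = f"{mount}/{directory}"
    mounts = [{"name": vol["name"], "mountPath": mount}]
    init = [{"name": f"clone-{vol['name']}", "image": image,
             "command": ["git", "clone", "--", repo, target], "volumeMounts": mounts}]
    if git.get("revision"):
        init.append({"name": f"checkout-{vol['name']}", "image": image,
                     "command": ["git", "-C", target, "checkout", "--", git["revision"]],
                     "volumeMounts": mounts})
    return {"name": vol["name"], "emptyDir": {}}, init


# Constructed sample manifests (not from any real cluster).
SAMPLE_OBJECTS: list[dict] = [
    {"kind": "Pod", "metadata": {"name": "web", "namespace": "default"},
     "spec": {"containers": [{"name": "app", "image": "nginx"}],
              "volumes": [{"name": "site", "gitRepo": {
                  "repository": "https://example.invalid/site.git",
                  "revision": "abc123", "directory": "."}}]}},
    {"kind": "Deployment", "metadata": {"name": "api", "namespace": "prod"},
     "spec": {"template": {"spec": {"volumes": [
         {"name": "cfg", "gitRepo": {"repository": "https://example.invalid/cfg.git"}}]}}}},
    {"kind": "CronJob", "metadata": {"name": "nightly", "namespace": "prod"},
     "spec": {"jobTemplate": {"spec": {"template": {"spec": {"volumes": [
         {"name": "scratch", "emptyDir": {}}]}}}}}},
]

if __name__ == "__main__":
    for f in find_gitrepo_volumes(SAMPLE_OBJECTS):
        print(f"{f['kind']} {f['namespace']}/{f['name']} {f['path']} -> {f['repository']}")
```

The finder is the inventory step; the generated init containers are a starting point to review (image pinning, credentials for private repositories, and a read-only mount in the app container are still yours to add). Once no workloads use gitRepo, an admission policy that rejects the volume type keeps it from coming back.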
Articles worth checking out:

Kubernetes Best Practices in 2025

A strong cloud native foundation starts with Kubernetes done right.

Avoid pitfalls, implement smart policies, and unlock the full value of Kubernetes with these best practices.

Learn more about the Kubernetes best practices in 2025

Tutorials

  1. Chaos testing a Postgres cluster managed by cloud-nativepg

    coroot.com

    This article tests Postgres HA under chaos in Kubernetes using CloudNativePG for DB management and Coroot for full-stack observability.

    It simulates CPU noise, query locks, and pod kills, showing how eBPF and pg_stat data together reveal the root cause.

  2. Discover How Fathom Transformed Infrastructure and Deployment Speed

    www.fairwinds.com

    Fathom partnered with Fairwinds to streamline its AWS infrastructure and move to Kubernetes. The result?

    Faster deployments, fewer incidents, and more time for innovation—enabling their small team to operate more efficiently at scale.

    sponsored

  3. Scaling under pressure: Chaos Mesh stress tests on EKS auto mode

    medium.com

    This chaos engineering experiment simulates resource spikes on EKS Auto Mode using Chaos Mesh, NGINX, and HPA.

    It shows how Karpenter scales nodes dynamically under CPU stress, respects anti-affinity, and reclaims resources post-load to optimize cost.

  4. Istio Gateways and VirtualServices: Locally Exposing Kubernetes Services Made Easy

    medium.com

    The article details using Istio Gateways and VirtualServices to expose Kubernetes services locally, enabling shared gateways with TLS.

    This decouples networking from app code, simplifying traffic management in dev environments.

  5. Exploring Istio: The power of service mesh in Kubernetes

    medium.com

    Learn how to use Istio, a service mesh, to manage microservices in Kubernetes.

    This article covers traffic control, mTLS security, and observability with Kiali, Prometheus, and Jaeger, using a Garage Management System as a practical example.

Performance testing Kubernetes workloads

If you're tasked with performance testing Kubernetes workloads without much guidance, this episode offers clear, experience-based strategies that go beyond theory.

Stephan Schwarz, a DevOps engineer at iits-consulting, walks through his systematic approach to performance testing Kubernetes applications. He covers everything from defining what performance actually means, to the practical methodology of breaking individual pods to understand their limits, and navigating the complexities of Kubernetes-specific components that affect test results.

You will learn:

  • How to establish baseline performance metrics by systematically testing individual pods, disabling autoscaling features, and documenting each incremental change to understand real application limits
  • Why shared Kubernetes components skew results and how ingress controllers, service meshes, and monitoring stacks create testing challenges that require careful consideration of the entire request chain
  • Practical approaches to HPA configuration, including how to account for scaling latency, the time delays inherent in Kubernetes scaling operations, and planning for spare capacity based on your SLA requirements
  • The role of observability tools like OpenTelemetry in production environments where load testing isn't feasible, and how distributed tracing helps isolate performance bottlenecks across interdependent services

Kubernetes jobs

    • Software Engineer with Hootsuite

    • Salary: CA$80.7K to CA$113.1K a year

    • Location: remote from Canada, the United States

    • Tech stack: Kubernetes, Docker, Go, Javascript, Java, Scala, PHP, Mongo, MySQL

    • Site Reliability Engineer with SpaceX

    • Salary: $120K to $170K a year

    • Location: based in the office in Hawthorne, CA, USA

    • Tech stack: Kubernetes, On-premise, Docker, Go, Shell, Python, C++, C, Terraform, Ansible

    • Data Engineer with Black Canyon Consulting

    • Salary: $115K to $150K a year

    • Location: remote from the United States

    • Tech stack: Kubernetes, AWS, Azure, GCP, Anthos, ArgoCD, Docker, Python, C++, Spark

    • Software Engineer with CookUnity

    • Salary: $150K to $165K a year

    • Location: remote from the United States

    • Tech stack: Kubernetes, AWS, On-premise, Docker, Javascript, GraphQL, Typescript, Kotlin, Redis, PostgreSQL

    • Software Engineer with ClickHouse

    • Salary: $118K to $209.5K a year

    • Location: remote from the United States

    • Tech stack: Kubernetes, AWS, Azure, GCP, Go, SQL, Terraform, Gitlab

Discover more Kubernetes jobs on Kube Careers →

Code & tools

  1. The Bare Metal Operator

    metal3.io

    The Bare Metal Operator implements a Kubernetes API for managing bare metal hosts.

    It maintains an inventory of available hosts as instances of the BareMetalHost Custom Resource Definition.

  2. Lazy-Pull OCI Images

    github.com/containerd

    Stargz Snapshotter is a containerd plugin enabling lazy pulling of eStargz-formatted OCI images.

    It fetches image data on demand, reducing startup time by avoiding full-image pre-pulls.

  3. Kubernetes History Inspector: Interactive Timeline Debugging

    github.com/GoogleCloudPlatform

    Kubernetes History Inspector (KHI) turns raw Kubernetes logs into a visual, filterable timeline.

    It correlates multi-type logs, diffs resource states, and shows topology.

  4. Freelens: Cross-Platform GUI for Kubernetes Cluster Management

    github.com/freelensapp

    Freelens is a cross-platform GUI for managing Kubernetes clusters.

    It bundles kubectl/Helm, supports kubeconfig, and runs on macOS, Linux, and Windows.

  5. Helm-mapkubeapis: Fix Deprecated APIs in Helm Releases

    github.com/helm

    mapkubeapis is a Helm v3 plugin that rewrites, in place, the metadata of a Helm release that references deprecated or removed Kubernetes APIs so that it uses the currently supported API versions.

Subscribe to Learn Kubernetes Weekly

Trusted by 77K engineers. Delivered 150 issues and counting.

Upcoming Kubernetes events

  1. May

    29

    Kubernetes Topics Trends

    Online webinar organized by Learnk8s.

    • This is a virtual event

    • This is a free event.

  2. Jun

    2

    Docker vs. Podman & Development of Spegel, a stateless OCI registry mirror for clusters

    In-person meetup organized by Cloud Native Nürnberg.

    • Location: Nürnberg, DE

    • This is a free event.

  3. Jun

    4

    Kubernetes Community Days New York 2025

    In-person conference organized by KCD New York.

    • Location: New York, NY, USA

    • This event requires an entrance fee

      • Use LEARNK8S to get 10% off

  4. Jun

    5

    Kubernetes Community Days Czech & Slovak 2025

    In-person conference organized by KCD Czech & Slovak.

    • Location: Bratislava, SK

    • This event requires an entrance fee

  5. Jun

    26

    Advanced Kubernetes course

    Online workshop organized by Learnk8s.

    • This is a virtual event

    • This event requires an entrance fee

Discover more Kubernetes events on Kube Events →

Thanks to our sponsors who make Kube Today possible

  • LearnKube
  • Akamai
  • Fairwinds
  • Densify
Find out more about being a sponsor →

Kubernetes call for papers

  1. expired

    Cloud Native Days Austria

    The call for papers was open until 31 May 2025 (UTC). More info →
    • Location: Vienna, AT

    • In-person conference organized by CNDA Austria.

    • The conference starts on the 8 October 2025.

    • Apply here
  2. expired

    Cloud Native Denmark 2025

    The call for papers was open until 16 June 2025 (UTC). More info →
    • Location: Aarhus, DK

    • In-person conference organized by CND.

    • The conference starts on the 17 April 2025.

    • Apply here
  3. expired

    Kubernetes Community Days Porto 2025

    The call for papers was open until 30 June 2025 (UTC). More info →
    • Location: Porto, PT

    • In-person conference organized by KCD Porto.

    • The conference starts on the 4 November 2025.

    • Apply here
  4. expired

    Kubernetes Community Days Warsaw 2025

    The call for papers was open until 16 June 2025 (UTC). More info →
    • Location: Warsaw, PL

    • In-person conference organized by KCD Warsaw.

    • The conference starts on the 9 October 2025.

    • Apply here
  5. expired

    Kubernetes Community Days UK Edinburgh 2025

    The call for papers was open until 9 June 2025 (UTC). More info →
    • Location: Edinburgh, UK

    • In-person meetup organized by KCD UK.

    • The meetup starts on the 21 October 2025.

    • Apply here
  6. expired

    Texas Linux Festival 2025

    The call for papers was open until 3 August 2025 (UTC). More info →
    • Location: Austin, TX, USA

    • In-person conference organized by TXLF.

    • The conference starts on the 4 October 2025.

    • Apply here
  7. expired

    Devopsdays Tel Aviv

    The call for papers was open until 15 June 2025 (UTC). More info →
    • Location: Tel Aviv, IL

    • In-person conference organized by Devopsdays.

    • The conference starts on the 11 December 2025.

    • Apply here
  8. expired

    Open Source Summit Japan 2025

    The call for papers was open until 4 August 2025 (UTC). More info →
    • Location: Tokyo, JP

    • In-person conference organized by Linux Foundation.

    • The conference starts on the 10 December 2025.

    • Apply here
  9. expired

    Devopsdays Dallas

    The call for papers was open until 2 June 2025 (UTC). More info →
    • Location: Dallas, TX, USA

    • In-person conference organized by Devopsdays.

    • The conference starts on the 17 September 2025.

    • Apply here

Until next time!

— Dan
