Learn Kubernetes Weekly issue 178 · 8 Apr 2026
This newsletter is brought to you by StormForge by CloudBolt. Stop setting Kubernetes requests. Let ML handle rightsizing.
Kubernetes remote code execution via nodes/proxy get permission
grahamhelton.com
This article shows how nodes/proxy GET permission in Kubernetes enables command execution in any Pod across the cluster via a WebSocket authorization bypass, affecting 69 Helm charts, including major monitoring tools like Prometheus and Datadog.
CI/CD is automated. Kubernetes right-sizing isn’t.
www.cloudbolt.io
59% deploy to production automatically, but only 27% allow CPU/memory right-sizing changes to auto-apply within guardrails.
This report covers what conditions teams require to trust automation in production.
sponsored
Aetòs: From Chaos to Engineering Excellence — A 3-Year Transformation
medium.com
This case study shows how Portworx built Aetòs, an Internal Developer Platform processing 50M daily API calls, managing 14,000 VMs, achieving 70% cloud cost reduction, and saving 10,000 engineering hours quarterly.
Kubernetes v1.35: Extended Toleration Operators to Support Numeric Comparisons
kubernetes.io
This article introduces Gt and Lt operators for pod tolerations in Kubernetes 1.35, enabling threshold-based scheduling with numeric taint values, such as failure probability or cost metrics, rather than exact matching.
Reducing Complexity By Migrating from K8S to ECS Fargate for NetworkLessons
dev.to
This case study shows how NetworkLessons migrated from Kubernetes to ECS Fargate using AWS CDK, reducing operational complexity while implementing multi-account architecture, automated cost controls, and infrastructure as code.
Database State Management in Kubernetes: Running SQL Server on AKS with GitOps
medium.com
This case study shows how to run SQL Server on Azure Kubernetes Service using StatefulSets, persistent volumes, and GitOps for multi-tenant database deployments.
Stop Setting Kubernetes Requests
Most teams overprovision to stay safe.
CloudBolt uses ML to continuously rightsize workloads, tuning requests and limits based on real usage without breaking HPA or risking performance.

Kubernetes Rightsizing Automation with Actionable Chargeback
www.cloudbolt.io
See a practical “better together” approach: EKS Auto Mode reduces cluster ops overhead while StormForge continuously right-sizes workload requests.
This webinar includes live demo + how to make cost allocation actionable (idle, overhead, shared services).
sponsored
Deploy LLM Models on OpenShift
medium.com
This tutorial shows how to deploy LLM models on OpenShift without operators by using llama.cpp with a quantized GGUF model, building a multi-stage container image, and exposing it via standard Kubernetes resources.
Enforcing Signed Container Images in Kubernetes Using Cosign & Kyverno
medium.com
This tutorial teaches how to enforce signed container images in Kubernetes using Cosign for signing, Harbor for storage, and Kyverno admission controller for verification, including custom CA trust configuration and CI/CD integration patterns.
Modernizing Jenkins: From Static Agents to Kubernetes Dynamic Pods
medium.com
This tutorial shows how to modernize Jenkins by replacing static agents with Kubernetes dynamic pods for cost tracking, resource isolation, and scalability using namespace-based builds and the Kubernetes plugin.
Building a Local Data Platform with Kubernetes and Terraform
blog.dataengineerthings.org
This tutorial shows how to build a local data platform using KinD for Kubernetes and Terraform for infrastructure provisioning, with Argo CD as the GitOps engine for deploying and managing applications.
You're running gRPC services in Kubernetes, load balancing looks fine on the dashboard — but some pods are burning at 80% CPU while others sit idle, and adding more replicas only partially helps.
Rohit Agrawal, a Staff Software Engineer on the traffic platform team at Databricks, explains why this happens and how his team replaced Kubernetes's default networking with a proxy-less, client-side load-balancing system built on the xDS protocol.
In this episode:
The system has been running in production for three years across hundreds of services, handling millions of requests.
Software Engineer with Remote
Salary: $53.3K to $119.85K a year
Location: fully remote
Tech stack: Kubernetes, AWS, Docker, GitHub, GitHub Actions, Gitlab, Jenkins, Postgres, AI
Software Engineer with Remote
Salary: $53.3K to $119.85K a year
Location: fully remote
Tech stack: Kubernetes, AWS, Docker, GitHub, CI/CD, Gitlab, compliance, AWS IAM, security
Software Engineer with Remote
Salary: $53.3K to $119.85K a year
Location: fully remote
Tech stack: Kubernetes, AWS, Docker, GitHub, Gitlab, Jenkins, AWS IAM, security, Postgres
Software Engineer with Remote
Salary: $53.3K to $119.85K a year
Location: fully remote
Tech stack: Kubernetes, AWS, Docker, GitHub, CI/CD, Gitlab, compliance, security, Postgres
Software Engineer with Remote
Salary: $53.3K to $119.85K a year
Location: remote from
Tech stack: Kubernetes, AWS, Docker, GitHub, CI/CD, Gitlab, Jenkins, AWS IAM, security
Discover more Kubernetes jobs on Kube Careers →
Netfence: eBPF Network Filter Daemon
github.com/danthegoodman1
Netfence runs as a daemon, injecting eBPF filter programs into cgroups and network interfaces, with a built-in DNS server that resolves allowed domains and populates IP allowlists, and connecting to a central control plane to synchronize network rules.
Kubernetes Orphaned Resources Finder
github.com/yonahd
Kor is a tool to discover unused Kubernetes resources.
Currently, Kor can identify and list unused:
IncidentFox: AI Incident Response
github.com/incidentfox
IncidentFox automates incident investigation with AI agents using 178+ tools for Kubernetes, AWS, and Grafana, featuring RAPTOR knowledge base for runbooks, alert correlation reducing noise by 85-95%, and Slack/GitHub/PagerDuty integrations.
Endpoint-Monitoring Operator: Kubernetes monitoring operator
github.com/LiciousTech
Endpoint-Monitoring Operator probes HTTP/JSON, TCP, DNS, ICMP, Trino, and OpenSearch endpoints via a simple CRD, with built-in Slack and email alerting.
github.com/yokecd
Yoke is an IaC tool inspired by Helm that leverages WebAssembly and Go to dynamically deploy Kubernetes packages with executable runtime capabilities.
It supports revision tracking, rollback, and inspection.
Apr 9
What I'll Tell My Kids About Kubernetes Security & K8s-wish
In-person meetup organized by Cloud Native Belgium.
Location: Brussels, BE
This is a free event.
Apr 11
Kubernetes Community Days Kochi 2026
In-person conference organized by KCD Kochi.
Location: Kochi, IN
This is a free event.
Apr 14
In-person conference organized by Devopsdays.
Location: Tokyo, JP
This event requires an entrance fee
Apr 15
Getting traffic into Kubernetes clusters on-premise at scale
Online & in-person meetup organized by Cloud Native Prague.
Location: Prague, CZ and virtual
This is a free event.
Apr 15
In-person conference organized by SREday.
Location: San Francisco, CA, USA
This event requires an entrance fee
Apr 23
Online workshop organized by LearnKube.
This is a virtual event
This event requires an entrance fee
May 15
Kubernetes Community Days Istanbul 2026
In-person conference organized by KCD Istanbul.
Location: İstanbul, TR
This event requires an entrance fee
Kubernetes Community Days Lima 2026
Location: Lima, PE
In-person conference organized by KCD Lima, Perú.
The conference starts on the 18 July 2026.
Location: Shanghai, CN
In-person conference organized by CNCF.
The conference starts on the 9 September 2026.
Location: Bergen, NO
In-person conference organized by CND Norway.
The conference starts on the 27 October 2026.
Location: Munich, DE
In-person conference organized by SREday.
The conference starts on the 15 May 2026.
Location: Austin, TX, USA
In-person conference organized by SREday.
The conference starts on the 6 May 2026.
Location: Feira de Santana, BR
In-person conference organized by Devopsdays.
The conference starts on the 6 June 2026.
Location: New York, NY, USA
In-person conference organized by SREday.
The conference starts on the 2 June 2026.
Location: Curitiba, BR
In-person conference organized by Devopsdays.
The conference starts on the 22 August 2026.
Location: Berlin, DE
In-person conference organized by Devopsdays.
The conference starts on the 29 September 2026.
Until next time!
— Gulcan