Learn Kubernetes weekly

Curated articles, tutorials, projects and events with a focus on Kubernetes delivered directly to your box every Wednesday.

77K subscribers — 177 issues

No spam, unsubscribe any time. Our privacy and GDPR policies.

Learn Kubernetes Weekly issue 177 · 1 Apr 2026

Running Java at Scale, Push to Production with Argo CD, Eliminating Image Pull Delays, Nomad on OpenShift, Linkerd Destination Service

This newsletter is brought to you by Spectro Cloud, helping you scale K8s infrastructure for AI workloads — from cloud to edge.

Articles

What Happens When You Run Java at Scale on Kubernetes
medium.com
This article explains the challenges of running Java at scale on Kubernetes, covering JVM memory management with container limits, heap sizing with MaxRAMPercentage, CPU throttling, and garbage collector selection for containers.
Why the software you trust might be the biggest threat to your infrastructure
www.defence-solutions.airbus.com
This article explains how software supply chain attacks like SolarWinds and xz Utils happen, and walks through a practical three-pillar defense using SLSA provenance, Cosign signing, and Kubernetes admission control to stop them.
Learn where your pipeline is exposed and what to do about it.
sponsored
From Push to Production: Our Deployment Pipeline with Argo CD
medium.com
This article describes OpenMirai's deployment pipeline using GitHub Actions for CI, Argo CD for GitOps, and a separate deployment repository, with staging-first testing and scheduled production releases during off-peak hours.
From Minutes to Seconds: How I Eliminated Kubernetes Image Pull Delays
medium.com
This article describes building an Image Preload Operator that reduces Kubernetes pod startup times from minutes to seconds by intelligently preloading container images using a single DaemonSet with CRI-agnostic image pulling.
Nomad on OpenShift: The case for the control plane
hashicorpengineering.substack.com
This article shows how running Nomad server control plane on OpenShift using StatefulSets manages distributed edge fleets where Kubernetes can't reach, while OpenShift handles server lifecycle, security, and observability automatically.
Deep Dive: The Linkerd Destination Service
medium.com
This article explains how Linkerd's destination service works as the central routing and policy authority, using event-driven architecture with Kubernetes Informers to provide service discovery, policy distribution, and Layer 7 configuration to proxies.

Articles worth checking out:

The State of Edge AI: New Research

Get fresh insights into adoption and best practices to guide your edge AI projects with our unique research.

→ Download it now

Tutorials

Kairos: the CNCF project for secure edge, powering AI workloads
www.youtube.com
Kairos.io is the field-proven way to build and manage lightweight, secure, immutable OS and K8s stacks for your edge devices and data centers.
Watch this talk to see why Dutch agritech startup Aurea chose Kairos on NVIDIA devices to power AI vision in orchards.
sponsored
Kueue for AI: The Power of Atomic Admission & Topology Awareness
medium.com
This tutorial shows how to use Kueue's waitForPodsReady and Topology API to implement gang scheduling and topology-aware placement in Kubernetes, preventing partial pod admissions and optimizing workload placement across nodes.
Uniform API server access using clientcmd
kubernetes.io
This tutorial teaches how to use the clientcmd library from client-go to build command line tools that access Kubernetes API servers with kubectl-style configuration handling, including kubeconfig files, context selection, and authentication flags.
CloudNativePG - install and first test: transient failure
dev.to
This tutorial shows how to install CloudNativePG 1.28 operator and deploy a three-node PostgreSQL cluster with synchronous replication and quorum-based failover, then tests transient failure recovery by pausing the primary container.
Deploy LLM Models on OpenShift
medium.com
This tutorial shows how to deploy LLM models on OpenShift without operators by using llama.cpp with a quantized GGUF model, building a multi-stage container image, and exposing it via standard Kubernetes resources.

That Time I Found a Service Account Token in my Log Files

You're integrating HashiCorp Vault into your Kubernetes cluster and adding a temporary debug log line to check whether the ServiceAccount token is being passed correctly. Three months later, that log line is still in production — and the token it prints has a 1-year expiry with no audience restrictions.

Vincent von Büren, a platform engineer at ipt in Switzerland, lived through exactly this incident. In this episode, he breaks down why default Kubernetes ServiceAccount tokens are a quiet security risk hiding in plain sight.

You will learn:

What's actually inside a Kubernetes ServiceAccount JWT (issuer, subject, audience, and expiry)
Why tokens with no audience scoping enable replay attacks across internal and external systems
How Vault's Kubernetes auth method and JWT auth method compare, and when to choose each
What projected tokens are, why they dramatically reduce blast radius, and what's holding teams back from using them
Practical steps for auditing which pods actually need API access and disabling auto-mounting everywhere else

That Time I Found a Service Account Token in my Log Files

Kubernetes jobs

- Software Engineer with Wildlife Studios
- Salary: $23.76K to $184.8K a year
- Location: based in the office in São Paulo, BR
- Tech stack: Kubernetes, Kubernetes, AWS, alerting, monitoring, incident response, observability, production systems, System Design, Architectural decisions
- Software Engineer with Wildlife Studios
- Salary: $23.76K to $184.8K a year
- Location: based in the office in São Paulo, BR
- Tech stack: Kubernetes, Kubernetes, AWS, alerting, monitoring, logging, Unity, Node.js, C++, C#
- Software Engineer with Wildlife Studios
- Salary: $16.2K to $286K a year
- Location: based in the office in São Paulo, BR
- Tech stack: Kubernetes, Kubernetes, AWS, alerting, monitoring, logging, tracing, Unity, C#, Go
- Software Engineer with MongoDB
- Salary: $47.97K to $278.3K a year
- Location: remote from
- Tech stack: Kubernetes, Kubernetes, AWS, Azure, GCP, alerting, monitoring, logging, tracing, Google Cloud
- Software Engineer with MongoDB
- Salary: US$47.97K to US$278.3K a year
- Location: based in the office in Dublin, IE
- Tech stack: Kubernetes, Kubernetes, Google Cloud, Microsoft Azure, AWS, alerting, monitoring, logging, tracing, MongoDB

Discover more Kubernetes jobs on Kube Careers →

Code & tools

KubeAttention
github.com/softcane
KubeAttention is a machine learning-powered Kubernetes scheduler plugin that uses eBPF telemetry to detect noisy neighbor interference and place latency-sensitive workloads on optimal nodes.
OpenEBS
github.com/openebs
OpenEBS is a modern Block-Mode storage platform, a Hyper-Converged Software Storage System, and a virtual NVMe-oF SAN (vSAN) Fabric that is natively integrated into Kubernetes' core.
Benchmark Suite for Gateway API Implementations
github.com/howardjohn
This tool provides a comprehensive test suite to evaluate real-world behavior (latency, scale, route propagation, traffic) of Kubernetes Gateway API implementations, beyond basic conformance.
OpenKruise Agents: AI agent sandbox
github.com/openkruise
OpenKruise Agents manage AI agent workloads in Kubernetes, providing rapid resource provisioning via pooling, sandbox hibernation with checkpoint support, and user session management with efficient traffic routing.
Gonzo: TUI log analysis
github.com/control-theory
Gonzo lets you use a terminal UI to stream and analyse logs in real time, with support for OpenTelemetry (OTLP), AI-powered insights, heatmaps and advanced filtering.

Other interesting projects:

Upcoming Kubernetes events

Apr
2
GitOps in Practice: Automating Releases with Argo CD
In-person meetup organized by Cloud Native Cluj-Napoca.
- Location: Cluj-Napoca, RO
- This is a free event.
Apr
4
Beyond EKS/AKS/GKE: Building a Multi-Cloud Kubernetes Cluster with Kubeadm
In-person meetup organized by Resiliency & Platform Engineering Bengaluru.
- Location: Bengaluru, IN
- This is a free event.
Apr
4
Building an Internal Developer Platform from Scratch
Online workshop organized by Packt Publishing Limited.
- This is a virtual event
- This event requires an entrance fee
Apr
7
How to Survive and Thrive in a Multicluster World
In-person meetup organized by Cloud Native Kuala Lumpur.
- Location: Kuala Lumpur, MY
- This is a free event.
Apr
7
Observable by Design: Building Cloud-Native Applications with OpenTelemetry
In-person meetup organized by Cloud Native Stockholm.
- Location: Luxembourg, LU
- This is a free event.
Apr
23
Advanced Kubernetes course
Online workshop organized by LearnKube.
- This is a virtual event
- This event requires an entrance fee

Discover more Kubernetes events on Kube Events →

Thanks to our sponsors who make Kube Today possible

Find out more about being a sponsor →

Kubernetes call for papers

47
days
Kubernetes Community Days Lima 2026
The Call For Paper is open until 19 May 2026 at UTC. More info →
Location: Lima, PE
In-person conference organized by KCD Lima, Perú.
The conference starts on the 18 July 2026.
Apply here
32
days
KubeCon China 2026
The Call For Paper is open until 3 May 2026 at UTC. More info →
Location: Shanghai, CN
In-person conference organized by CNCF.
The conference starts on the 9 September 2026.
Apply here
19
days
SREday Munich 2026
The Call For Paper is open until 21 April 2026 at UTC. More info →
Location: Munich, DE
In-person conference organized by SREday.
The conference starts on the 15 May 2026.
Apply here
10
days
SREday Austin 2026
The Call For Paper is open until 12 April 2026 at UTC. More info →
Location: Austin, TX, USA
In-person conference organized by SREday.
The conference starts on the 6 May 2026.
Apply here
63
days
Devopsdays Feira de Santana
The Call For Paper is open until 4 June 2026 at UTC. More info →
Location: Feira de Santana, BR
In-person conference organized by Devopsdays.
The conference starts on the 6 June 2026.
Apply here
29
days
SREday NYC 2026
The Call For Paper is open until 1 May 2026 at UTC. More info →
Location: New York, NY, USA
In-person conference organized by SREday.
The conference starts on the 2 June 2026.
Apply here
63
days
Devopsdays Curitiba
The Call For Paper is open until 4 June 2026 at UTC. More info →
Location: Curitiba, BR
In-person conference organized by Devopsdays.
The conference starts on the 22 August 2026.
Apply here
32
days
Devopsdays Berlin
The Call For Paper is open until 3 May 2026 at UTC. More info →
Location: Berlin, DE
In-person conference organized by Devopsdays.
The conference starts on the 29 September 2026.
Apply here
6
days
SREday Barcelona 2026
The Call For Paper is open until 8 April 2026 at UTC. More info →
Location: Barcelona, ES
In-person conference organized by SREday.
The conference starts on the 20 April 2026.
Apply here

Until next time!

— Gulcan