Kubesploit

2.8K posts

@kubesploit

News and links on Kubernetes security curated by the @Learnk8s team
Mastodon: @[email protected]

More K8s news, events, jobs →
Joined March 2021
1 Following, 20.9K Followers

Kubesploit (@kubesploit)
This article explains how to secure production debugging in Kubernetes with least-privilege RBAC, controlled exec access, ephemeral containers, and short-lived just-in-time credentials for on-call teams ➤ ku.bz/k0qGtqj-d
Kubesploit (@kubesploit)
This article explains why vanilla Kubernetes has no real login event and shows a practical session-tracking workaround using credential-id fingerprints from audit logs, with a side-by-side comparison against OpenShift OAuth behavior ➜ ku.bz/DxYlmDBjQ
Kubesploit retweeted
KubeFM (@K8sFM)
Agent Sandbox gives Kubernetes a safer way to run AI-enabled applications
Mauricio Salatino on isolation, AI-enabled applications, and the platform changes that come with them
📺: ku.bz/QXKc1tBFY
Kubesploit (@kubesploit)
k8s-mechanic watches for pod crashes, degraded Deployments, and NotReady nodes, spawns a read-only in-cluster agent that investigates the failure and opens a PR on your GitOps repo with secret redaction, prompt injection detection, and a pentest report ➤ ku.bz/Xg8shhsZb
Kubesploit (@kubesploit)
Harbor is a CNCF-graduated open source container registry that stores, signs, and scans images, with built-in RBAC, LDAP/OIDC support, vulnerability scanning, policy-based replication, and a full REST API ➜ ku.bz/GjjZhkvSD
Kubesploit retweeted
Kube Architect (@K8sArchitect)
This article explains how ListenerSet in Gateway API v1.5 separates listeners from Gateways so teams can restore self-service TLS management across namespaces and scale beyond the old listener limit ➤ ku.bz/s-5QsVS_T
Kubesploit retweeted
Daniele Polencic — @danielepolencic@hachyderm.io
✅ Being ready for production means knowing the right settings and being willing to adjust them. Sometimes a readiness probe returns 200 too soon. CPU requests might have too much buffer. Maybe someone copied HPA thresholds from another service, or no one has tested `terminationGracePeriodSeconds` yet. Everyone notices the risk, but making changes can also cause outages. That is where app and platform ownership gets awkward: Developers understand the code path, but it's Platform teams who see rollout safety, node pressure, and cluster-wide trade-offs.
Kubesploit (@kubesploit)
This tutorial teaches how to build a cert-manager external issuer that uses a YubiHSM 2 to sign TLS certificates via Go's crypto.Signer interface ➤ ku.bz/b9GlYRS88
Kubesploit (@kubesploit)
Kubeconform is a Kubernetes manifests validation tool. Similar to Kubeval, but with the following improvements:
➀ High performance
➁ Remote or local schema locations
➂ Up-to-date schemas for all recent versions of Kubernetes
➜ ku.bz/l0kD6R0TS
Kubesploit retweeted
LearnKube (@learnk8s)
This week on the Learn Kubernetes Weekly:
🔥 Hunting a 4GB Native Memory Leak
⚠️ Five Ingress-NGINX Behaviors
🔀 ctx_ DevOps Context Switcher
🚀 Ingress NGINX to Istio
🐘 PostgreSQL on Kubernetes
⭐️ WeAreDevelopers
Read it now: kube.today/issues/184
Kubesploit (@kubesploit)
This tutorial shows how to use Cilium and Hubble to enforce HTTP path-based network policies in Kubernetes with eBPF, so you can allow or block specific endpoints without sidecars ➜ ku.bz/Fl4tzq2J2
Kubesploit retweeted
KubeFM (@K8sFM)
🗣️ John Ford from Scout24 SE explains the hidden cost of slow Kubernetes autoscaling: a 25% capacity buffer kept around because nodes took up to two minutes to provision ku.bz/DdmVC2_7v 🌟 LearnKube 🎙 🎙Bart
Kubesploit (@kubesploit)
This tutorial explains TLS and certificate debugging from root CA basics to Kubernetes secrets, with OpenSSL and curl commands for inspecting certs, validating handshakes, and fixing common production errors ➜ ku.bz/z-30r6w-V
Kubesploit retweeted
KubeFM (@K8sFM)
AI should assist the operators, not replace them
YongKang He on AI as a co-pilot for SRE
📺: ku.bz/8Q7Vy60P7
Kubesploit retweeted
Kube Builders (@KubeBuilders)
Node Healthcheck Operator automatically detects unhealthy nodes and triggers pluggable remediators like BMC, ClusterAPI, or software reboots to recover workloads without manual intervention ➜ ku.bz/8Y52rJ74q
Kubesploit retweeted
LearnKube (@learnk8s)
New on LearnKube: Kubelet Metrics. Learn how kubelet collects Kubernetes metrics from cgroups, cAdvisor, containerd, and CRI, and when pod/container stats move to the runtime. Read the full guide: learnkube.com/kubernetes-met…
Kubesploit (@kubesploit)
X.509 Certificate Exporter is a Go-based Prometheus exporter that monitors certificate expiration inside Kubernetes clusters or as a standalone service, helping teams alert before TLS certificates expire ➤ ku.bz/BPXM_D-v2
Kubesploit (@kubesploit)
Cilium Policy Generator watches dropped flows in real time, and auto-generates CiliumNetworkPolicy YAML files to allow them — so you stop writing policies by hand in default-deny Cilium clusters ➤ ku.bz/hZYF4XgL_
Kubesploit (@kubesploit)
This tutorial shows how to secure an ArgoCD-based EKS GitOps workflow with External Secrets Operator, IRSA, and AWS SSM Parameter Store so secrets stay out of Git and sync safely into Kubernetes ➜ ku.bz/1qJT8SG1s
Kubesploit (@kubesploit)
This tutorial explains how to prevent, detect, and clean up leaked secrets in Git repositories using .env files, Kubernetes Secrets, Gitleaks, GitGuardian, and git-filter-repo ➜ ku.bz/PZjTtq9v8