FAUN.dev's Kubernetes Weekly Newsletter
 
Kaptain
 
#Kubernetes #Docker #DistributedSystems
 
 
🔍 Inside this Issue
 
 
Attackers map your cluster better than your docs do; this set balances the ledger: hardening Kubernetes, shrinking base images, automating bare metal, and making dev environments reproducible without the yak shave. Skim the wins, stay for the gotchas and trade-offs.

🔐 A Brief Deep-Dive into Attacking and Defending Kubernetes

🐧 Canonical Introduces Minimal Ubuntu Pro: Smaller Images and Secure Cloud Workloads at Scale

🧩 From Bare Metal to Containers: A Developer's Guide to Execution Environments

🧑‍💻 Run Your Project in a Dev Container, in Zed

🛠️ The best tools for bare metal automation that people actually use

🛡️ v1.35: Restricting executables invoked by kubeconfigs via exec plugin allowList added to kuberc

Fewer footguns, faster boots, ship like you mean it.
See you in the next issue!
FAUN.dev() Team
 
 
⭐ Patrons
 
faun.dev
 
End-to-End Kubernetes with Rancher, RKE2, K3s, Fleet, Longhorn, and NeuVector | The full journey from nothing to production
 
 
Rancher and SUSE offer a powerful suite of tools to simplify Kubernetes management and help you fully realize the potential of containerized applications. However, not all users are aware of the full range of features and capabilities provided by this dynamic ecosystem. Online documentation can be overwhelming, sometimes outdated, and often lacks real-world and practical implementation examples. Filling this gap is the primary goal of this guide.

This guide provides clear, practical steps to deploy, secure, and scale Kubernetes environments, from lightweight edge clusters with K3s to robust workloads with RKE2. You’ll explore tools like Rancher Manager, Fleet for GitOps, NeuVector for security, and Longhorn for distributed storage and gain the skills needed to address real-world challenges.

Designed to resonate with Kubernetes users of all levels, this guide will help you leverage this ecosystem confidently.
 
 
👉 Spread the word and help developers find you by promoting your projects on FAUN. Get in touch for more information.
 
ℹ️ News, Updates & Announcements
 
faun.dev
 
Canonical Introduces Minimal Ubuntu Pro: Smaller Images and Secure Cloud Workloads at Scale
 
 
Canonical dropped Minimal Ubuntu Pro onto AWS, Azure, and Google Cloud. Half the size. Boots 40% faster. Baked in with Ubuntu Pro-level hardening.

You still get long-term CVE patching, FIPS 140-3 crypto, and compliance checks for FedRAMP, NIST, HIPAA - just in a stripped-down shell.
 
 
👉 Enjoyed this? Read more news on FAUN.dev/news
 
Stories From The Chief I/O
 
thechief.io
 
The best tools for bare metal automation that people actually use
 
 
Bare metal ops aren’t what they used to be. The game’s gone full stack: API-driven provisioning, declarative workflows, and config convergence now run the show.

Tools like MAAS, Foreman, Ironic, and Tinkerbell treat physical servers as programmable units. Real hardware, real APIs. Meanwhile, Kubernetes-native models bring physical gear into the cluster fold using Custom Resources (see: Bare Metal Operator). It’s a weirdly elegant mashup - metal meets manifest.
 
 
 
⭐ Sponsors
 
bytevibe.co
 
Built for Builders. Made to Last.
 
 
From long coding sessions to cold mornings, our hoodies are designed for comfort, durability, and focus. Clean designs, heavy blends, and a mindset that doesn’t quit.

🎯 10% off all hoodies with code FAUNDEV10 (apply at checkout)
⏰ Offer ends Sunday, Jan 11 at midnight

👉 Check this out!
 
 
👉 Spread the word and help developers find you by promoting your projects on FAUN. Get in touch for more information.
 
🔗 Stories, Tutorials & Articles
 
zed.dev
 
Run Your Project in a Dev Container, in Zed
 
 
Zed v0.218 adds Dev Container support with Docker. Projects can now spin up in clean, spec-compliant environments built from .devcontainer.json.

It hooks into the Development Containers CLI, with a Zed remote server running backend ops and piping through standard IO. Fast and clean.

The bigger picture? Local dev just got way more reproducible. Spec-first workflows are pulling container-based setups straight into the editor.
 
 
buildsoftwaresystems.com
 
From Bare Metal to Containers: A Developer's Guide to Execution Environments
 
 
A sharp look at how execution environments evolved - from bare metal to VMs, containers, sandboxes, and language-level runtimes. The focus: isolation. Hardware, kernel, processes, runtimes - each adds a boundary. Modern stacks mix and match layers to dial in the right amount.

VMs, containers, venvs. All in one stack. Docker, Kubernetes, Wasm keep reshaping where those lines get drawn.
 
 
heilancoos.github.io
 
A Brief Deep-Dive into Attacking and Defending Kubernetes
 
 
A sharp teardown of Kubernetes’ attack surface maps out where things go sideways: pods, the control plane, RBAC, admission controllers, and etcd. Misconfigurations like anonymous API access, wildcard roles, and hostPath mounts aren't just sloppy, they're attack vectors.

Fixes? Think Falco, RBAC lockdowns, API hardening, and mutating admission controls. Defense-in-depth with actual depth.
 
 
kubernetes.io
 
v1.35: Restricting executables invoked by kubeconfigs via exec plugin allowList added to kuberc
 
 
Kubernetes v1.35 lands with a credential plugin allowlist, now in beta and enabled without a feature gate. It lets you lock down which exec plugins your kubeconfigs are permitted to run. Tighter leash, lower risk, especially when a kubeconfig comes from somewhere you don't fully trust.
 
 

👉 Got something to share? Create your FAUN Page and start publishing your blog posts, tools, and updates. Grow your audience, and get discovered by the developer community.

 
⚙️ Tools, Apps & Software
 
github.com
 
heilancoos/k8s-custom-detections
 
 
This repository contains a curated collection of Falco detection rules, audit policies, sample attack manifests, and configuration files designed to detect real-world Kubernetes attack techniques.
 
 
github.com
 
andrewmoshu/diagram-mcp-server
 
 
An MCP server that seamlessly creates infrastructure diagrams for AWS, Azure, GCP, Kubernetes and more
 
 
github.com
 
besoeasy/yantra
 
 
YANTRA is a cross-platform Docker App Store that makes server-grade self-hosting easy and flexible. It gives you ready-to-run apps — from Bitcoin nodes to file converters and privacy tools — all in lightweight Docker containers.
 
 
github.com
 
djvirus9/awesome-devsecops-mastery-2026
 
 
A curated, actionable checklist for securing CI/CD pipelines and Kubernetes clusters in 2026.
 
 
github.com
 
dynatrace-oss/dtctl
 
 
kubectl-inspired CLI for managing Dynatrace platform resources from your terminal
 
 

👉 Spread the word and help developers find and follow your Open Source project by promoting it on FAUN. Get in touch for more information.

 
🤔 Did you know?
 
 
Did you know that Kubernetes deletes most dependent resources asynchronously, based on ownerReferences, rather than at the moment you delete the parent object? The garbage collector runs in the background, so Pods and other dependents can linger longer than expected, especially under load. If ownerReferences are missing or point at the wrong owner, those resources may never be cleaned up at all.
 
 
🤖 Once, SenseiOne Said
 
 
"Kubernetes trades ssh for reconciliation loops; you swap hotfixes for debugging controllers and backoffs. Containers make builds reproducible; the distributed system makes behavior schedule-dependent. Portability exists, but mostly between Kubernetes-shaped platforms."
— SenseiOne
 

(*) SenseiOne is FAUN.dev’s work-in-progress AI agent

 
⚡Growth Notes
 
 
For any Kubernetes change larger than a trivial PR, write a design note of at most 10 lines before coding that explicitly names the blast radius, the rollback path, the default behavior, and the exact metric that will tell you whether it made things better or worse. Then, two weeks after the change lands, spend 15 minutes re-reading the note and checking those metrics plus kube events. You will start to see which of your "safe" ideas consistently create invisible toil in clusters (extra restarts, noisy autoscaling, controller retries) and can adjust how you design Helm charts, CRDs, and operators accordingly.
 
Each week, we share a practical move to grow faster and work smarter
 
👤 This Week's Human
 
 
This Week’s Human is Rehan Julaha, a Product Architect at KITABOO who treats design as infrastructure. He built the Angular-based frameworks behind their learning platforms (cutting load times by 30%), led WCAG 2.1–compliant releases used by millions, stood up a modular UI design system that trimmed design-to-dev time by 40%, and is now exploring Generative AI to accelerate inclusive design across Web Architecture and Accessibility.
 
💡 Engage with FAUN.dev on LinkedIn — like, comment on, or share any of our posts on LinkedIn — you might be our next “This Week’s Human”!
 
😂 Meme of the week
 
 
 
 
❤️ Thanks for reading
 
 
👋 Keep in touch and follow us on social media:
- 💼LinkedIn
- 📝Medium
- 🐦Twitter
- 👥Facebook
- 📰Reddit
- 📸Instagram

👌 Was this newsletter helpful?
We'd really appreciate it if you could forward it to your friends!

🙏 Never miss an issue!
To receive our future emails in your inbox, don't forget to add community@faun.dev to your contacts.

🤩 Want to sponsor our newsletter?
Reach out to us at sponsors@faun.dev and we'll get back to you as soon as possible.
 

Kaptain #512: A Brief Deep-Dive into Attacking and Defending Kubernetes
Legend: ✅ = Editor's Choice / ♻️ = Old but Gold / ⭐ = Promoted / 🔰 = Beginner Friendly
