FAUN.dev's Kubernetes Weekly Newsletter
 
 
KubernetesLinks
 
This Week in Kubernetes, with Kaptain the Shark
 
 
🔍 Inside this Issue
 
 
This one swings between massive scale and tiny signals: Airbnb is calmly swallowing 50M metrics samples per second while some teams ignore 437 restarts until the night goes sideways. Add Kubernetes user namespaces going GA, microVM sandboxes as the new security baseline, and an AI-shaped flood of vuln reports, and you have plenty to steal for your own stack.

📈 Building a fault-tolerant metrics storage system at Airbnb
🧠 From public static void main to Golden Kubestronaut: The Art of unlearning
🛡️ The AI-driven shift in vulnerability discovery
🦝 Ubuntu 26.04 LTS Released: Meet Resolute Raccoon
🧩 Kubernetes v1.36: User Namespaces are finally GA
🧱 Why MicroVMs: The Architecture Behind Sandboxes

Ship smarter, page less.

Happy coding!
FAUN.dev() Team
 
 
⭐ Patrons
 
iacconf.com
 
How is infrastructure keeping pace with AI in 2026?
 
 
Managing IaC or leading platform engineering? IaCConf is the “can’t miss” event featuring 20 top IaC leaders across 13 sessions. Join 5,000+ practitioners to share what’s actually working and swap hard-won lessons.

 
 
eventbrite.co.uk
 
Are Your APIs Ready for AI Agents? A Hands-on Workshop on May 23rd
 
 

AI agents are beginning to autonomously call APIs, chain services, and create integrations that most platforms were never designed to handle. This hands-on masterclass on Designing AI-ready APIs helps architects and developers build governed, predictable API ecosystems using OpenAPI, Overlay, and Arazzo.

Learn how to add guardrails, improve discoverability, and safely evolve existing APIs for automated consumption.

FAUN.dev readers get an exclusive 40% discount using code FAUN40.
 
 
👉 Spread the word and help developers find you by promoting your projects on FAUN. Get in touch for more information.
 
🐾 From FAUNers
 
faun.dev
 
Ubuntu 26.04 LTS Released: Meet Resolute Raccoon
 
 
Ubuntu 26.04 LTS - Resolute Raccoon ships GNOME 50. GNOME-on-X11 is gone; the session runs only on Wayland. Mutter patches shave NVIDIA blocked frame time down to microseconds.

The release requires systemd 259 and cgroup v2. It swaps initramfs to Dracut. Desktop minimums rise. Binaries default to memory-safe Rust.

Ubuntu adds native CUDA and ROCm to main repos. Livepatch lands on Arm64. The installer gains TPM-backed full-disk encryption. App Center becomes the central app manager.

System shift: Requiring Wayland, cgroup v2, Dracut, and repo-distributed CUDA/ROCm pushes Ubuntu defaults toward modern GPU, container, and init stacks. Consider it the distro telling legacy tech to take a hike.
 
 

👉 Got something to share? Create your FAUN Page and start publishing your blog posts, tools, and updates. Grow your audience, and get discovered by the developer community.

 
🔗 Stories, Tutorials & Articles
 
medium.com
 
Building a fault-tolerant metrics storage system at Airbnb
 
 
Airbnb built a metrics system that ingests 50M samples/s, stores 2.5PB of logical time series, and hosts 1.3B active series.

They use tenant-per-service grouping and shuffle sharding. They enforce per-tenant guardrails and a consolidated control plane. They shard queries and compaction. They run zone-aware replicas and multi-cluster rollouts.
 
 
kubernetes.io
 
Kubernetes v1.36: User Namespaces are finally GA
 
 
Kubernetes v1.36 promotes User Namespaces to GA on Linux. It brings rootless workload isolation.

Kubelet leans on kernel ID-mapped mounts. It sidesteps expensive chown by remapping UID/GID at mount time and confines privileged processes. No more mass-chown screams.
 
 
cncf.io
 
The AI-driven shift in vulnerability discovery: What maintainers and bug finders need to know
 
 
AI models let non-experts craft real and fake vulnerabilities at scale. They spit out low-quality noise and the occasional high-value report.

Reports flood OSS maintainers. Triage, patching, release cadences, and downstream upgrade/compliance pipelines buckle under the load.

Guidance recommends publishing threat models, requiring tested PoC and example fixes, adopting AI-assisted triage, and tracking triage metrics.
 
 
cncf.io
 
From public static void main to Golden Kubestronaut: The Art of unlearning
 
 
The author left JVM monolith ops for Kubernetes. They stacked certs: CKA, CKAD, CKS, KCNA, KCSA, CNCF Golden Kubestronaut.

They treat Pods as the atomic deployable. They pick fights: Ingress vs NodePort. They warn about ConfigMap drift.

They spotlight runtime primitives: Horizontal Pod Autoscaler and service mesh for resilience.
 
 
docker.com
 
Why MicroVMs: The Architecture Behind Sandboxes
 
 
Docker Sandboxes puts each agent session in a dedicated microVM. Each microVM runs a private Docker daemon inside the VM boundary. That blocks access to the host.

A new cross‑platform VMM runs on macOS, Windows, and Linux hypervisors. It slashes cold starts and runs full Docker build, run, and compose workflows per sandbox.
 
 


 
⚙️ Tools, Apps & Software
 
github.com
 
eryajf/kite-desktop
 
 
kite-desktop, a desktop-based K8S multi-cluster management tool built on Wails v3
 
 
github.com
 
LukasNiessen/kubernetes-skill
 
 
Kubernetes Skill for Claude Code and Codex. LLMs hallucinate a lot with K8s - KubeShark fixes this. It eliminates hallucinations and grounds your Kubernetes, Helm, etc. in official best practices.
 
 
github.com
 
xataio/xata
 
 
Open source, cloud native, Postgres platform with copy-on-write branching and scale-to-zero
 
 
github.com
 
kubereboot/kured 
 
 
Kubernetes Reboot Daemon
 
 
github.com
 
containers/kubernetes-mcp-server
 
 
Model Context Protocol (MCP) server for Kubernetes and OpenShift
 
 

👉 Spread the word and help developers find and follow your Open Source project by promoting it on FAUN. Get in touch for more information.

 
🤖 Once, SenseiOne Said
 
 
"Kubernetes makes every failure recoverable, which is how you end up normalizing failure as the steady state. In a distributed system, the real outage is the gap between what the control plane believes and what the containers are actually doing."
— SenseiOne
 

(*) SenseiOne is FAUN.dev’s work-in-progress AI agent

 
⚡Growth Notes
 
 
"WARN: Liveness probe failed, restarting container (restart count: 437)" => nobody paged because the pod kept "recovering" and the service stayed green. The team that treats restart counts as background noise instead of a leading indicator is the same team that debugs a cascading OOMKill at 2 am, wondering how it got that bad.
 
Each week, we share a practical move to grow faster and work smarter
 

KubernetesLinks #526: Why MicroVMs: The Architecture Behind Sandboxes
Legend: ✅ = Editor's Choice / ♻️ = Old but Gold / ⭐ = Promoted / 🔰 = Beginner Friendly
