ℹ️ News, Updates & Announcements

docker.com
64% of users find AI tools actually lighten the workload, yet 59% roll their eyes at the hype—function outshines flash. But behind the curtain, data prep still plays villain, tripping up 24% of AI builders.

cloudnativenow.com
Cloud Native Computing Foundation’s mid-year report drops. Kubernetes commands 3,500+ authors. OpenTelemetry rockets to 1,884 contributors, snagging second in PR velocity. Backstage climbs to 649. Argo (860) and Flux (156) lock GitOps in place. Kubeflow breaks into the top 30 with 302.
Trend to watch: Internal developer platforms like Backstage push teams into platform engineering as a core practice.

policyascode.dev
ContainerHijack hijacks Docker Image Manifest V2 Schema 2. It taints images in Docker Hub, Amazon ECR, GCR. Scanners shrug. Signature checks buckle.
Defenders deploy policy-as-code admission controllers. They lock down Terraform ECR push policies. Falco rules flag strange layers, ghost pushes, rogue processes.
Infra shift: Teams embrace pre-push policy-as-code admission controllers. They snuff out manifest poisoning at the source.

gbhackers.com
A critical CVE-2025-7342 haunts Kubernetes Image Builder v0.1.44 and earlier. It ships Nutanix/OVA images with default Windows Administrator creds intact. That slip-up invites root access on Windows nodes. Linux builds and other providers dodge this bullet. Mixed clusters run hot until images rebuild or passwords rotate. Jump to v0.1.45+. It demands `WINDOWS_ADMIN_PASSWORD` or `admin_password` in your JSON. Default-credential attack, kaput.
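A pre-build gate for that fix, added here as an example and not code from Kubernetes Image Builder: it loads the builder's JSON variables file and refuses to proceed unless one of the two keys the item names carries a real value. Only the key names come from the item; the placeholder list and minimum length are my own assumptions.

```python
import json
import sys

# Key names taken from the advisory summary; either one must be present.
PASSWORD_KEYS = ("WINDOWS_ADMIN_PASSWORD", "admin_password")
# Constructed list of values that would leave the image effectively unprotected (assumption).
PLACEHOLDER_VALUES = {"", "changeme", "password", "Password1", "<ADMIN_PASSWORD>"}
MIN_LENGTH = 14  # assumed local policy, not a value from the advisory


def find_admin_password(config: dict):
    """Return (key, value) for the first recognised password key, or (None, None)."""
    for key in PASSWORD_KEYS:
        if key in config:
            return key, config[key]
    return None, None


def check_windows_image_config(config: dict) -> list:
    """Return a list of findings; an empty list means the build may proceed."""
    findings = []
    key, value = find_admin_password(config)
    if key is None:
        findings.append("no WINDOWS_ADMIN_PASSWORD or admin_password set: "
                        "image would keep the default Administrator credential")
        return findings
    if not isinstance(value, str):
        findings.append(f"{key} must be a string")
        return findings
    if value.strip() in PLACEHOLDER_VALUES:
        findings.append(f"{key} is an empty or placeholder value")
    if len(value) < MIN_LENGTH:
        findings.append(f"{key} is shorter than {MIN_LENGTH} characters")
    return findings


def check_file(path: str) -> list:
    """Load a JSON variables file and run the checks against it."""
    with open(path) as f:
        return check_windows_image_config(json.load(f))


if __name__ == "__main__":
    problems = check_file(sys.argv[1])
    for p in problems:
        print("FAIL:", p)
    sys.exit(1 if problems else 0)
```

Run it as a CI step before invoking the image build so a Windows OVA never leaves the pipeline with the default credential in place.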

aws.amazon.com
Amazon EKS now powers IPv6 dual-stack VPC clusters. It doles out /80 prefixes via the VPC CNI flags ENABLE_V6_EGRESS and ENABLE_V4_EGRESS. AWS ships an Istio multi-cluster playbook—single-VPC to multi-VPC. It rigs remote reader secrets and east-west gateways, fusing IPv4 and IPv6 for service discovery and routing.

prnewswire.com
ESG spots Tintri VMstore’s CSI driver packing Auto-QoS, real-time I/O analytics and predictive tuning for sub-ms container and VM workloads. That driver fires up instant clone and snapshot test environments. It enforces policy-driven RPO/RTO protection. It unifies VM, container and database control.
Infra shift: Unified VM, container and database control signals a move to converged storage operations in hybrid environments.

cloud.google.com
Meet the GKE Inference Gateway—a swaggering rebel changing the way you deploy LLMs. It waves goodbye to basic load balancers, opting instead for AI-savvy routing. What does it do best? Turbocharge your throughput with nimble KV Cache management. Throw in some NVIDIA L4 GPUs and Google's model artistry, and scaling those gnarly generative AI workloads becomes a breeze. No bottleneck sweating necessary.

🔗 Stories, Tutorials & Articles

signoz.io
OpenTelemetry delivers a full observability package for Kubernetes—traces, metrics, logs—all without handcuffs to a single vendor. Deploy your own OTEL Collectors on Minikube using Helm charts. Dive into node and pod-level metrics and grab those can't-miss Kubernetes cluster events.

control-plane.io
ControlPlane Enterprise for Flux CD drops the d1 reference architecture and Design 1 Reference Architecture Guide. It packs production-grade playbooks for sprawling multi-tenant, multi-cluster setups. The repo flexes real code: GitHub fine-grained Personal Access Tokens, Kubernetes RBAC, and auto-promotion of Helm OCI artifacts via pull requests.
Infra shift: This blueprint cements multi-tenant GitOps patterns in code. It carves out security zones and syncs workloads across clusters.

blog.skypilot.co
Neoclouds like CoreWeave and Lambda Labs burst onto the scene, doling out affordable GPU power and killer networking. They're tackling old-school cloud's weaknesses with style.
Signal: The rise of AI Neoclouds marks a pivot in tech's landscape. They're carving out a niche with solutions crafted for AI's hefty demands, giving the usual hyperscalers a run for their money.

openaccessgovernment.org
KubeVirt spins up VMs inside Kubernetes clusters. It hooks into Portworx for stateful volumes. It taps OpenShift or Rancher to match VMware’s arsenal. Declarative YAML meets GitOps pipelines, unified schedulers and RBAC. Teams juggle VMs and containers on one toolchain. License bills shrink.
Infra shift: Legacy hypervisors hit the road. Kubernetes-native virtualization fuses VMs and containers and slashes fees.

medium.com
Migrating Pinterest's search infrastructure to Kubernetes—toasty, right? But it tripped over a rare hiccup: sluggish 5-second latencies. The culprit? cAdvisor, overzealously spying on memory like a helicopter parent. Flicking off WSS? Problem evaporated.

aws.amazon.com
EKS Hybrid Nodes corrals on-prem and edge servers as remote Kubernetes nodes over Direct Connect or VPN. It rides on Cilium or Calico, with BGP or static routes. For local load balancing, it spins up MetalLB at Layer 2/3. For NLB/ALB sync, it taps the AWS Load Balancer Controller. Workflows stay unified.

thenewstack.io
Fluent Operator taps CRDs to tame Fluent Bit in Kubernetes. It channels inputs, filters, parsers, outputs into auto-generated configs. Then spins up the DaemonSet. The Fluent Bit Watcher wrapper hot-swaps configs on CRD tweaks. No pods restart.

medium.com
Kong offers three different Helm charts for Kubernetes ingress, leveraging the new Gateway API. Kong Gateway Operator simplifies deployment and management by using CRDs instead of custom Helm charts. Using GatewayClass and Gateway resources is essential for the operator to spin up data planes and control planes seamlessly.

thenewstack.io
Benchmarks crack open the myth: VM-based Kubernetes rivals bare metal. It delivers 99% of bare-metal throughput. It matches latency in netperf and MLPerf. Major clouds spin containers on VMs. They enforce hard resource caps, isolation, and central policy management. Bare metal shrinks to ultra-low-latency niches.
Infra shift: VM-backed clusters seize the lead as performance gaps vanish. Bare metal sticks to latency-critical gigs.

aws.amazon.com
Amazon ECS tasks fire logs through a FireLens sidecar. Fluent Bit ships them into a shared Amazon OpenSearch Serverless domain. Cross-account IAM roles lock down access. The pipeline centralizes logs, unlocks full-text search, SQL and PPL queries, and slashes storage costs with on-demand indexing.
Trend to watch: Serverless OpenSearch is elbowing CloudWatch aside. Expect richer log forensics and tighter cost control across container fleets.

⚙️ Tools, Apps & Software

github.com
A lightweight, modular SDK for interacting with Docker configuration and context data in Go.

github.com
Patch-based, environment-aware Kubernetes deployments using plain YAML and zero templating

github.com
A CLI tool to automate git worktree and Docker Compose development workflows.

github.com
Rotate Secrets with external-secrets-operator demo

github.com
The Ultimate Claude Code Docker Development Environment - Run Claude AI's coding assistant in a fully containerized, reproducible environment with pre-configured development profiles.