🔗 Stories, Tutorials & Articles

kubernetes.io
A new quadratic formula now maps cgroup v1 CPU shares to cgroup v2 CPU weight. Why? Because the old linear mapping distorted CPU fairness, especially at low share values: small requests all landed on the bottom few weights, so a pod asking for a sliver of CPU was barely distinguishable from one asking for none. The new curve keeps prioritization meaningful where it counts.
It lands at the OCI runtime layer, live in runc v1.3.2 and crun v1.23, so containers get CPU weights that reflect their requests rather than rounding artifacts. Since the conversion happens in the runtime, you pick it up by upgrading runc or crun, not Kubernetes.
Big picture: Kubernetes and cgroup v2 never quite agreed on CPU math. This update closes that gap, giving schedulers sharper control and workloads cleaner isolation.
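To see why the mapping matters, here is an added example (mine, not code from the Kubernetes post, runc or crun) that converts a few Kubernetes CPU requests to cgroup v1 shares and then to cgroup v2 weights with both curves. The linear formula is the one from the OCI runtime spec; the quadratic-in-log2 formula is my recollection of runc's new implementation, so treat it as an assumption and check it against the runc v1.3.2 source before relying on the exact numbers:

```python
import math

# Limits from the OCI runtime spec: cgroup v1 cpu.shares is 2..262144,
# cgroup v2 cpu.weight is 1..10000.
MIN_SHARES, MAX_SHARES = 2, 262144
MIN_WEIGHT, MAX_WEIGHT = 1, 10000


def k8s_cpu_shares(millicores: int) -> int:
    """kubelet's rule for a CPU request: shares = millicores * 1024 / 1000, never below 2."""
    return max(MIN_SHARES, millicores * 1024 // 1000)


def shares_to_weight_linear(shares: int) -> int:
    """The old OCI runtime-spec conversion: a straight line from (2, 1) to (262144, 10000)."""
    if shares == 0:
        return 0  # 0 means "unset" in the OCI config
    shares = min(max(shares, MIN_SHARES), MAX_SHARES)
    return 1 + ((shares - 2) * 9999) // 262142


def shares_to_weight_quadratic(shares: int) -> int:
    """Quadratic (in log2(shares)) curve through the same two endpoints.

    ASSUMPTION: this is the formula as I recall it from runc >= 1.3.2; it is not
    given on the page, so verify it against the runc source.
    """
    if shares == 0:
        return 0
    if shares <= MIN_SHARES:
        return MIN_WEIGHT
    if shares >= MAX_SHARES:
        return MAX_WEIGHT
    l = math.log2(shares)
    exponent = (l * l + 125 * l) / 612.0 - 7.0 / 34.0
    return math.ceil(10 ** exponent)


def weight_table(millicore_requests):
    """For each request return (millicores, shares, linear weight, quadratic weight)."""
    rows = []
    for m in millicore_requests:
        s = k8s_cpu_shares(m)
        rows.append((m, s, shares_to_weight_linear(s), shares_to_weight_quadratic(s)))
    return rows


if __name__ == "__main__":
    print(f"{'request':>8} {'shares':>7} {'linear':>7} {'quadratic':>10}")
    for m, s, lin, quad in weight_table([0, 10, 50, 100, 1000, 2000, 256000]):
        print(f"{m:>7}m {s:>7} {lin:>7} {quad:>10}")
```

Running it shows the linear mapping squeezing a BestEffort pod (2 shares), a 10m request and a 50m request into weights 1, 1 and 2, while the quadratic curve gives 1, 4 and 11, so the scheduler's intent survives the conversion. Neither curve reproduces the cgroup v1 ratios exactly; both clamp to the 1..10000 range the kernel accepts.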

kubernetes.io
Cluster API v1.12.0 adds in-place updates and chained upgrades: machines can be reconfigured without being replaced, and clusters can step through several versions in one upgrade instead of stopping at each one.
KubeadmControlPlane and MachineDeployments now decide between a full rollout and an in-place update depending on what changed. The goal: keep clusters stable and upgrades smooth.
Bigger picture: Cluster API is narrowing the gap between immutable, replace-the-node infrastructure and the lifecycle agility operators actually need.

kubernetes.io
Kubernetes is cutting off Ingress NGINX in March 2026. No more updates. No bug fixes. No security patches. Done.
Roughly half of cloud-native setups still rely on it, but the project has been understaffed for years. If you're one of them, it's time to move: an internet-facing proxy that stops receiving security patches is a liability, not a dependency.
There’s no plug-and-play replacement, but the ecosystem is betting on Gateway API: more modern, more flexible, and built for today’s traffic-routing problems. Whatever you pick, start the migration before the deadline, not after the next vulnerability.

docker.com
Clawdbot just plugged into Docker Model Runner (DMR). That means you can now run your own OpenAI-compatible assistant, locally, on your hardware. No cloud. No per-token fees. No data leaking into the void.

kubernetes.io
A new guide shows how to run Gateway API locally with kind and cloud-provider-kind. It spins up a one-node Kubernetes cluster in Docker - complete with LoadBalancer Services and a Gateway API controller. Cloud vibes, zero cloud bill.
Fire it up to deploy demo apps, test routing, or poke around with CRD experiments. No production stress attached.
⚙️ Tools, Apps & Software

github.com
Descheduler for Kubernetes

github.com
Kubernetes Enumeration Tools for Penetration Testing - K8s security assessment scripts for red team operations

github.com
A Kubernetes operator to manage Zed Attack Proxy (ZAP) scans

github.com
Gracefully handle EC2 instance shutdown within Kubernetes

github.com
DevOps and Security knowledge base with 50+ skills covering Kubernetes, Terraform, AWS/GCP/Azure, container hardening, SOC2 compliance, and incident response. Includes ready-to-run scripts and agent-ready instructions for SREs, platform engineers, and security teams.
🤔 Did you know?
Did you know Kubernetes’ API server implements API Priority and Fairness (APF) to protect itself from overload by classifying traffic into flows and priority levels defined by FlowSchema and PriorityLevelConfiguration? APF applies a fair-queuing algorithm so that within a given priority level, distinct request flows are treated equitably, and it uses shuffle sharding to assign flows to a subset of queues to reduce interference from heavy hitters. APF has been enabled by default since Kubernetes 1.20 (beta) and became stable in v1.29, and the flow control configuration (priority levels, concurrency shares, queueing behavior) is tunable at runtime via API objects without restarting the API server. By dividing the server’s total concurrency limit among priority levels, critical control-plane traffic such as leader election, kubelet heartbeats, and controller manager requests remain responsive even under load from noisy clients.
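To make the shuffle-sharding part concrete, here is an added example (mine, not code from the Kubernetes API server) that models one priority level's queues: each flow is dealt a small "hand" of queues from a stable hash of its flow distinguisher, a request goes to the shortest queue in its hand, and a noisy flow can only starve another flow whose whole hand lies inside its own. The dealer below is a simplified stand-in for apiserver's exact hash-slicing, and the flow names, queue counts and flood sizes are constructed for the demo:

```python
import hashlib
from math import comb
from typing import List


def shuffle_shard_hand(flow_id: str, queues: int, hand_size: int) -> List[int]:
    """Deal `hand_size` distinct queue indices to a flow, deterministically.

    APF hashes the flow distinguisher and uses the hash to choose the hand; this
    dealer is a simplified stand-in for apiserver's exact bit-slicing (assumption,
    not its code). sha256 is used because Python's hash() is salted per process.
    """
    if not 1 <= hand_size <= queues:
        raise ValueError("hand_size must be between 1 and queues")
    h = int.from_bytes(hashlib.sha256(flow_id.encode()).digest(), "big")
    available = list(range(queues))
    hand = []
    for _ in range(hand_size):
        pick = h % len(available)      # next "card" drawn from the hash
        h //= len(available)
        hand.append(available.pop(pick))
    return sorted(hand)


def enqueue(flow_id: str, queue_lengths: List[int], hand_size: int) -> int:
    """Put one request on the shortest queue in the flow's hand; return the queue index."""
    hand = shuffle_shard_hand(flow_id, len(queue_lengths), hand_size)
    target = min(hand, key=lambda q: (queue_lengths[q], q))  # ties -> lowest index
    queue_lengths[target] += 1
    return target


def full_overlap_probability(queues: int, hand_size: int, covered: int) -> float:
    """Chance that a random hand lies entirely inside `covered` saturated queues."""
    if covered < hand_size:
        return 0.0
    return comb(covered, hand_size) / comb(queues, hand_size)


def simulate(queues: int = 64, hand_size: int = 6, flood: int = 600, victims: int = 2000) -> dict:
    """One noisy flow floods its hand; count how many other flows end up behind it."""
    lengths = [0] * queues
    noisy = "user:noisy-controller"        # constructed flow distinguisher
    for _ in range(flood):
        enqueue(noisy, lengths, hand_size)
    noisy_hand = shuffle_shard_hand(noisy, queues, hand_size)
    starved = 0
    for i in range(victims):
        trial = list(lengths)             # every victim sees the same flooded state
        q = enqueue(f"user:victim-{i}", trial, hand_size)
        if trial[q] > 1:                  # the queue already held noisy requests
            starved += 1
    return {
        "noisy_queues": noisy_hand,
        "per_noisy_queue": lengths[noisy_hand[0]],
        "starved_fraction": starved / victims,
        "analytic_probability": full_overlap_probability(queues, hand_size, len(noisy_hand)),
    }


if __name__ == "__main__":
    print(simulate())
```

With 64 queues and a hand of 6, the chance that a random hand sits entirely inside the noisy flow's hand is 1/C(64,6), roughly 1.3e-8, which is why the simulated victims land in empty queues while the noisy flow's six queues each hold 100 waiting requests. Real APF additionally bounds each priority level's concurrency and queue length and lets the exempt level bypass queuing; the model covers only queue selection.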
⚡Growth Notes
When you change a Kubernetes resource, take the time to diff not just the YAML, but the resulting object model you expect the controllers to converge to, stepping through how each controller, admission webhook, and CRD status field will react to that single patch. This quiet habit of mentally simulating the full reconciliation path before you kubectl apply is how senior engineers avoid cascading outages, reduce rollback thrash, and build a deep, controller-focused intuition that continues to pay off even as APIs and platforms shift around them.