FAUN.dev's Kubernetes Weekly Newsletter 🔗 View in your browser. | ✍️ Publish on FAUN.dev | 🦄 Become a sponsor
KubernetesLinks
This Week in Kubernetes, with Kaptain the Shark
🔍 Inside this Issue
This one swings between massive scale and tiny signals: Airbnb is calmly swallowing 50M metrics samples per second while some teams ignore 437 restarts until the night goes sideways. Add Kubernetes user namespaces going GA, microVM sandboxes as the new security baseline, and an AI-shaped flood of vuln reports, and you have plenty to steal for your own stack.
📈 Building a fault-tolerant metrics storage system at Airbnb
🧠 From public static void main to Golden Kubestronaut: The Art of unlearning
🛡️ The AI-driven shift in vulnerability discovery
🦝 Ubuntu 26.04 LTS Released: Meet Resolute Raccoon
🧩 Kubernetes v1.36: User Namespaces are finally GA
🧱 Why MicroVMs: The Architecture Behind Sandboxes
Ship smarter, page less.
Happy coding!
FAUN.dev() Team
📈 Building a fault-tolerant metrics storage system at Airbnb
🧠 From public static void main to Golden Kubestronaut: The Art of unlearning
🛡️ The AI-driven shift in vulnerability discovery
🦝 Ubuntu 26.04 LTS Released: Meet Resolute Raccoon
🧩 Kubernetes v1.36: User Namespaces are finally GA
🧱 Why MicroVMs: The Architecture Behind Sandboxes
Ship smarter, page less.
Happy coding!
FAUN.dev() Team
⭐ Patrons
iacconf.com
Managing IaC or leading platform engineering? IaCConf is the “can’t miss” event featuring 20 top IaC leaders across 13 sessions. Join 5,000+ practitioners to share what’s actually working and swap hard-won lessons.
Register Now
Register Now
eventbrite.co.uk
Are Your APIs Ready for AI Agents? A Hands-on Workshop on May 23rd
AI agents are beginning to autonomously call APIs, chain services, and create integrations that most platforms were never designed to handle. This hands-on masterclass on Designing AI-ready APIs helps architects and developers build governed, predictable API ecosystems using OpenAPI, Overlay, and Arazzo.
Learn how to add guardrails, improve discoverability, and safely evolve existing APIs for automated consumption.
FAUN.dev readers get an exclusive 40% discount using code FAUN40.
AI agents are beginning to autonomously call APIs, chain services, and create integrations that most platforms were never designed to handle. This hands-on masterclass on Designing AI-ready APIs helps architects and developers build governed, predictable API ecosystems using OpenAPI, Overlay, and Arazzo.
Learn how to add guardrails, improve discoverability, and safely evolve existing APIs for automated consumption.
FAUN.dev readers get an exclusive 40% discount using code FAUN40.
🐾 From FAUNers
faun.dev
Ubuntu 26.04 LTS - Resolute Raccoon ships GNOME 50. GNOME-on-X11 is gone; the session runs only on Wayland. Mutter patches shave NVIDIA blocked frame time down to microseconds.
The release requires systemd 259 and cgroup v2. It swaps initramfs to Dracut. Desktop minimums rise. Binaries default to memory-safe Rust.
Ubuntu adds native CUDA and ROCm to main repos. Livepatch lands on Arm64. The installer gains TPM-backed full-disk encryption. App Center becomes the central app manager.
System shift: Requiring Wayland, cgroup v2, Dracut, and repo-distributed CUDA/ROCm pushes Ubuntu defaults toward modern GPU, container, and init stacks. Consider it the distro telling legacy tech to take a hike.
The release requires systemd 259 and cgroup v2. It swaps initramfs to Dracut. Desktop minimums rise. Binaries default to memory-safe Rust.
Ubuntu adds native CUDA and ROCm to main repos. Livepatch lands on Arm64. The installer gains TPM-backed full-disk encryption. App Center becomes the central app manager.
System shift: Requiring Wayland, cgroup v2, Dracut, and repo-distributed CUDA/ROCm pushes Ubuntu defaults toward modern GPU, container, and init stacks. Consider it the distro telling legacy tech to take a hike.
🔗 Stories, Tutorials & Articles
medium.com
Airbnb built a metrics system that ingests 50M samples/s, stores 2.5PB of logical time series, and hosts 1.3B active series.
They use tenant-per-service grouping and shuffle sharding. They enforce per-tenant guardrails and a consolidated control plane. They shard queries and compaction. They run zone-aware replicas and multi-cluster rollouts.
They use tenant-per-service grouping and shuffle sharding. They enforce per-tenant guardrails and a consolidated control plane. They shard queries and compaction. They run zone-aware replicas and multi-cluster rollouts.
kubernetes.io
Kubernetes v1.36 promotes User Namespaces to GA on Linux. It brings rootless workload isolation.
Kubelet leans on kernel ID-mapped mounts. It sidesteps expensive chown by remapping UID/GID at mount time and confines privileged processes. No more mass-chown screams.
Kubelet leans on kernel ID-mapped mounts. It sidesteps expensive chown by remapping UID/GID at mount time and confines privileged processes. No more mass-chown screams.
cncf.io
AI models let non-experts craft real and fake vulnerabilities at scale. They spit out low-quality noise and the occasional high-value report.
Reports flood OSS maintainers. Triage, patching, release cadences, and downstream upgrade/compliance pipelines buckle under the load.
Guidance recommends publishing threat models, requiring tested PoC and example fixes, adopting AI-assisted triage, and tracking triage metrics.
Reports flood OSS maintainers. Triage, patching, release cadences, and downstream upgrade/compliance pipelines buckle under the load.
Guidance recommends publishing threat models, requiring tested PoC and example fixes, adopting AI-assisted triage, and tracking triage metrics.
cncf.io
The author left JVM monolith ops for Kubernetes. They stacked certs: CKA, CKAD, CKS, KCNA, KCSA, CNCF Golden Kubestronaut.
They treat Pods as the atomic deployable. They pick fights: Ingress vs NodePort. They warn about ConfigMap drift.
They spotlight runtime primitives: Horizontal Pod Autoscaler and service mesh for resilience.
They treat Pods as the atomic deployable. They pick fights: Ingress vs NodePort. They warn about ConfigMap drift.
They spotlight runtime primitives: Horizontal Pod Autoscaler and service mesh for resilience.
docker.com
Docker Sandboxes puts each agent session in a dedicated microVM. Each microVM runs a private Docker daemon inside the VM boundary. That blocks access to the host.
A new cross‑platform VMM runs on macOS, Windows, and Linux hypervisors. It slashes cold starts and runs full Docker build, run, and compose workflows per sandbox.
A new cross‑platform VMM runs on macOS, Windows, and Linux hypervisors. It slashes cold starts and runs full Docker build, run, and compose workflows per sandbox.
⚙️ Tools, Apps & Software
github.com
kite-desktop, a desktop-based K8S multi-cluster management tool built on Wails v3
github.com
Kubernetes Skill for Claude Code and Codex. LLMs hallucinate a lot with K8s - KubeShark fixes this. It eliminates hallucinations and grounds your Kubernetes, Helm etc official best practices.
github.com
Open source, cloud native, Postgres platform with copy-on-write branching and scale-to-zero
github.com
Model Context Protocol (MCP) server for Kubernetes and OpenShift
🤖 Once, SenseiOne Said
"Kubernetes makes every failure recoverable, which is how you end up normalizing failure as the steady state. In a distributed system, the real outage is the gap between what the control plane believes and what the containers are actually doing."
— SenseiOne
— SenseiOne
⚡Growth Notes
"WARN: Liveness probe failed, restarting container (restart count: 437)" => nobody paged because the pod kept "recovering" and the service stayed green. The team that treats restart counts as background noise instead of a leading indicator is the same team that debugs a cascading OOMKill at 2 am, wondering how it got that bad.
😂 Meme of the week
