Kaptain

Cloud bills are getting side‑eyed while Kubernetes quietly graduates from ‘maybe’ to mission‑critical—databases, networking, CI, the whole stack. Bare‑metal cost wins, Kafka‑backed metrics, zero‑trust guardrails, and an eBPF rootkit worth a postmortem—details inside.

🖥️ AWS to Bare Metal Two Years Later: Answering Your Toughest Questions About Leaving AWS

🛠️ Azure Developer CLI: Azure Container Apps Dev-to-Prod Deployment with Layered Infrastructure

📈 Grafana Pushes the Limits of Metrics Performance with Mimir 3.0

🏗️ How Airbnb Runs Distributed Databases on Kubernetes at Scale

🚦 Kubernetes Gateway API 1.4.0 Makes Network Routing More Declarative and Reliable

🐘 Kubernetes + Postgres = Finally Sane? CloudNativePG and pgEdge Think So

⚙️ Kubernetes with Buildkite: faster, simpler, and ready for scale

🕵️ LinkPro: eBPF rootkit analysis

🔑 Manage Secrets of your Kubernetes Platform at Scale with GitOps

🔒 Zero-Trust Kubernetes: Enforcing Security & Multi-Tenancy with Custom Admission Webhooks

You’re a step ahead—steal the patterns and ship with fewer surprises.

Have a great week!
FAUN.dev() Team

Easily secure any site by putting SSL management on autopilot, supporting one-step validation and renewal via REST API.

ZEDEDA dropped Edge Kubernetes App Flows, a full-stack system that runs edge apps like a pipeline - GitOps-driven, zero-trust secured, resilient even when offline. It handles bare-metal and GPU workloads, scales to tens of thousands of clusters, and hooks into K3s for lightweight, vendor-agnostic orchestration.

CloudNativePG just landed in the CNCF Sandbox - a nod from the community and a sign that Kubernetes-native Postgres is growing up. Meanwhile, pgEdge is syncing up: it now plugs into CloudNativePG, ships Postgres 16–18 container images (Minimal and Standard), and reworks its Helm chart to handle multi-cluster Kubernetes setups.

System shift: Postgres keeps leaning into Kubernetes as the backbone for running distributed databases anywhere.

Kubernetes Gateway API v1.4.0 lands with cleaner traffic routing, sharper control over ingress and egress, and more expressive, declarative configs. Less duct tape. More clarity for complex microservices.

Grafana Mimir 3.0 just released with a clean architectural split: reads and writes now scale independently, thanks to a new decoupled design and Apache Kafka under the hood. The goal = better reliability + smoother scaling.

This builds on 2.17's launch of the Mimir Query Engine, already a game-changer for faster, leaner queries in metric-heavy setups.

A new stealth rootkit called LinkPro just surfaced, taking aim at AWS-hosted Linux boxes. It blends two custom eBPF programs for deep concealment and remote activation via magic packets.

The path in? CVE-2024-23897 - an RCE on a public Jenkins server. From there, attackers slipped into Amazon EKS clusters, dropped vShell (an in-memory backdoor), and escaped containers using a poisoned Docker image.

LinkPro keeps itself hidden with Tracepoint and Kretprobe hooks - masking processes, files, even its own eBPF code. If eBPF tracing isn’t available, it downgrades to an old-school trick: an LD_PRELOAD shared lib.

Cloud DNS is the most cost-effective way to manage your domain names. You can use it with Free DNS or Premium DNS, depending on your needs. Our Cloud DNS service provides up to 10,000% uptime Service Level Agreement (SLA).

ClouDNS offers Free DNS zone migration for all new customers!

Tools like OPA Gatekeeper, Kyverno, and custom webhooks slam the brakes on sketchy workloads before they ever spin up.

These controllers aren’t just gatekeepers - they’re enforcers. They check pod configs, block unverified images, and apply live, scoped policies like tenant-aware network isolation and resource quotas on the fly.

Azure Developer CLI v1.20.0 leveled up Container Apps. Build and push are now split from deploy, so you can finally "build once, deploy everywhere" and mean it.

It adds layered infrastructure support, lets you share an Azure Container Registry across environments, and handles resource dependency sequencing in CI/CD.

OneUptime ditched the cloud bill and rolled their own dual-site setup. Think bare metal, orchestrated with MicroK8s, booted by Tinkerbell, patched together with Ceph, Flux, and Terraform. Result? 99.993% uptime and $1.2M/year saved - 76% cheaper than even well-optimized AWS.

They run it all with just ~14 engineer-hours/month. Thanks, Talos. The cloud's still in play, but only where it helps: archival, CDN, and burst capacity.

The bigger trend? Teams with steady workloads are eyeing physical infra again. Same automation. More control. Way less money lit on fire.

Airbnb runs distributed databases across multiple Kubernetes clusters - each tied to its own AWS Availability Zone. That setup isolates failures down to individual pods and keeps the whole system highly available.

They built a custom Kubernetes operator and leaned on EBS volumes with PVCs to smooth out node swaps. That way, even during shakeups - planned or not - quorum stays intact and the system holds steady.

System shift: Running stateful databases on Kubernetes isn’t just possible now. At scale, it's solid - thanks to smart cluster mapping, custom operators, and failover that actually respects storage.

Buildkite just added a major revamp of its Kubernetes Agent Stack. Highlights: REST-based config, leaner K8s objects, and hardened security defaults.

It handles tens of thousands of concurrent jobs without breaking a sweat. Shared environment vars cut down pod config noise. Error messages come with full YAML receipts.. Metrics are exposed out of the box, no custom scrapers needed. And Helm got more knobs to tweak.

Use the External Secrets Operator to manage secrets securely and connect workload clusters to a control plane with Argo CD. By integrating External Secrets, you can streamline secrets management and maintain a secure environment for your platform. Explore different reference architectures such as the Hub and Spoke model to effectively manage secrets and workload clusters in a scalable manner.

Show your Kubernetes pride with the Kubectl Heavy Blend™ Hoodie — soft, durable, and built for long dev sessions or quick rollouts. This hoodie keeps you warm and ready to ship, whether you’re scaling clusters, sipping coffee or debugging last week incident :)

Host and manage multiple Juice Shop instances for security trainings and Capture The Flags

Raspberry Pi's K3s edge cluster. 

secureCodeBox (SCB) - continuous secure delivery out of the box

pod that scales down to zero

Did you know that Docker containers all share the same host kernel, so a single misconfigured container can exhaust kernel resources like PID or file descriptor limits for everyone? That’s why Kubernetes isolates namespaces and sets per-Pod limits, preventing one noisy neighbor from crashing the entire node.

"'Desired state' in Kubernetes is a contract with controllers, not with your users. Containers remove host assumptions; distributed systems add timing assumptions. Sometimes the outage is the system doing the right thing at the wrong time."
— SenseiOne

This Week’s Human is Geoffrey Dayrit, Cyber Security Senior Lead Technical Program Manager at Lumen Technologies. He builds and scales secure Government Cloud environments aligned with CMMC 2.0, DFARS 252.204‑7012, and FedRAMP/NIST 800‑171, driving zero‑trust architecture and vulnerability remediation to cut risk and shorten audit timelines. Previously he led the Global Security Services PMO, grounding teams in the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover).