Inside this Issue
One tiny Kubernetes knob shaved 29 minutes off every restart, while AWS quietly made Gateway API feel like the default path instead of a science project. Then the vibes swing hard: GPU inference gets modular, JSON querying gets weirdly fast, and a Trivy mess reminds us how thin the supply chain ice can be.
A one-line Kubernetes fix that saved 600 hours a year
AWS Load Balancer Controller Reaches GA with Kubernetes Gateway API Support
Deploying Disaggregated LLM Inference Workloads on Kubernetes
jsongrep is faster than {jq, jmespath, jsonpath-rust, jql}
Trivy Hack Spreads Infostealer via Docker, Triggers Worm and Kubernetes Wiper
Steal the wins, dodge the footguns, ship with confidence.
Happy coding!
FAUN.dev() Team
Stories, Tutorials & Articles

micahkepe.com
This article introduces a tool called jsongrep, explains the search engine it uses internally, and outlines the benchmarking strategy used to compare its performance with other JSONPath-like query tools. The tool parses the JSON document, constructs an NFA from the query, determinizes the NFA into a DFA, and performs a depth-first search over the document using DFA transitions to identify matching values. The article also provides installation instructions for jsongrep and highlights its cross-platform compatibility and the speed it gains from DFA-based matching.

developer.nvidia.com
In large language model (LLM) inference workloads, a single monolithic serving process can hit its limits due to different compute profiles for prefill and decode stages. Disaggregated serving splits the pipeline into distinct stages to better utilize GPU resources and scale more flexibly on Kubernetes. Different ecosystem solutions like NVIDIA Dynamo and llm-d implement this pattern to optimize inference performance.

infoq.com
AWS ships GA Gateway API support in the AWS Load Balancer Controller. Teams can manage ALBs and NLBs through the upstream Gateway API standard.
The controller replaces annotation-encoded JSON with validated CRDs - TargetGroupConfiguration, LoadBalancerConfiguration, ListenerRuleConfiguration - and handles both L4 (TCP/UDP/TLS) and L7 (HTTP/gRPC) routing.
Gateway API's multi-cloud portability, now backed by AWS GA support, pushes routing configuration into Kubernetes and cuts reliance on third-party ingress controllers. Infra teams get less yak shaving.
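To show what "routing configuration in Kubernetes" looks like in practice, here is an added example (not taken from the InfoQ article or the AWS controller's documentation) of a standard Gateway API Gateway with a TLS listener and an HTTPRoute attached to it. The gatewayClassName, hostname, Secret and Service names are placeholders; the TLS block is generic Gateway API, so consult your controller's documentation for how it expects certificates to be referenced.

```yaml
# Added example (not from the original article): a Gateway whose HTTPS
# listener only accepts routes from its own namespace, plus one HTTPRoute.
# gatewayClassName, hostname, Secret and Service names are placeholders.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: public-web
  namespace: web
spec:
  gatewayClassName: example-gateway-class   # placeholder: use the class your controller registers
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      hostname: "app.example.com"            # placeholder hostname
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: app-example-com-tls         # placeholder Secret
      allowedRoutes:
        namespaces:
          from: Same   # only HTTPRoutes in namespace "web" may attach to this listener
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: app
  namespace: web
spec:
  parentRefs:
    - name: public-web           # attaches to the Gateway above
  hostnames:
    - "app.example.com"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: app              # placeholder Service name
          port: 8080
```

The `allowedRoutes.namespaces.from: Same` setting is the part worth checking on any Gateway you deploy: the default `Same` keeps teams in other namespaces from attaching routes to your listener, whereas `All` lets any namespace publish under your hostname.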

blog.cloudflare.com
Atlantis, a tool for planning and applying Terraform changes, faced slow restarts of up to 30 minutes due to a safe default in Kubernetes that became a bottleneck as the persistent volume used by Atlantis grew to millions of files. After investigation, a one-line change to fsGroupChangePolicy reduced restart time to about 30 seconds, saving roughly 50 hours of blocked engineering time per month.
Why this matters: Kubernetes safe defaults can become bottlenecks at scale. Audit fsGroupChangePolicy and PV permission settings on large stateful workloads.
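As an added illustration (not taken from the Cloudflare post) of the one-line change the article describes, the Pod spec below shows the default recursive ownership pass alongside the `OnRootMismatch` policy. The Pod, image, claim and mount names are constructed placeholders.

```yaml
# Added example, not from the original post: a Pod mounting a large
# persistent volume with fsGroup set. Names and image are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: atlantis-example               # constructed name
spec:
  securityContext:
    runAsUser: 1000
    fsGroup: 1000
    # Default is "Always": at every Pod start the kubelet walks the whole
    # volume and chowns/chmods each file to fsGroup. With millions of files
    # that walk is what turns a restart into a 30-minute wait.
    # fsGroupChangePolicy: "Always"
    #
    # Fix: only perform the recursive pass when the volume root's owner or
    # permissions do not already match fsGroup. After the first start,
    # subsequent restarts skip the walk entirely.
    fsGroupChangePolicy: "OnRootMismatch"
  containers:
    - name: app
      image: example.invalid/app:placeholder   # constructed placeholder image
      volumeMounts:
        - name: data
          mountPath: /home/atlantis/data       # constructed path
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: atlantis-data               # constructed claim name
```

One caveat to keep in mind: `OnRootMismatch` checks only the top-level directory of the volume. If a process later creates files below that root with a different group, those files are not corrected on restart, so the policy suits volumes written by a single UID/GID (as in the Atlantis case) better than shared scratch space.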

thehackernews.com
Cybersecurity researchers found malicious artifacts distributed via Docker Hub after the Trivy supply chain attack. Malicious versions 0.69.4, 0.69.5, and 0.69.6 of Trivy were removed from the image library. Threat actor TeamPCP targeted Aqua Security's GitHub organization, compromising 44 repositories.
Tools, Apps & Software

github.com
Protect your Kubernetes workloads with ModSecurity-compatible rules and OWASP Core Rule Set (CRS) using native Kubernetes CRDs.

github.com
Easy self-hosting for Docker-based web apps.

github.com
vigil-rs is a PID 1 / container init daemon written in Rust. It supervises multiple processes, runs health checks, and exposes a REST API over a Unix socket with native zombie-reaping and per-service stop signals.

github.com
A lightweight, open-source Kubernetes desktop app. 22 MB, zero telemetry, MIT licensed.

github.com
A terminal UI for monitoring Kubernetes services. Get instant visibility into your K8s pods, deployments, and more - right in your terminal.
Did you know?
Did you know that in Kubernetes, a Pod sending traffic to a Service backed by a Pod on the same node does not automatically get a "free" local path? In iptables mode, kube-proxy pre-programs NAT rules in the kernel, so even same-node traffic is still subject to DNAT at the virtual IP and tracked by conntrack - there is no shortcut just because source and destination share a node. IPVS mode uses its own kernel-level connection tracking instead of Netfilter, and eBPF-based datapaths like Cilium can bypass kube-proxy's iptables rules entirely. To explicitly guarantee node-local routing, Kubernetes provides internalTrafficPolicy: Local, which instructs kube-proxy to only select endpoints on the same node - at the cost of failing requests if no local endpoint exists.
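To make the `internalTrafficPolicy: Local` behaviour concrete, here is an added example Service (not part of the original item) with the default policy and the node-local one side by side. The Service name, selector label and port are constructed.

```yaml
# Added example, not from the original newsletter item: a Service that
# restricts in-cluster traffic to endpoints on the client's own node.
# Name, label and port are constructed placeholders.
apiVersion: v1
kind: Service
metadata:
  name: cache                  # constructed name
spec:
  selector:
    app: cache                 # constructed label; back it with a DaemonSet
  ports:
    - port: 6379
      targetPort: 6379
  # Default is "Cluster": kube-proxy may DNAT a same-node client to any ready
  # endpoint, including Pods on other nodes; there is no automatic local path.
  # internalTrafficPolicy: Cluster
  #
  # "Local": kube-proxy only programs endpoints that live on the client's
  # node. If no ready endpoint exists there, connections fail rather than
  # being routed to another node, so pair this with a DaemonSet or
  # topology-spread constraints that guarantee a local Pod.
  internalTrafficPolicy: Local
```

Before switching an existing Service, confirm that every node running clients also has a ready endpoint, for example with `kubectl get endpointslices -l kubernetes.io/service-name=cache -o wide`; a node with no local endpoint will see refused or timed-out connections, not a fallback.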