ℹ️ News, Updates & Announcements

cybersecuritynews.com
Two CVE-2025 vulnerabilities in VMware Tools allow SYSTEM access via named pipe hijacking and path traversal. Administrators must upgrade to 12.5.1+ ASAP for the fixes.

github.blog
GitHub Spark spins natural-language prompts into full-stack AI apps in minutes. It taps Claude Sonnet 4 to scaffold UI and server logic. It hooks up data storage, LLM inference, hosting, GitHub Actions, Dependabot, plus multi-LLM smarts from OpenAI, Meta, DeepSeek and xAI—zero config.
Trend to watch: AI dev platforms are collapsing infra layers — CI/CD, hosting, and inference are becoming invisible defaults, not separate concerns.

docker.com
Docker Desktop hatches a beta MCP Catalog and Toolkit. It unleashes 100+ containerized Model Context Protocol servers loaded with metadata and use-case filters. Teams fire them via GUI or CLI. The catalog carves Docker-built images from community builds, runs supply-chain scans, and seals isolation. Custom setups and manual tie-ins vanish.

thehackernews.com
A critical NVIDIA Container Toolkit vulnerability (CVE-2025-23266) with a CVSS score of 9.0 allows for container escape and potential data manipulation. Hyped AI-based threats aside, infrastructure vulnerabilities like these demand immediate attention.

🔗 Stories, Tutorials & Articles

medium.com
A LinkedIn thread exposes a hack around AWS EventBridge’s 256KB limit. Someone chains Lambdas to compress then decompress events. Serverless traps lurk: blown-up IAM permissions, triggers with zero validation, wide-open egress, and unscanned packages fueling supply chain bombs.

medium.com
The blueprint carves out production-grade AWS infra. Terraform orchestrates VPCs with public and private subnets, deploys a Bastion host, spins up private EKS clusters, and stands up an internet-facing ALB armed with SSL/TLS. Argo CD drives GitOps. The CI pipeline runs SAST, builds Docker images, hunts CVEs, and rolls out updates with zero downtime. Observability arrives via Prometheus scraping metrics, Grafana painting dashboards, and centralized logs streaming to your store.

medium.com
Wix’s MRE team injects AI-driven chaos into CI/CD pipelines. Mobile releases gain speed and rock-solid stability. They harness hackathon-born prompt tests to bulletproof builds and deployments.
Signal: AI resilience trials in pipelines mark a shift from rigid builds to probabilistic validation.

medium.com
This article dives into Azure RBAC for Kubernetes. It maps each persona to pinpoint roles per namespace. Permissions stay minimal from the get-go. It ties role bindings to Azure AD groups, splits dev and prod, and flips on audit logs. Quarterly reviews and crisp docs keep RBAC lean and current.

gregros.dev
Boosting scalability in distributed systems isn't just a mad dash for speed. It's about morphing resources to tackle shifting demand. Nail scalability, and you balance infrastructure costs with job handling efficiency, all while juggling resource utilization at a sweet spot around 0.5. Crave a drama-free experience? Systems must scale like an expert balancer, adapting to the rollercoaster of workloads thrown their way.

csoonline.com
GitGuardian's 2024 report sounds the alarm: 23 million secrets slipped through leaks in 2023. A whopping 70% hung around for months. Talk about a security nightmare! Enter HashiCorp Vault and Akeyless. These tools mastered the multi-cloud juggling act and automated secrets management. Result? A satisfying 90% cut in static secrets.

dzone.com
DevOps pipelines serve as superhighways for cybercriminals, who target them through credential leaks, supply chain infiltration, misconfigurations, and dependency vulnerabilities. Security must evolve with development to combat these sophisticated attacks.

medium.com
Discover how kubriX seamlessly integrates leading open-source tools like Argo CD, Kargo, and Backstage to deliver a fully functional IDP out of the box. This blog post provides a deep dive into the technical aspects of kubriX, showcasing its capabilities and value proposition within the realm of Internal Developer Platforms for Kubernetes environments.

leodalcegio.dev
Communication between systems involves protocols, IP addresses, and DNS for mapping. Distributed systems divide workloads across multiple machines, allowing for scalability. Load balancing is key for distributing requests evenly among machines. Data consistency in distributed systems can be achieved through replicas and different levels of consistency, such as strong, sequential, and eventual.

cybersecuritynews.com
API monitoring tracks latency, errors and uptime. Tools tag real-time metrics. They fire alerts. They map traces. They automate tests. They crunch analytics. Examples span OSS stars Prometheus and Graphite and SaaS champs AppDynamics and Postman. Each hooks into CI/CD pipelines and plants global synthetic probes.

aws.amazon.com
Zapier snaps each customer Zap into its own AWS Lambda, cradled inside lean Firecracker microVMs. It wrangles 100k+ functions under an EKS control plane and inventory DB. When runtimes retire, Zapier swings into action: a set of Terraform modules paired with a custom Lambda canary tool. Traffic trickles in. Rollback fires the moment things falter. Cleanup purges the old. Boom—95% fewer deprecated runtimes.
Infra shift: Canary-fueled upgrades and IaC morph serverless into a self-healing machine.

trigger.dev
Trigger.dev v4 sharpens self-hosting. It pins everything to Docker Compose. It bakes registry and object storage in. It chops YAML bloat. Env-var docs unify configs. Resource caps lock down security. Scaling? Spin up more worker containers.

github.blog
Product engineers are like builders of Gundam models, constructing the final product, while platform engineers supply the tools needed to build these kits. Understanding the Gundam analogy helps differentiate engineering roles at GitHub.

rudderstack.com
PostgreSQL juggles 100,000 events per second. It just needs some index wizardry and query tweaking. The problem? Table bloat and write amplification. Gross. Enter the mighty COPY—it bulldozes through bulk data, politely ignoring the usual INSERT drag. And those recursive CTEs? They pull off loose index scans, giving performance a sly nod minus the native support.

thehiddenport.dev
Attackers swap predictable IDs. They slip into AWS APIs, Lambda functions, internal tools. Fuzzers like ffuf flag sneaky HTTP 200s. Burp Intruder bubbles up 404 probes. CloudWatch logs trace every call. Random UUIDs seal ID gaps.