Kubesploit
2.06K subscribers
904 photos
175 videos
1.78K links
News and links on Kubernetes security curated by the @Learnk8s team
Website: https://kubesploit.io/
Forwarded from KubeFM
Alessandro Pomponio, Research Software Engineer @ IBM Research, explains his team's strategic approach to selecting open source tools from the CNCF landscape for their research computing platform.

Alessandro details their decision-making process for policy enforcement, comparing Kyverno and Gatekeeper. They ultimately chose Kyverno because it uses YAML and "truly speaks Kubernetes," making it more accessible for researchers who manage clusters as a secondary responsibility rather than their primary job.

Watch the full episode: https://ku.bz/5sK7BFZ-8
This article explains Kubernetes secrets management from an SRE angle by comparing:

- Sealed Secrets,
- External Secrets Operator,
- and Vault-based approaches with examples.

More: https://ku.bz/l5fy3crYf
Forwarded from KubeFM
The right AI governance pattern for Kubernetes is not one agent doing everything. It is multiple agents doing specific work well.

Henrik Rexed of Dynatrace says teams should think in terms of specialized review lanes: one AI system for infrastructure-heavy changes, another for observability concerns, and a human reviewer to confirm the final result. That reduces the chance of subtle platform-specific issues being missed by a generic review pass.

Watch the full interview: https://ku.bz/KGQ_b20nQ
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 185:

🔥 A One-Line Kubernetes Fix That Saved 600 Hours a Year
🔐 Why Kubernetes Has No Login — And How We Solved It for AuditRadar
⚙️ Durable Workflows Beyond Vercel: Version-Safe Orchestration for Kubernetes
🧩 The Missing Layers in Your Kubernetes Operator
🚨 Why Your KServe InferenceService Won't Become Ready: Four Production Failures and Fixes

Read it now: https://kube.today/issues/185

⭐️ This issue is brought to you by Qodo, the AI code integrity platform helping teams review, test, and ship reliable infrastructure code faster https://ku.bz/NvLHsnl-6
Forwarded from KubeFM
πŸŽ™οΈ What is Brandt Keller bringing to KCD New York?

A practical session on software assurance at scale, why verification material becomes harder to manage across organizational boundaries, and why runtime is where trust and verification matter most.

If you're interested in supply chain security, cloud-native platform engineering, observability, AI-enabled infrastructure, and practical Kubernetes operations, KCD New York is the place to be.

We also have 10 free tickets available. Email hello@kube.events to claim one before they are gone.

Register for KCD New York and claim your spot.

🔗 https://ku.bz/JkjmffBzw
This article shows how to sign every container image using Cosign keyless signing in GitHub Actions and enforce signatures at pod admission with Kyverno, using the chalk/debug npm attack as the real-world motivation.

More: https://ku.bz/7WkPPBjwH
This article reviews Kubermatic SecureGuard (KubeSG), a Kubernetes-native open source secrets manager built on OpenBao and the External Secrets Operator that automates secret rotation and delivery without app rewrites or proprietary SDKs.

More: https://ku.bz/wD-DcVMBD
This tutorial shows how to run Cloudflare Tunnels as a DaemonSet to expose services with zero open inbound ports, using liveness probes, Kubernetes Secrets, and GitOps with ArgoCD.

More: https://ku.bz/RYlKnctWf
Forwarded from LearnKube news
πŸ“£ New on LearnKube: "The mechanics of Kubernetes RBAC and how it connects users to permissions."

Kubernetes RBAC can feel confusing because the object names sound broader than the scope they actually grant.

A ClusterRole does not always mean cluster-wide access.

If you bind a ClusterRole with a RoleBinding, the permissions apply only in the namespace where the RoleBinding lives.

The article walks through:

- why direct user-to-permission mappings do not scale
- how Roles and ClusterRoles group permissions into reusable sets
- how RoleBindings and ClusterRoleBindings connect identities to permissions
- how to test access with kubectl auth can-i

Read the full guide:
https://learnkube.com/rbac-kubernetes
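The scoping rule in the post above (a ClusterRole bound through a RoleBinding only applies inside that RoleBinding's namespace) can be checked offline with a small model of how the API server resolves bindings. This is an added example, not code from the LearnKube article: the manifests are constructed Python dicts mirroring what the RBAC objects look like in a cluster, and the names "payments", "alice", "ops" and "observability/monitor" are illustrative assumptions.

```python
"""Offline model of how Kubernetes RBAC resolves a request.

Added example, not code from the LearnKube article. The manifests below are
constructed to mirror what `kubectl get roles,clusterroles,rolebindings,
clusterrolebindings -A -o json` returns, written as Python dicts so the script
runs without a cluster. Names ("payments", "alice", "ops") are assumptions.
"""

ROLES = [
    {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "payments"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]

CLUSTER_ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "node-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]}]},
]

BINDINGS = [
    # A ClusterRole referenced from a RoleBinding: secrets readable only in "payments".
    {"kind": "RoleBinding", "metadata": {"name": "alice-secrets", "namespace": "payments"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    # A namespaced Role bound in its own namespace.
    {"kind": "RoleBinding", "metadata": {"name": "alice-pods", "namespace": "payments"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    # A ClusterRole referenced from a ClusterRoleBinding: applies cluster-wide.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-nodes"},
     "roleRef": {"kind": "ClusterRole", "name": "node-viewer"},
     "subjects": [{"kind": "Group", "name": "ops"},
                  {"kind": "ServiceAccount", "name": "monitor", "namespace": "observability"}]},
]


def _subject_matches(subject, user, groups):
    kind, name = subject["kind"], subject["name"]
    if kind == "User":
        return name == user
    if kind == "Group":
        return name in groups
    if kind == "ServiceAccount":
        # Service accounts authenticate as system:serviceaccount:<namespace>:<name>
        return user == f"system:serviceaccount:{subject['namespace']}:{name}"
    return False


def _rules_for(role_ref, binding_namespace):
    """Rules a binding grants; a Role must live in the binding's own namespace."""
    if role_ref["kind"] == "ClusterRole":
        pool = CLUSTER_ROLES
    else:
        pool = [r for r in ROLES if r["metadata"]["namespace"] == binding_namespace]
    for role in pool:
        if role["metadata"]["name"] == role_ref["name"]:
            return role["rules"]
    return []  # a dangling roleRef grants nothing


def _rule_allows(rule, verb, resource, api_group):
    def allowed(values, wanted):
        return "*" in values or wanted in values
    return (allowed(rule["verbs"], verb)
            and allowed(rule["resources"], resource)
            and allowed(rule["apiGroups"], api_group))


def can_i(user, verb, resource, namespace=None, groups=(), api_group=""):
    """Offline equivalent of `kubectl auth can-i VERB RESOURCE -n NAMESPACE --as USER`.

    namespace=None models a cluster-scoped or all-namespaces request, which only
    a ClusterRoleBinding can satisfy. Like the API server, the decision is
    allow-only: the first matching rule wins and there are no deny rules."""
    for binding in BINDINGS:
        if not any(_subject_matches(s, user, groups) for s in binding["subjects"]):
            continue
        binding_ns = binding["metadata"].get("namespace")
        # The scoping rule from the post: a RoleBinding, even one that references
        # a ClusterRole, only applies to requests inside its own namespace.
        if binding["kind"] == "RoleBinding" and namespace != binding_ns:
            continue
        if any(_rule_allows(r, verb, resource, api_group)
               for r in _rules_for(binding["roleRef"], binding_ns)):
            return True
    return False


if __name__ == "__main__":
    checks = [
        ("alice", "get", "secrets", "payments", ()),
        ("alice", "get", "secrets", "billing", ()),
        ("alice", "get", "secrets", None, ()),
        ("bob", "list", "nodes", None, ("ops",)),
        ("system:serviceaccount:observability:monitor", "watch", "nodes", None, ()),
    ]
    for user, verb, res, ns, groups in checks:
        scope = f"-n {ns}" if ns else "--all-namespaces"
        print(f"kubectl auth can-i {verb} {res} {scope} --as {user}: "
              f"{'yes' if can_i(user, verb, res, ns, groups) else 'no'}")
```

Run as-is it prints the can-i answer for each constructed query; the first three lines show the same "secret-reader" ClusterRole answering yes in "payments", no in "billing" and no cluster-wide, because it was bound with a RoleBinding. Against a real cluster, `kubectl auth can-i` with `--as` gives the authoritative answer; the model is for reasoning about a dumped set of objects.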
This article explains how to build a highly available GKE architecture using Multi-Cluster Services and Multi-Cluster Gateway.

It covers the subnet naming requirement for cross-regional internal ALBs, cluster setup through Fleet, and a demo app with request routing.

More: https://ku.bz/7kBX1rFD4
This tutorial teaches Kubernetes security testing from an offensive perspective, covering:

- pod compromise detection,
- service account token exploitation,
- RBAC privilege escalation,
- and tools like kubeletctl and peirates.

More: https://ku.bz/gh_lvlX5t
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 186:

🔥 1 Million Tokens Per Second: Qwen 3.5 27B on GKE with B200 GPUs
🤖 How I Built Kernel: An AI-Powered IT Helpdesk That Deflects 80% of Support Tickets
⚙️ Ansible AWX: Infrastructure Automation on Top of Kubernetes
🛡️ I Setup Kubermatic SecureGuard Before It Even Existed
🔐 SRE: Secrets Management in Kubernetes

Read it now: https://kube.today/issues/186

⭐️ This newsletter is brought to you by StormForge by CloudBolt. Stop setting Kubernetes requests. Let ML handle rightsizing https://ku.bz/2wYKp0Q2Y
This tutorial shows how to build a hub-style multi-cluster cert-manager control plane where a central hub cluster manages certificate issuance and distribution across multiple spoke clusters using cert-manager and trust-manager.

More: https://ku.bz/LKB8W3PMJ
ESP Kubernetes Reference Implementation runs compliance scanning in Kubernetes using ESP policies: pull-based agents execute NIST, CIS, and STIG controls and produce CUI-free attestations that are forwarded to a SIEM or to cloud functions.

More: https://ku.bz/z00YcWHVS
Sealed Secrets Web is a tool that provides a web interface for managing and encrypting sensitive data in Kubernetes using the Sealed Secrets service by Bitnami.

More: https://ku.bz/WS8Y2DHgS
Forwarded from LearnKube news
🚀 New on LearnKube: Microservice authentication with Kubernetes Service Accounts.

Service Accounts are usually described as identities used to call the Kubernetes API.

But you can also use them to authenticate requests between services inside the cluster.

The article walks through:

- how an API service can pass its Service Account token to a data store
- how the data store can validate the token with the TokenReview API
- why accepting any valid token is not enough
- how projected Service Account tokens let you bind a token to a specific audience

Thanks to Gulcan for putting together the full walkthrough with diagrams, manifests, Go snippets, TokenReview examples, and projected Service Account tokens.

Read the full guide:
https://learnkube.com/microservices-authentication-kubernetes
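The receiving side of the pattern in the post above, as an added example that is not the article's code: the data store builds a TokenReview request with `spec.audiences` set to its own audience, then accepts a caller only if the response is authenticated, echoes that audience back, and names an expected service account. The audience "datastore.shop.svc", the caller service account "shop/api" and the three responses are constructed assumptions, not values captured from a cluster.

```python
"""Data-store side of service-to-service authentication with TokenReview.

Added example, not the code from the LearnKube article. The audience
"datastore.shop.svc" and the allowed service account "shop/api" are assumptions,
and the TokenReview responses below are constructed rather than captured.

The caller gets its audience-bound token from a projected volume, roughly:
  volumes:
  - name: datastore-token
    projected:
      sources:
      - serviceAccountToken:
          audience: datastore.shop.svc   # same value as EXPECTED_AUDIENCE
          expirationSeconds: 600
          path: token
"""
import json

EXPECTED_AUDIENCE = "datastore.shop.svc"                 # assumption
ALLOWED_CALLERS = {"system:serviceaccount:shop:api"}     # assumption
TOKEN_REVIEW_PATH = "/apis/authentication.k8s.io/v1/tokenreviews"


def build_token_review(token, audience=EXPECTED_AUDIENCE):
    """Body to POST to TOKEN_REVIEW_PATH on the API server.

    Listing spec.audiences makes the server reject tokens that were not minted
    for this audience, so the default API-server-audience token that every pod
    receives cannot simply be replayed against the data store."""
    return {
        "apiVersion": "authentication.k8s.io/v1",
        "kind": "TokenReview",
        "spec": {"token": token, "audiences": [audience]},
    }


def authorize_caller(review, audience=EXPECTED_AUDIENCE, allowed=ALLOWED_CALLERS):
    """Decide from a TokenReview response whether the caller may proceed.

    Returns (ok, reason_or_username). Each rejection is a separate reason why
    "any valid cluster token" is not enough."""
    status = review.get("status", {})
    if status.get("error"):
        return False, f"token review error: {status['error']}"
    if not status.get("authenticated", False):
        return False, "token not authenticated"
    # Defence in depth: even with spec.audiences set, confirm the server echoed
    # our audience back in status.audiences before trusting the token.
    if audience not in status.get("audiences", []):
        return False, "token was not issued for this service's audience"
    username = status.get("user", {}).get("username", "")
    if username not in allowed:
        return False, f"caller {username!r} is not an allowed service account"
    return True, username


# Constructed responses shaped like the API server's TokenReview status.
GOOD = {"status": {"authenticated": True,
                   "audiences": [EXPECTED_AUDIENCE],
                   "user": {"username": "system:serviceaccount:shop:api",
                            "groups": ["system:serviceaccounts",
                                       "system:serviceaccounts:shop"]}}}
# A token issued for the API server's audience, not for the data store:
# the server reports it as unauthenticated for the requested audiences.
WRONG_AUDIENCE = {"status": {"authenticated": False,
                             "error": "constructed: token not valid for requested audiences"}}
# Correct audience, but presented by a pod in another namespace.
WRONG_CALLER = {"status": {"authenticated": True,
                           "audiences": [EXPECTED_AUDIENCE],
                           "user": {"username": "system:serviceaccount:sandbox:debug"}}}

if __name__ == "__main__":
    print(json.dumps(build_token_review("<projected-token>"), indent=2))
    for name, resp in [("good", GOOD), ("wrong audience", WRONG_AUDIENCE),
                       ("wrong caller", WRONG_CALLER)]:
        print(f"{name}: {authorize_caller(resp)}")
```

The data store needs RBAC permission to `create` `tokenreviews` in the `authentication.k8s.io` API group to post the request; everything else in the decision is local to the receiving service.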
This article shows a Zero Trust blueprint using mutual TLS (mTLS) and Istio security policies to make internal and external APIs secure by default, with step-by-step configs and lessons from real systems.

More: https://ku.bz/Ft_3_HxjS
This tutorial teaches how to enforce signed container images in Kubernetes using Cosign for signing, Harbor for storage, and Kyverno admission controller for verification, including custom CA trust configuration and CI/CD integration patterns.

More: https://ku.bz/CjQLsVFWf
Forwarded from LearnKube news
This week on Learn Kubernetes Weekly 187:

🧠 Applying Kubernetes Patterns to LLM Workloads
🐒 Why Your Grafana is Slow on Kubernetes (and 3 Replicas Won't Fix It)
📊 Observability at Albert Heijn
🎬 Vibe Coding a Kubernetes Media Server: What I Learned About AI-First Engineering
🔌 Installing Kong Gateway Custom Plugins on Kubernetes using Helm Charts

Read it now: https://kube.today/issues/187

⭐️ This newsletter is brought to you by WeAreDevelopers World Congress — The World’s Largest Event for Developers, AI Builders & Tech Leaders https://ku.bz/cwnthSpPK
This tutorial shows how to secure east-west traffic in GKE using an Internal Regional Gateway with Envoy proxies, certificates, HTTP Routes with path rewriting, and a zero-trust architecture for service-to-service communication.

More: https://ku.bz/VqqYrclKm