Containers share a kernel, so a container is not a security boundary by default. This is the practical hardening that makes one act like a boundary — minimal pinned images, a signed and scanned supply chain, dropped capabilities and seccomp, and a Kubernetes securityContext that actually holds.
Kubernetes
-
Container Security in 2026: The Threat Model, the Supply Chain, and a Pod That Can't Hurt You -
Secrets Management in 2026: From .env Files to Short-Lived, Identity-Based Credentials The point of secrets management is not a better place to hide a long-lived API key — it is to have fewer standing secrets and shorter-lived ones. A practical tour from .env hygiene to SOPS, Vault, dynamic credentials, Kubernetes reality, and workload identity that kills the "secret zero" problem.
-
Queueing Theory for Capacity Planning: Why Latency Explodes at 80% Queueing theory gives engineers a rigorous foundation for capacity planning. Little's Law, the M/M/1 utilization-latency formula, and the hockey-stick curve explain why latency degrades catastrophically near saturation — and exactly where to set thresholds for thread pools, connection pools, and HPA.
-
k3s vs k8s: Lightweight Kubernetes or the Full Thing? k3s is not a fork of Kubernetes or a stripped-down imitation — it is a CNCF-certified, fully conformant Kubernetes distribution that happens to ship as a single sub-70MB binary and run the control plane in a few hundred megabytes of RAM. So 'k3s vs k8s' is really a packaging and operations question, not an API question: your manifests and Helm charts run unchanged on both. This post breaks down what k3s actually changes (the kine datastore shim, SQLite instead of etcd by default, bundled batteries like Traefik and ServiceLB, removed legacy in-tree drivers), the real resource and operational differences, high-availability options, where each one wins, and where k3s's conveniences can surprise you.
-
GCP for the AWS-Fluent Engineer Google Cloud from the perspective of someone who already knows AWS: the resource hierarchy that replaces accounts and OUs, IAM that works completely differently, GKE as the best managed Kubernetes, Cloud Run as containers-done-serverless, BigQuery as the genuinely differentiated killer app, and the global VPC model that will break your mental picture on day one. Includes a full AWS-to-GCP service translation table.
-
Harvester: Cloud-Native HCI on Bare Metal SUSE and Rancher's modern hyperconverged platform that runs VMs as Kubernetes resources — KVM via KubeVirt, Longhorn for storage, the whole thing managed as Kubernetes. The most current architecture in the private-cloud field, what you gain from the Kubernetes-everything bet, and the operational weight you inherit whether you wanted it or not.
-
Knative: Serverless on Your Own Cluster Knative brings the Cloud Run experience to any Kubernetes cluster: request-driven scale-to-zero via the Knative Pod Autoscaler, revision-based traffic splitting for blue-green and canary deployments, and a full CloudEvents-native eventing layer with brokers and triggers. This post covers the architecture in depth, the data path through the activator during cold start, and an honest comparison with KEDA and plain HPA — including when Knative's operational weight makes it the wrong choice.
-
KubeVirt: Running VMs on Kubernetes KubeVirt makes virtual machines first-class Kubernetes objects: each VM becomes a CRD, runs inside a virt-launcher pod backed by libvirt and QEMU, and is managed with kubectl like any other workload. This post covers the architecture, the VirtualMachine and VMI CRDs, live migration, CDI disk import, Multus and SR-IOV networking, and the honest question of when running VMs on Kubernetes actually makes sense versus a dedicated hypervisor.
-
Kyverno vs OPA Gatekeeper A deep look at the two dominant Kubernetes policy engines: Kyverno's YAML-native approach with validate, mutate, generate, and image-verification capabilities versus Gatekeeper's Rego-powered ConstraintTemplate model and its reach beyond Kubernetes — plus an honest reckoning with whether Kubernetes' built-in CEL admission policies are making both redundant.
-
Ray: Distributed Python Without the Pain A deep technical look at Ray's core primitives, scheduling model, high-level ML libraries, KubeRay on Kubernetes, and honest trade-offs versus Dask and Spark.
-
Rook: Ceph as a Kubernetes Operator Rook turns Ceph into a Kubernetes-native workload: it deploys and reconciles monitors, OSDs, and managers as pods, exposes block, filesystem, and object storage through a handful of CRDs, and handles day-2 operations — scaling, upgrades, failure recovery — through the operator loop. This post covers the full architecture, the key CRDs with YAML, StorageClass patterns for RBD and CephFS, external-cluster mode, and an honest verdict on when Rook-Ceph is the right tool versus when Longhorn or cloud-native block storage is the better answer.
-
Velero: Backup and DR for Kubernetes The honest operator's guide to Velero: what it actually backs up (API objects and persistent volume data), how CSI snapshot integration and the Kopia-powered built-in DataMover work together, how to schedule backups and scope them by namespace or label, and why your DR plan is fiction until you have tested a restore end to end.
-
gVisor and Kata Containers: Sandboxed Container Runtimes for Multi-Tenant Kubernetes A deep dive into gVisor's Sentry syscall interception and Kata Containers' microVM approach — architecture, installation, RuntimeClass, performance trade-offs, and when your workloads actually need hardware isolation.
-
Keycloak in Production: Realm Design, Federation, Kubernetes HA, and the Operational Reality of Running Your Own Identity Provider A comprehensive guide to running Keycloak in production: realm design strategies, client scopes and protocol mappers, LDAP/AD federation, authentication flows with WebAuthn and passkeys, Kubernetes HA deployment with the Operator, theme customization, and the operational reality nobody warns you about.
-
Vault PKI Secrets Engine in Production: Intermediate CAs, cert-manager, and Short-Lived Certificates as a Security Primitive A deep-dive into running Vault's PKI secrets engine in production: two-tier CA hierarchy, auto-rotating certificates, cert-manager integration, SPIFFE SVIDs, the revocation story, and operational hardening.
-
Kubernetes Network Policies in Depth: The Complete Guide A comprehensive deep-dive into Kubernetes NetworkPolicy: the ingress/egress model, default-deny patterns, the DNS gap, namespace selectors, Cilium L7/FQDN policies, AdminNetworkPolicy, and debugging blocked traffic.
-
NGINX Unit: The Application Server Nobody Talks About A deep-dive into NGINX Unit — the language-agnostic application server with a REST API-driven configuration model that eliminates uWSGI, Gunicorn, and separate process managers. Covers architecture, live config reloads, Python/PHP/Go/Node/Java setup, TLS, routing, Docker, and Kubernetes, plus an honest assessment of its archived status and when it still makes sense to use.
-
SLO-as-Code with Sloth and Pyrra: Multi-Window Burn-Rate Alerts, Error Budget Policy, and Grafana Dashboards A deep-dive into SLO-as-code workflows using Sloth v0.16 and Pyrra v0.10: complete YAML specs, generated PrometheusRules, multi-window multi-burn-rate alerting math, Grafana integration, and the organizational error budget policy conversation.
-
AWS EKS Deep Dive: Managed Kubernetes on AWS A comprehensive technical guide to Amazon EKS covering node groups vs Fargate vs Karpenter, IRSA, Pod Identity, add-ons lifecycle, networking choices, cluster upgrades with zero downtime, EKS Anywhere, and cost optimization.
-
Kafka Connect Deep Dive A comprehensive guide to Kafka Connect — connector architecture, Debezium CDC, Single Message Transforms, exactly-once delivery, schema evolution with Schema Registry, and running at scale on Kubernetes with Strimzi.
-
Open Policy Agent and Gatekeeper: Policy as Code for Kubernetes and Beyond A deep dive into OPA, Rego, and Gatekeeper — covering admission webhooks, ConstraintTemplates, external data providers, mutations, conftest testing, and policy-as-code patterns beyond Kubernetes.
-
Container Security in the Cloud: From Image to Runtime Supply chain hardening with Cosign and Syft, ECR scanning, Pod Security Standards, Falco runtime detection, network policies, External Secrets Operator, and admission controllers.
-
Crossplane: Kubernetes-Native Cloud Infrastructure Managed Resources, Composite Resources, Claims, XRDs, and Compositions in depth. Provider auth, composition functions, ArgoCD integration, and an honest comparison with Terraform.
-
etcd: The Brain of Kubernetes What lives in etcd, Raft consensus and quorum, backup and restore with etcdctl/etcdutl, compaction and defragmentation, the NOSPACE alarm, sizing guidelines, and the disaster recovery playbook.
-
Karpenter: Kubernetes Node Autoscaling Done Right A practical guide to Karpenter: how it differs from cluster-autoscaler, NodePool and EC2NodeClass configuration, Spot instance handling with automatic fallback, consolidation and disruption budgets, weighted NodePools for multi-tier workloads, GPU node provisioning, drift detection, and the operational patterns that reduce your EC2 bill.
-
Kubernetes Debugging in Production A systematic approach to CrashLoopBackOff, OOMKilled, Pending pods, DNS failures, network policy blocks, and certificate errors — with the exact commands to run at each stage.
-
OpenSearch in Production Index lifecycle management, shard sizing decisions, dashboards, alerting, k-NN neural search, the OpenSearch vs Elasticsearch question in 2026, and running OpenSearch on Kubernetes.
-
OpenTelemetry in Practice: Tracing, Metrics, and Logs Without Vendor Lock-In A practical guide to OpenTelemetry: instrumenting real services with the SDK, running the Collector as a telemetry pipeline, exporting traces to Grafana Tempo, metrics to Prometheus, logs to Loki, and understanding context propagation and baggage.
-
Azure Linux 4.0 and Azure Container Linux GA: Microsoft's Hardened OS for Cloud-Native and AI Workloads Microsoft announced Azure Linux 4.0 preview and Azure Container Linux GA at OSS Summit NA 2026 — a Fedora-based VM OS with atomic updates, AI-workload hardening, and a TCMalloc-Azure performance upgrade, alongside a sub-300MB container-only image purpose-built for AKS.
-
Temporal and Workflow Orchestration: Durable Execution for Engineers Who've Been Burned What makes Temporal different from a job queue, how event history replay achieves durable execution, activities vs workflows with real code, retries that actually work, self-hosting on Kubernetes, and an honest comparison with Celery, Airflow, and Step Functions.
-
Writing a Kubernetes Operator: The Complete Pattern Custom Resource Definitions, controllers, reconciliation loops, finalizers, status conditions, and building a real operator with controller-runtime that manages a stateful workload — with every pattern you need to do it right.
-
Kubernetes for the Homelab: K3s from Scratch to Production An end-to-end guide to running Kubernetes at home with K3s — single-node and HA setups, ingress, persistent storage with Longhorn, MetalLB, cert-manager with DNS-01, automated upgrades, and a pragmatic path to migrate Docker Compose workloads without overengineering it.
-
ArgoCD ApplicationSets Patterns How to stop hand-writing hundreds of near-identical ArgoCD Application manifests — list, cluster, and matrix generators plus templating strategies for managing many apps across many environments and clusters with GitOps.
-
Cilium as a Full CNI: Beyond Observability Cilium is far more than eBPF observability — a full Kubernetes CNI that replaces kube-proxy, enforces identity-based network policy, peers BGP, meshes services, and load-balances in hardware. How it works and how to run it as your networking layer.
-
HashiCorp Nomad: A Simpler Kubernetes Alternative HashiCorp Nomad as a simpler alternative to Kubernetes — a single binary that schedules containers, VMs, and raw binaries — covering its model, where it beats Kubernetes on operational overhead, and where its smaller ecosystem costs you.
-
Traefik as a Kubernetes Ingress Controller: The Complete Guide A technically deep guide to running Traefik as a Kubernetes ingress controller — covering Helm installation, IngressRoute CRDs, Middleware resources, TLS with cert-manager, Gateway API, RBAC, high availability, observability, and production-grade patterns including canary deployments, TCP/UDP routing, and ForwardAuth with Authentik.
-
Perses: The Open Dashboarding Standard Perses is a CNCF sandbox project that treats dashboards as code — versioned in Git, validated in CI, deployed as Kubernetes CRDs. Here's what it is, how it works, and when to use it.
-
Port: The Internal Developer Portal That Works Out of the Box A deep dive into Port (getport.io) — the SaaS internal developer portal. Covers blueprints, software catalog, self-service actions, scorecards, the Ocean integration framework, and an honest comparison with Backstage.
-
Pyroscope: Continuous Profiling in Production Pyroscope brings always-on profiling to production systems — flame graphs for CPU hotspots, memory leaks, and goroutine issues, correlated with your traces and metrics.
-
Radius: Microsoft's Open-Source Application Platform for Cloud-Native Teams A comprehensive deep dive into Radius — the CNCF sandbox application platform that separates developer concerns from infrastructure concerns. Covers the application model, Recipes, Environments, Connections, the rad CLI, architecture, and how it compares to Crossplane, Score, and Humanitec.
-
Score: Developer-Centric Workload Specification Score lets developers write a single score.yaml that deploys to Docker Compose locally and Kubernetes in production — without rewriting config for each environment.
-
Alloy: The OpenTelemetry Collector from Grafana Grafana Alloy replaces Grafana Agent, Grafana Agent Flow, and promtail with a single programmable OpenTelemetry collector. Here's how it works, how to deploy it, and how to build real pipelines with it.
-
Teleport: Zero-Trust Access for Infrastructure Replace SSH keys, VPN, and static database credentials with Teleport's certificate-based access plane — covering servers, Kubernetes, databases, web apps, CI/CD bots, and audit logs.
-
Trivy: Container and IaC Vulnerability Scanning A complete guide to Trivy — scanning container images, filesystems, Terraform, Kubernetes clusters, and generating SBOMs with a single tool.
-
OpenCost: Kubernetes Cost Attribution How to install and use OpenCost to break down Kubernetes spending by namespace, team, and workload — with Prometheus metrics, Grafana dashboards, and the allocation API.
-
Argo CD and GitOps in Production: App of Apps, Rollouts, and Multi-Cluster Management A deep dive into Argo CD in production: the App of Apps pattern for managing entire clusters, progressive delivery with Argo Rollouts, RBAC for multi-team environments, multi-cluster management, and drift detection.
-
Chaos Engineering in Practice: Breaking Things on Purpose to Build Unbreakable Systems A comprehensive guide to chaos engineering—covering the steady-state hypothesis, designing safe experiments, running game days, using Chaos Monkey, Litmus Chaos, and k6, and building a chaos program that actually improves reliability.
-
Chaos Engineering on a Budget: Building Resilience Without Breaking the Bank Run controlled failure experiments with Chaos Monkey, Pumba, and Litmus on a shoestring budget. Learn to design steady-state hypotheses, run game days, and build genuine confidence in your runbooks.
-
Gateway API: The Future of Kubernetes Ingress The Kubernetes Gateway API replaces Ingress with a role-oriented, expressive API for HTTP routing, traffic splitting, header manipulation, and TCP/gRPC routing. Here's everything you need to migrate.
-
Internal Developer Platforms with Backstage: Building the Golden Path How to build an Internal Developer Platform with Spotify's Backstage: setting up the software catalog, scaffolding golden-path templates, publishing TechDocs, and wiring up plugins for a self-service developer experience.
-
Karpenter: Intelligent Node Autoscaling for Kubernetes How Karpenter outperforms Cluster Autoscaler with just-in-time node provisioning, flexible NodePool configuration, spot instance handling, bin-packing, and intelligent cost optimization strategies.
-
mTLS Everything: Certificate-Based Service Identity with SPIFFE, SPIRE, and Envoy A comprehensive guide to mutual TLS—covering certificate-based service identity, SPIFFE/SPIRE workload attestation, mTLS with Envoy sidecars, Istio's control plane, and building a zero-trust service mesh from the ground up.
-
Progressive Delivery: Safe Deployments with Feature Flags, Canaries, and Argo Rollouts A comprehensive guide to progressive delivery—covering the spectrum from feature flags and canary releases to blue-green deployments and traffic splitting with Argo Rollouts, with real-world patterns for reducing deployment risk to near zero.
-
Real-Time Streaming with Apache Flink: Stateful Stream Processing at Scale A deep dive into Apache Flink — stateful stream processing, windowing, exactly-once semantics, checkpointing, and deploying production Flink jobs on Kubernetes.
-
Runtime Security with Falco: Syscall-Level Threat Detection for Kubernetes A comprehensive guide to Falco—covering how it works at the kernel level with eBPF, writing custom detection rules, integrating with alerting pipelines, and building a complete runtime security posture for Kubernetes workloads.
-
Secrets Rotation Without Downtime: Rotating Credentials in Live Systems Patterns for rotating database passwords, API keys, and TLS certificates in production systems with zero application restarts — covering the dual-credential pattern, dynamic secrets with Vault, automated certificate rotation, and the operational runbook for each scenario.
-
Self-Hosted GitHub Actions Runners: Ephemeral, Scalable, and Cost-Effective CI A deep dive into self-hosted GitHub Actions runners: deploying ephemeral runners on Kubernetes with Actions Runner Controller, build caching strategies, security hardening, and a real cost comparison against GitHub-hosted runners.
-
VictoriaMetrics: Prometheus at Scale How VictoriaMetrics handles Prometheus at scale — architecture deep dive, vminsert/vmselect/vmstorage clustering, MetricsQL extensions, remote_write migration, and achieving 10x better storage efficiency.
-
Apache Kafka Deep Dive A comprehensive guide to Apache Kafka — how it works internally, producers and consumers, partitions and consumer groups, exactly-once semantics, schema management, and running Kafka reliably in Kubernetes with Strimzi.
-
Crossplane: Infrastructure as Kubernetes — Composites, Providers, and Replacing Terraform A comprehensive guide to Crossplane — the Kubernetes-native control plane for infrastructure. Covers providers, managed resources, composite resource definitions, compositions, claims, RBAC, and running a production platform that lets developers self-serve cloud resources safely.
-
Developer Portals with Backstage: Catalog, Scaffolding, TechDocs, and Plugins A practical guide to Backstage — setting up the software catalog, creating service templates for self-service scaffolding, writing TechDocs, building plugins, and deploying Backstage to Kubernetes.
-
Distributed Tracing with Tempo and Grafana: From Zero to TraceQL A comprehensive guide to distributed tracing with Grafana Tempo—covering trace storage internals, TraceQL queries, correlating traces with logs and metrics, and production deployment patterns.
-
Ephemeral Environments: Preview Deployments, Branch Environments, and Testing in Isolation Ephemeral environments spin up a complete, isolated copy of your application for every branch or pull request — automatically. This guide covers the patterns, tooling, and trade-offs for building preview deployments that actually improve your development workflow.
-
GPU Infrastructure for ML: CUDA, MIG, Kubernetes Device Plugins, and Cost-Efficient Training A practical guide to GPU infrastructure for machine learning — CUDA fundamentals, NVIDIA MIG for multi-tenancy, sharing GPUs in Kubernetes with device plugins and time-slicing, building cost-efficient training clusters, and monitoring GPU utilization.
-
Internal Developer Platforms: Building the Golden Path A practical guide to designing and building an Internal Developer Platform — self-service infrastructure, service templates, environment management, and the abstractions that let product teams ship without becoming Kubernetes experts.
-
K3s on Raspberry Pi and Homelab: Lightweight Kubernetes That Actually Works A complete hands-on guide to running K3s on Raspberry Pi hardware and homelab servers — from bare-metal bootstrap to production-grade workloads with ingress, persistent storage, and GitOps deployments.
-
Kubernetes Cost Optimization: Rightsizing, Spot Nodes, Bin Packing, Kubecost, and Scale-to-Zero A practical guide to cutting Kubernetes infrastructure costs — rightsizing workloads with VPA, leveraging spot/preemptible nodes, improving bin packing, measuring cost with Kubecost, and eliminating idle compute with KEDA scale-to-zero.
-
Kubernetes Networking Internals: kube-proxy, iptables vs eBPF, CNI Plugins, and DNS A deep dive into how Kubernetes networking actually works — the pod network model, kube-proxy and Service implementation, iptables vs eBPF data planes, CNI plugin comparison, and CoreDNS resolution internals.
-
Kubernetes Operators Deep Dive A comprehensive guide to writing production-grade Kubernetes operators — CRD design, controller-runtime reconcile loops, finalizers, status conditions, event handling, leader election, and a complete testing strategy.
-
Multi-Cluster Kubernetes: Fleet Management, Cross-Cluster Service Discovery, and Traffic Routing A practical guide to running multiple Kubernetes clusters — when and why to go multi-cluster, fleet management with Cluster API, workload distribution with Karmada, cross-cluster service discovery, and traffic routing strategies.
-
Network Observability with Cilium and Hubble: Complete Visibility Into Your Kubernetes Network A comprehensive guide to Cilium and Hubble — installing the eBPF-based CNI, capturing flow logs, debugging network policies, building Grafana dashboards, and achieving complete network visibility in Kubernetes.
-
Secrets Management with HashiCorp Vault A practical guide to HashiCorp Vault — deploying it in production, using dynamic secrets, issuing certificates with the PKI engine, authenticating workloads with AppRole and Kubernetes auth, and integrating with CI/CD pipelines.
-
Service Meshes with Istio and Linkerd A practical guide to service meshes — what they are, when you actually need one, and how to use Istio and Linkerd for mTLS, traffic splitting, observability, and fault injection.
-
Talos Linux: The Immutable, API-Driven Kubernetes OS with No SSH A comprehensive guide to Talos Linux — the minimal, immutable OS designed exclusively for Kubernetes. Covers the architecture, bootstrapping clusters from scratch, machine configs, day-2 operations, upgrades, and why no SSH makes your infrastructure more secure and reproducible.
-
WebAssembly Beyond the Browser: WASI, Kubernetes Sidecars, Spin, and the Future of Serverless A practical guide to server-side WebAssembly — WASI and the component model, running Wasm workloads in Kubernetes with runtimes like wasmtime and spin, Fermyon's Spin framework for serverless functions, and why Wasm may reshape the edge and serverless landscape.
-
GitOps with Flux and ArgoCD: Declarative Deployments Driven by Git A comprehensive guide to GitOps using Flux v2 and ArgoCD — covering the four GitOps principles, repository structure strategies, full setup walkthroughs for both tools, secrets management with SOPS and Sealed Secrets, progressive delivery with Flagger, multi-cluster management, and practical day-to-day workflows.
-
Helm Charts: Packaging, Templating, and Managing Kubernetes Applications A comprehensive guide to Helm — the package manager for Kubernetes — covering chart structure, Go templating, building charts from scratch, managing releases in production, chart dependencies, CI/CD integration, and essential community charts for homelabs.
-
Hetzner Cloud for Homelab Overflow: Cost-Effective Cloud Bursting and Geo-Redundancy How to use Hetzner Cloud as a cost-effective overflow for your homelab — bursting compute to the cloud, adding geo-redundancy, and building hybrid setups that combine the best of on-premises and cloud infrastructure.
-
Kubernetes for the Homelab: K3s Setup, Workloads, and Beyond A thorough guide to running Kubernetes in your homelab using K3s — covering installation, core concepts, workload deployment, ingress with TLS, persistent storage, migrating from Docker Compose, Helm, GitOps, and cluster operations.
-
Traefik: The Complete Guide to the Cloud-Native Reverse Proxy A comprehensive deep-dive into Traefik — the modern cloud-native reverse proxy and load balancer. Covers core architecture, Docker auto-discovery with labels, automatic HTTPS via Let's Encrypt, the full middleware ecosystem, routing rules, ForwardAuth and SSO, observability, HTTP/3, and the tips and tricks that make it the go-to proxy for home labs and production Kubernetes clusters alike.
-
Kubernetes Basics: Getting Started with Container Orchestration Learn the fundamental concepts of Kubernetes and how to deploy your first application.