Learn Kubernetes Weekly issue 133

Writing my own Kubernetes, Scaling VMs in Kubernetes, API Server Proxy, CVE-2024-10220, Exploit me, baby, one more time

28 May 2025

This newsletter is brought to you by Fairwinds — expert-led, fully managed Kubernetes that frees your engineers from infrastructure headaches and puts you on the fast track to production-grade success.

  1. A journey of writing my own Kubernetes

    Jonatan Ezron

    This article walks through a reimplementation of Kubernetes written in Go, using etcd and containerd together with a custom kubelet, API server, and kube-proxy.

    It creates pods, services, and endpoints, and manages networking by manipulating iptables rules directly.

  2. In-House Kubernetes vs. Managed Kubernetes-as-a-Service

    Spending more time managing Kubernetes than building your product? You’re not alone.

    Explore the pros and cons of "build vs. buy" to find the right fit for your team.

    sponsored

  3. Scaling Virtual Machines in Kubernetes Clusters: Insights for Kubernetes Applications

    Martijn Schuman

    This study benchmarks Vultr-based clusters with k6 to compare Regular, AMD EPYC, and Intel Xeon node pools under synthetic load.

    Results show Intel nodes achieve the highest stability and RPS, and a 1:1 pod:vCPU ratio ensures optimal performance.

  4. Exploring the Kubernetes API Server Proxy

    raesene

    The Kubernetes API server includes an HTTP proxy that allows authorized users to access pods, nodes, and external hosts from the cluster network.

    With proxy and node rights, attackers can SSRF into the API server or override pod IPs to exfiltrate data.

  5. CVE-2024-10220: Attack and Defense

    Filip Žagar

    This analysis details how the deprecated gitRepo volume type in Kubernetes enables a root-level container escape: a fake bare repository injects a Git hook that runs when the kubelet clones the repo with its default behaviour.

  6. Exploit me, baby, one more time: command injection in Kubernetes Log Query

    Tomer Peled

    This article breaks down a critical RCE flaw in Kubernetes Log Query.

    Attackers could inject PowerShell commands through unvalidated pattern input, leading to SYSTEM-level access on Windows nodes.

Articles worth checking out:

Kubernetes Best Practices in 2025

A strong cloud native foundation starts with Kubernetes done right.

Avoid pitfalls, implement smart policies, and unlock the full value of Kubernetes with these best practices.

Learn more about the Kubernetes best practices in 2025

  1. Chaos testing a Postgres cluster managed by cloud-nativepg

    Nikolay Sivko

    This article tests Postgres HA under chaos in Kubernetes using CloudNativePG for DB management and Coroot for full-stack observability.

    It simulates CPU noise, query locks, and pod kills, showing how eBPF + pg_stat reveal root cause.

  2. Discover How Fathom Transformed Infrastructure and Deployment Speed

    Fathom partnered with Fairwinds to streamline its AWS infrastructure and move to Kubernetes. The result?

    Faster deployments, fewer incidents, and more time for innovation—enabling their small team to operate more efficiently at scale.

    sponsored

  3. Scaling under pressure: Chaos Mesh stress tests on EKS auto mode

    Miguel Ángel Chuecos

    This chaos engineering experiment simulates resource spikes on EKS Auto Mode using Chaos Mesh, NGINX, and HPA.

    It shows how Karpenter scales nodes dynamically under CPU stress, respects anti-affinity, and reclaims resources post-load to optimize cost.

  4. Istio Gateways and VirtualServices: Locally Exposing Kubernetes Services Made Easy

    Joseph Whiteaker

    The article details using Istio Gateways and VirtualServices to expose Kubernetes services locally, enabling shared gateways with TLS.

    This decouples networking from app code, simplifying traffic management in dev environments.

  5. Exploring Istio: The power of service mesh in Kubernetes

    Blogs4devs

    Learn how to use Istio, a service mesh, to manage microservices in Kubernetes.

    This article covers traffic control, mTLS security, and observability with Kiali, Prometheus, and Jaeger, using a Garage Management System as a practical example.

    • Software Engineer with Hootsuite

    • Salary: CA$80.7K to CA$113.1K a year

    • Location: remote from Canada, the United States

    • Tech stack: Kubernetes, Docker, Go, JavaScript, Java, Scala, PHP, Mongo, MySQL

    • Site Reliability Engineer with SpaceX

    • Salary: $120K to $170K a year

    • Location: based in the office in Hawthorne, CA, USA

    • Tech stack: Kubernetes, On-premise, Docker, Go, Shell, Python, C++, C, Terraform, Ansible

    • Data Engineer with Black Canyon Consulting

    • Salary: $115K to $150K a year

    • Location: remote from the United States

    • Tech stack: Kubernetes, AWS, Azure, GCP, Anthos, ArgoCD, Docker, Python, C++, Spark

    • Software Engineer with CookUnity

    • Salary: $150K to $165K a year

    • Location: remote from the United States

    • Tech stack: Kubernetes, AWS, On-premise, Docker, JavaScript, GraphQL, TypeScript, Kotlin, Redis, PostgreSQL

    • Software Engineer with ClickHouse

    • Salary: $118K to $209.5K a year

    • Location: remote from the United States

    • Tech stack: Kubernetes, AWS, Azure, GCP, Go, SQL, Terraform, GitLab

Discover more Kubernetes jobs on Kube Careers →

  1. The Bare Metal Operator

    The Bare Metal Operator implements a Kubernetes API for managing bare metal hosts.

    It maintains an inventory of available hosts as instances of the BareMetalHost Custom Resource Definition.

  2. Lazy-Pull OCI Images

    containerd

    Stargz Snapshotter is a containerd plugin enabling lazy pulling of eStargz-formatted OCI images.

    It fetches image data on demand, reducing startup time by avoiding full-image pre-pulls.

  3. Kubernetes History Inspector: Interactive Timeline Debugging

    GoogleCloudPlatform

    Kubernetes History Inspector (KHI) turns raw Kubernetes logs into a visual, filterable timeline.

    It correlates multi-type logs, diffs resource states, and shows topology.

  4. Freelens: Cross-Platform GUI for Kubernetes Cluster Management

    freelensapp

    Freelens is a cross-platform GUI for managing Kubernetes clusters.

    It bundles kubectl/Helm, supports kubeconfig, and runs on macOS, Linux, and Windows.

  5. Helm-mapkubeapis: Fix Deprecated APIs in Helm Releases

    mapkubeapis is a Helm v3 plugin that updates, in place, the metadata of Helm releases that reference deprecated or removed Kubernetes APIs, writing a new release version that uses supported APIs instead.


Upcoming Kubernetes events

  1. 29 May: Kubernetes Topics Trends

    Online webinar organized by Learnk8s.

    • This is a virtual event.

    • This is a free event.

  2. 2 June: Docker vs. Podman & Development of Spegel, a stateless OCI registry mirror for clusters

    In-person meetup organized by Cloud Native Nürnberg.

    • Location: Nürnberg, DE

    • This is a free event.

  3. 4 June: Kubernetes Community Days New York 2025

    In-person conference organized by KCD New York.

    • Location: New York, NY, USA

    • This event requires an entrance fee.

      • Use LEARNK8S to get 10% off

  4. 5 June: Kubernetes Community Days Czech & Slovak 2025

    In-person conference organized by KCD Czech & Slovak.

    • Location: Bratislava, SK

    • This event requires an entrance fee.

  5. 26 June: Advanced Kubernetes course

    Online workshop organized by Learnk8s.

    • This is a virtual event.

    • This event requires an entrance fee.

Discover more Kubernetes events on Kube Events →

Kubernetes Call for Papers

  1. Cloud Native Days Austria (CFP expired)

    The Call for Papers was open until 31 May 2025 (UTC). More info →

    • Location: Vienna, AT

    • In-person conference organized by CNDA Austria.

    • The conference starts on 8 October 2025.

    • Apply here

  2. Cloud Native Denmark 2025 (CFP expired)

    The Call for Papers was open until 16 June 2025 (UTC). More info →

    • Location: Aarhus, DK

    • In-person conference organized by CND.

    • The conference starts on 17 April 2025.

    • Apply here

  3. Kubernetes Community Days Porto 2025 (0 days left)

    The Call for Papers is open until 30 June 2025 (UTC). More info →

    • Location: Porto, PT

    • In-person conference organized by KCD Porto.

    • The conference starts on 4 November 2025.

    • Apply here

  4. Kubernetes Community Days Warsaw 2025 (CFP expired)

    The Call for Papers was open until 16 June 2025 (UTC). More info →

    • Location: Warsaw, PL

    • In-person conference organized by KCD Warsaw.

    • The conference starts on 9 October 2025.

    • Apply here

  5. Kubernetes Community Days UK Edinburgh 2025 (CFP expired)

    The Call for Papers was open until 9 June 2025 (UTC). More info →

    • Location: Edinburgh, UK

    • In-person meetup organized by KCD UK.

    • The meetup starts on 21 October 2025.

    • Apply here

  6. Texas Linux Festival 2025 (34 days left)

    The Call for Papers is open until 3 August 2025 (UTC). More info →

    • Location: Austin, TX, USA

    • In-person conference organized by TXLF.

    • The conference starts on 4 October 2025.

    • Apply here

  7. Devopsdays Tel Aviv (CFP expired)

    The Call for Papers was open until 15 June 2025 (UTC). More info →

    • Location: Tel Aviv, IL

    • In-person conference organized by Devopsdays.

    • The conference starts on 11 December 2025.

    • Apply here

  8. Open Source Summit Japan 2025 (35 days left)

    The Call for Papers is open until 4 August 2025 (UTC). More info →

    • Location: Tokyo, JP

    • In-person conference organized by Linux Foundation.

    • The conference starts on 10 December 2025.

    • Apply here

  9. Devopsdays Dallas (CFP expired)

    The Call for Papers was open until 2 June 2025 (UTC). More info →

    • Location: Dallas, TX, USA

    • In-person conference organized by Devopsdays.

    • The conference starts on 17 September 2025.

    • Apply here

Until next time!

— Dan

Subscribe and, every Wednesday, receive the latest Kubernetes news!
