September 2025

Intro
Welcome to the September edition of CloudNative.Now - a monthly newsletter that covers all that has been happening in the cloud native world in the past month!
It's been a busy week for me. Not only have I been busy with my first month at Monzo, I was also in Hamburg for a week while giving a talk at ContainerDays.
With all that, and the Bitnami Helm chart mess, I didn't end up having the time to do the upgrade and tweaks to this newsletter that I mentioned last month. Ah well. There's no rush. (I did have my first couple of paid members sign up last month! THANK YOU!)
As always, you're invited to subscribe to the email newsletter or add the RSS feed to your favourite feed reader to make sure you don't miss anything! And please help to spread the word and recommend this to your friends and network if you find the content useful!
If you have any feedback or have any links you'd like to suggest please reach out on Bluesky or Mastodon!
News & Articles
- Kubernetes v1.34
Following the release of Kubernetes v1.34 last month there have been several posts highlighting the new changes:
- Pod Level Resources Graduated to Beta - Dixita Narang
This significant milestone introduces a new layer of flexibility for defining and managing resource allocation for your Pods.
- Finer-Grained Control Over Container Restarts - Yuan Wang
This feature, named Container Restart Policy and Rules, allows you to specify a restart policy for each container individually, overriding the Pod's global restart policy. In addition, it also allows you to conditionally restart individual containers based on their exit codes.
- DRA has graduated to GA - The DRA team
Kubernetes 1.34 has brought a huge wave of enhancements for Dynamic Resource Allocation (DRA)!
- Snapshottable API server cache - Marek Siarkowicz
With each release, we've chipped away at the problem, and today, we're thrilled to announce the final major piece of this puzzle.
- Use An Init Container To Define App Environment Variables - HirazawaUi
The valueFrom field now supports pointing to a file contained on a volume, such as an emptyDir populated by an initContainer.
- How our Edge Kubernetes Platform has Evolved - Zack Smith
A detailed look at how the Chick-fil-A platform has evolved over the years.
- Investigating and fixing "StopPodSandbox from runtime service failed" Kubelet errors - Marcus Noble
A shameless plug from myself - I investigate and resolve a bunch of Kubelet error logs that stem from my CRI being unable to clean up an old, deleted pod.
- Using systemd-nspawn containers as KubeEdge edge nodes - Simon Weald
How Simon is using systemd-nspawn containers as throwaway edge nodes for testing KubeEdge.
- How Maintainer Burnout Is Causing a Kubernetes Security Disaster - Steven J. Vaughan-Nichols
Without more support, the open source project is in a heap of trouble, which means Kubernetes is facing a potential security disaster.
- 2025 State of Internal Developer Portals - Port
Port's second annual report on the state of internal developer portals dives deeper into the challenges engineering teams face and why they look towards platform engineering best practices as a way to overcome these challenges.
- Kubernetes CPU Limits and Go - William Kennedy
An old article recently updated with all the latest information. Always worth brushing up on.
- Using Kyverno to Enforce Minimal Base Images - Neil Carpenter
Secure Kubernetes deployments with Kyverno by enforcing Minimus minimal base images, reducing vulnerabilities and improving compliance.
- Tesco Sues Broadcom Over £100M Software Dispute - Rihem Akkouche
More Broadcom drama. This time UK superstore Tesco is getting into the fight.
- Why the Frontend Should Embrace Platform Engineering - Loraine Lawson
A look at how platform engineering on the frontend can speed development while maintaining the entire web dev technology stack.
Security
- CVE-2025-55190: Project API Token Exposes Repository Credentials
Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets.
- CVE-2020-8562: Bypass of Kubernetes API Server proxy
A security issue was discovered in Kubernetes where an authorized user may be able to access private networks on the Kubernetes control plane components. Kubernetes clusters are only affected if an untrusted user can create or modify Node objects and proxy to them, or an untrusted user can create or modify StorageClass objects and access KubeControllerManager logs.
- Beyond the surface - Exploring attacker persistence strategies in Kubernetes - Rory McCune
Rory has been doing a talk on Kubernetes post-exploitation for a while now and has finally got around to writing it up in blog form. Well worth a read and I also highly recommend watching a recording of the talk - it's one of my recent favourites.
- Expanding Chainguard VMs: Zero-CVE Application & Base Virtual Machine Images for Cloud and On-Prem - Mark Baker & Anushka Iyer
Chainguard VMs is expanding with new Application and Base VM Images, giving teams a secure, zero-CVE foundation to build and innovate faster.
- Breaking Boundaries - Kubernetes Namespaces and multi-tenancy - Iain Smart
This post aims to serve as both a collection of attack paths to watch out for when reviewing Kubernetes clusters, but also as a reference to point at when people claim that multi-tenancy is easy.
- Kubernetes Escape Room
A tool that analyzes Kubernetes Pod manifests to identify potential container escape vulnerabilities and provides security recommendations for mitigation.
- From suspicion to published curl CVE - Daniel Stenberg
An in-depth look at the process that goes on behind every security report that is submitted to curl.
Tutorials, Videos & Podcasts
- Observability for Platform Engineering - Platform Engineering University
A free, on-demand course covering the introduction to observability for platform engineers. Learn to simplify telemetry, navigate open-source solutions, and enforce effective observability practices.
- Solving Kubernetes Multi-tenancy Challenges with vCluster - Fabian Brundke
A walkthrough on leveraging vCluster to provide multi-tenant Kubernetes clusters.
- The business value of developer relations, devrel history, plus more stuff, with Mary Thengvall - Software Defined Talk
In this episode, Whitney and Coté chat with Mary Thengvall, exploring the development and significance of Developer Relations (devrel) over the years.
- Cluster API + Proxmox = Local Kubernetes Magic! (Step-by-Step Tutorial) - Is it Observable
This episode is a deep dive into automating Kubernetes cluster creation using Cluster API (CAPI) on a Proxmox base.
- Beyond Standard Kubernetes: Why Argo Rollouts Is a Game-Changer - Whitney Lee
In this episode of Thunder, Whitney Lee talks with Nicholas Morey about Argo Rollouts: a CNCF project that is a controller and set of CRDs that bring progressive delivery to Kubernetes.
- Episode 111: Beyond Orchestration: CNCF's Past, Present and Future - Jan Stomphorst
Chris explains that Kubernetes is much more than just a container orchestrator. Thanks to extensions and CRDs, it is increasingly seen as the "Linux of the cloud".
Tools
- Announcing the OPA Control Plane - open-policy-agent
The Open Policy Agent team have announced OPA Control Plane (OCP) as a new OPA subproject. OCP simplifies how you manage policies for your OPA deployments and provides a centralized management system.
- yaml/go-yaml: The YAML org maintained fork - yaml
The YAML org maintained fork of https://github.com/go-yaml/yaml now that the original project is archived.
Events and CFPs
Events
- Cloud Native Rejekts NA 2025 - 4th November, 2025
Tickets are now available for Rejekts NA, and they're FREE!
- OpenSourceSummit Korea - 4th to 5th November, 2025
The schedule for OpenSourceSummit in Korea is now available.
- Announcing H1 2026 KCDs
The KCDs scheduled for the first half of 2026 have been announced by the CNCF. This year will include 5 new locations!
If you're looking to organise a KCD for the second half of 2026, the applications open in December.
CFPs
- KubeCon + CloudNativeCon Europe 2026 - Deadline 12th October
- Voxxed Days CERN 2026 - Deadline 21st October
- Container Days London - Deadline 31st October
- KubeCon EU Co-located Events - Deadline 2nd November
Social Post of the Month

Misc & Fun
- Not a Robot - Neal
Really prove that you're not a robot with a series of increasingly difficult captchas you need to solve. I only made it as far as the maths one.
- Messenger
It's a small planet, but someone's gotta make the deliveries. A very cute realtime game, all in the browser.
Feedback Form
That's all for this month!
Thank you for reading!
If you enjoyed this post, please spread the word and share with your friends.
~ Marcus