April 2026
👋 Intro
Welcome to the April edition of CloudNative.Now - a monthly newsletter that covers all that has been happening in the cloud native world in the past month!
This month I took a long overdue holiday to beautiful Prague. No work, no conferences, no computers - just myself, rest and relaxation. It was lovely! The weather was great and the city was amazing. It’s been a stressful year for me so far and this was exactly what I needed, I really need to prioritise resting more.
But while I was away forgetting all about computers the cloud native world kept busy. Today’s newsletter is filled with lots of updates from the past month, including the latest Kubernetes major release!
Next month I’ll be speaking at Cloud Native Days Romania (take a look below for a discount code 😉) in wonderful Bucharest. After that I’ve got a trip to Japan planned that will coincide with both KubeCon Japan (again, discount code below) and my birthday. I’m so excited, I’ve never been to Asia before. If anyone has any tips I’d love to hear them!
As always, you’re invited to subscribe to the email newsletter or add the RSS feed to your favourite feed reader to make sure you don’t miss anything! And please help to spread the word and recommend this to your friends and network if you find the content useful! 💙
If you have any feedback or have any links you’d like to suggest please reach out on Bluesky or Mastodon! 💬
📰 News & Articles
- Kubernetes v1.36: ハル (Haru) - Chad M. Crowell, Kirti Goyal, Sophia Ugochukwu, Swathi Rao & Utkarsh Umre
Similar to previous releases, the release of Kubernetes v1.36 introduces new stable, beta, and alpha features. This release consists of 70 enhancements. Of those enhancements, 18 have graduated to Stable, 25 are entering Beta, and 25 have graduated to Alpha. Some feature specific posts from this release:
- Live migrating hundreds of Kubernetes clusters to Cluster API - Giant Swarm
Giant Swarm replaced a custom-built cluster management system with Cluster API. Here's what the migration took, what broke, and what was learned. This blog post is based on a talk given by Joe Salisbury at KCD UK.
- Kubernetes 1.36: Deep dive into new alpha features | Tech blog | Palark - Kirill Kononovich
The Kubernetes v1.36 release (April 2026) introduces 20 new alpha features. Learn about these changes and motivation behind them.
- Tell HN: Docker pull fails in Spain due to football Cloudflare block - Hacker News
This was unexpected and not fun for those impacted.
- Moving Beyond “Supports OpenTelemetry”: Why There’s a Need for a Shared Maturity Model - Kasper Borg Nissen
"Supports OpenTelemetry" means something different for every project. In this post, Kasper looks at why the ecosystem needs a shared maturity model to help projects mature their integrations, for the benefit of both users and maintainers.
- KubeCon EU 2026: Top 5 Highlights and Trends - Artem Lajko
Explore the top 5 KubeCon EU 2026 highlights, from Agentic AI and GPU sharing to digital sovereignty and the CRA.
- ingress-nginx to Envoy Gateway migration on CNCF internal services cluster - Koray Oksay
CNCF hosts a Kubernetes cluster to run some services for internal purposes (namely; codimd, GUAC, kcp). This post looks at how the team at CNCF handled the migration from ingress-nginx on that cluster.
- Kairos, the immutable OS for deploying Kubernetes - Quentin JOLY
Kairos is an interesting alternative to Talos for deploying Kubernetes clusters on immutable systems based on classic Linux distributions. Discover how to use it to automate your Kubernetes deployments.
- How GitHub uses eBPF to improve deployment safety - Lawrence Gripper & Aleksey Levenstein
Learn how GitHub uses eBPF to detect and prevent circular dependencies in its deployment tooling.
- Journey of Zone Aware Traffic - Sandor Szücs
Sandor shares details of their steps to support zone aware traffic in their Kubernetes infrastructure.
- Controller-Runtime: The Manager - Ghaith Gtari
A deep dive into the Manager component of the controller-runtime library.
- You're probably still paying for a VMware licence you no longer need - Manuel Gawert
Still renewing a six-figure VMware license? If your workloads run on Kubernetes, you may be paying for a layer you no longer need.
- SELinux Volume Label Changes goes GA (and likely implications in v1.37) - Jan Šafránek & Swathi Rao
If you run Kubernetes on Linux with SELinux in enforcing mode, plan ahead: a future release (anticipated to be v1.37) is expected to turn the SELinuxMount feature gate on by default. This makes volume setup faster for most workloads, but it can break applications that still depend on the older recursive relabeling model in subtle ways (for example, sharing one volume between privileged and unprivileged Pods on the same node).
🔒 Security
- ⚠️ CVE-2026-3865: CSI Driver for SMB path traversal via subDir may delete unintended directories on the SMB server - Vinayak Goyal
A vulnerability was discovered in the Kubernetes CSI Driver for SMB where the subDir parameter in volume identifiers was insufficiently validated. Attackers with the ability to create PersistentVolumes referencing the SMB CSI driver could craft volume identifiers containing path traversal sequences (../). During volume deletion or cleanup operations, the driver could operate on unintended directories outside the intended managed path within the SMB export.
- Unpatchable Vulnerabilities of Kubernetes: CVE-2020-8562 - Rory McCune
Another in Rory's fantastic series looking at "unpatchable" Kubernetes CVEs, this time looking at how Kubernetes CVE-2020-8562 allows attackers to bypass API server proxy protections using DNS rebinding.
- The Social Engineering Playbook Attackers Use to Target OSS Maintainers - Jenn Gile
Account takeovers are some of the most harmful malware campaigns. Many start by compromising a maintainer account through social engineering.
- Securing GitHub: Wiz Research uncovers Remote Code Execution in GitHub.com and GitHub Enterprise Server (CVE-2026-3854) - Sagi Tzadik
Wiz Research uncovered a critical vulnerability (CVE-2026-3854) in GitHub's internal git infrastructure that could have affected both GitHub.com and GitHub Enterprise Server. By exploiting an injection flaw in GitHub's internal protocol, any authenticated user could execute arbitrary commands on GitHub's backend servers with a single git push command - using nothing but a standard git client.
🧑‍🏫 Tutorials, Videos & Podcasts
- 📺 OpenFGA: Relationship-Based Authorization at Scale - Whitney Lee
Most applications handle authorization by checking roles at runtime or gathering attributes from a database right when access is needed. The first approach is too coarse. The second doesn't scale.
OpenFGA takes a different path: store relationships as they happen, so when someone tries to access something, the answer is already there. Whitney Lee and Raghd Hamzeh, Senior Software Engineer at Auth0, trace how this works and why it matters for sharing, auditability, and keeping authorization logic out of your application code.
- 🎙️ KubeCon EU 2026 Review - DevOps Paradox
Kubernetes is boring now. That’s the whole point. KubeCon EU 2026 in Amsterdam – likely the biggest KubeCon ever at more than 13,000 attendees – made one thing extremely clear: the container orchestrator is done being interesting on its own. Every keynote, every new sandbox project, every vendor announcement pointed the same direction. AI. Inference. Agents.
- 🎙️ Platform as a Product: Why Internal Platforms Fail (and How to Fix Them) with Abby Bangser - Dash0
Abby Bangser, founding principal engineer at Syntasso and co-author of “Platform as a Product,” joins Kasper Borg Nissen to unpack why most internal platforms struggle, and what it means to treat them like products.
- Ingress NGINX is EOL: A practical guide for migrating to Kubernetes Gateway API - David Lentz
Migrate from Ingress NGINX to Gateway API with a step-by-step approach, including validation, traffic shifting, and monitoring to avoid regressions.
- Containers Are Not Magic: Namespaces From Scratch - Vedant
Build a container, from scratch, using Go.
🧰 Tools
- Terragrunt Release v1.0.0 - gruntwork-io
Terragrunt is now v1! This means that Terragrunt will no longer have any breaking changes in minor releases, with all future breaking changes taking place in (infrequent) future major releases.
- Launching S3 Files, making S3 buckets accessible as file systems | Amazon Web Services - Sébastien Stormacq
Amazon S3 Files makes S3 buckets accessible as high-performance file systems on AWS compute resources, eliminating the tradeoff between object storage benefits and interactive file capabilities while enabling seamless data sharing with ~1ms latencies.
- kdash - kdash-rs
A simple terminal dashboard for Kubernetes built with Rust.
- Cluster API Plugin for Headlamp - headlamp-k8s
The Cluster API Plugin for Headlamp adds dedicated UI views for all core Cluster API resources to your Headlamp dashboard. You can browse clusters, inspect machines, track control plane health, scale deployments, and observe the full CAPI object graph — all without leaving the browser.
- kubectl-snapshot - whtssub
A kubectl cli tool that takes a point-in-time snapshot of your cluster state and packages it into a diffable bundle for debugging, audits, and incident reviews.
🎤 Events and CFPs
Events
- 🇷🇴 Cloud Native Days Romania - 18th - 19th May
I'll be speaking here next month. If you're interested in attending I have a 40% discount code for y'all - CLN26
- 🇯🇵 KubeCon + CloudNativeCon Japan - 29th - 30th July
I plan to attend KubeCon Japan for the first time ever this year and CANNOT WAIT. If you'd like to join me I have a 25% off with code you can use - KCJP26AMFR25
CFPs
- 🇺🇸 KubeCon + CloudNativeCon NA 2026 - Deadline 31st May
- 🇳🇴 Cloud Native Days Norway - Deadline 1st June
- 🇬🇧 KCD UK Edinburgh 2026 - Deadline 8th June
- 🇩🇰 Cloud Native Denmark 2026 - Deadline 14th June
- 🇳🇱 Dutch Cloud Native Day 2026 - Deadline 21st June
🤷 Misc & Fun
- Kuberoke and the Art of Keeping It Real - Lian Li
Lian shares her thoughts on Kuberoke and what it means to her and the community.
That's all for this month!
Thank you for reading! 💙
If you enjoyed this post, please spread the word and share with your friends.
~ Marcus 👋