March 2026
Intro
Welcome to the March edition of CloudNative.Now - a monthly newsletter that covers all that has been happening in the cloud native world in the past month!
What. A. Month. Not sure about all of y'all but it's been hectic and full on for me, finalising with a jam-packed week of KubeCon (and then post-conference flu for several days).
I'm so happy that Rejekts was a complete success! The organising team really did pull off some incredible achievements and I'm so proud of all of them. Everyone I've spoken to had an amazing day and things went, more or less, smoothly. It was the perfect event to kick off a week of cloud native conferences on a high note and left me pumped for the rest of KubeCon! We've also got a whole bunch of learnings to take with us for the next one to make it even better! Look out for Salt Lake City!

KubeCon itself was pretty busy - Maintainer Summit, Co-Los and KubeCon proper all took up my time - but the thing I was mainly focussed on was my first ever KubeCon talk on the Wednesday! Me and my dear friend Márk shared our frustrations about the various "Kube Oddities" we've encountered over the years.

Our talk went SO WELL! I'm so happy with it and extremely humbled by all the kind words people have had to say about it. We even had at least a couple people tell us it was their best talk at KubeCon. I'm going to be riding on that high for a while I think!
(Also, hello to the new subscribers that were in our talk)
With KubeCon now behind us I'm hoping for a quieter, more relaxing month ahead. At least once I get over this conference flu. I have a nice holiday booked at the end of next month to relax and recharge so expect April's issue to be a little lighter than normal.
As always, you're invited to subscribe to the email newsletter or add the RSS feed to your favourite feed reader to make sure you don't miss anything! And please help to spread the word and recommend this to your friends and network if you find the content useful!
If you have any feedback or have any links you'd like to suggest please reach out on Bluesky or Mastodon!
News & Articles
- Before You Migrate: Five Surprising Ingress-NGINX Behaviors You Need to Know - Steven Jin
As announced November 2025, Kubernetes has retired Ingress-NGINX this month. Despite its widespread usage, Ingress-NGINX is full of surprising defaults and side effects that are probably present in your cluster today. This blog highlights these behaviors so that you can migrate away safely and make a conscious decision about which behaviors to keep. This post also compares Ingress-NGINX with Gateway API and shows you how to preserve Ingress-NGINX behavior in Gateway API.
- Using Mitmproxy to Observe kubectl Traffic - Scott Lowe
Scott explains how they used mitmproxy to keep an eye on kubectl traffic. This could be useful if you'd like to learn how various kubectl commands map to multiple API calls behind the scenes.
- The Invisible Rewrite: Modernizing the Kubernetes Image Promoter - Sascha Grunert
Every container image you pull from registry.k8s.io got there through kpromo, the Kubernetes image promoter. It copies images from staging registries to production, signs them with cosign, replicates signatures across more than 20 regional mirrors, and generates SLSA provenance attestations. If this tool breaks, no Kubernetes release ships. Over the past few weeks, the team rewrote its core from scratch, deleted 20% of the codebase, made it dramatically faster, and nobody noticed.
- The CRA's unexpected effect on open source - Oliver Thylmann
Giant Swarm breaks down how EU Cyber Resilience Act compliance is pushing more companies to contribute to open source and why it matters.
- Securing Production Debugging in Kubernetes - Shridivya Sharma
Some tips on how to approach debugging issues in production in a secure way.
- Announcing Ingress2Gateway 1.0: Your Path to Gateway API - Beka Modebadze & Steven Jin
A look at how you can make use of the new Ingress2Gateway from SIG-Network to help with your migration away from ingress-nginx. Be aware that it's not a magic fix that does everything for you; not all options have a comparable alternative, and it will warn you in these instances.
- AWS Load Balancer Controller adds general availability support for Kubernetes Gateway API - Alexandra Huides & Zac Nixon
Great news for those on the AWS stack wanting an integrated move to gateway-api. The AWS Load Balancer Controller now officially supports Gateway API.
- Modern BareMetal Provisioning Without PXE - Serhii Ivanov
A look at what modern baremetal provisioning looks like when a system is built for modern server hardware.
- Top 10 Things Not to Do at KubeCon (If You Want to Actually Enjoy It) - Diana Todea
Diana covers all the things not to do while at KubeCon to make the most out of it. Some great advice here to take with you to the next event.
- Kubernetes v1.36 Sneak Peek - Chad Crowell, Kirti Goyal, Sophia Ugochukwu, Swathi Rao & Utkarsh Umre
Kubernetes v1.36 is coming at the end of April 2026. This release will include removals and deprecations, and it is packed with an impressive number of enhancements. Here are some of the features the release team are most excited about in this cycle!
Security
- ⚠️ CVE-2026-3288: ingress-nginx rewrite-target nginx configuration injection - Tabitha Sable
CVSS Rating: 8.8 (HIGH)
A security issue was discovered in ingress-nginx where the nginx.ingress.kubernetes.io/rewrite-target Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
- ⚠️ CVE-2026-4342: ingress-nginx comment-based nginx configuration injection - Tabitha Sable
CVSS Rating: 8.8 (Medium)
A security issue was discovered in ingress-nginx where a combination of Ingress annotations can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
- ⚠️ CVE-2026-3864: CSI Driver for NFS path traversal via subDir may delete unintended directories on the NFS server - Rita Zhang
A vulnerability was discovered in the Kubernetes CSI Driver for NFS where the subDir parameter in volume identifiers was insufficiently validated. Attackers with the ability to create PersistentVolumes referencing the NFS CSI driver could craft volume identifiers containing path traversal sequences (../). During volume deletion or cleanup operations, the driver could operate on unintended directories outside the intended managed path within the NFS export.
- Containers Are Not a Security Boundary - Luca Cavallin
Containers changed how we package and ship software, but they did not rewrite the basic security rules. Trust boundaries, privilege, and attack surface are all still there.
- Variance of defaults - Microk8s RBAC - Rory McCune
Rory takes a look at why MicroK8s ships with RBAC disabled by default (yes, you heard that right!) and Canonical's response.
- Bucketsquatting is (Finally) Dead - Ian Mckay
AWS have finally made changes to prevent people from "bucketsquatting" where they abuse predictable S3 bucket names.
- Trivy Compromised: Everything You Need to Know about the Latest Supply Chain Attack - Rami McCarthy
Trivy are not having a good time right now. They've had their GitHub repo compromised and compromised images published to DockerHub. Aqua have an ongoing investigation you can read up on.
- KubeCon CTF: The Human Viewpoint - Iain Smart
Iain decided to set Claude loose on the Capture the Flag hosted by ControlPlane at KubeCon. It's an interesting read to see what it did and didn't manage to achieve. Overall, 6 of the 8 flags were captured.
- Unpatchable Vulnerabilities of Kubernetes: CVE-2020-8561 - Rory McCune
Rory takes a look at another of Kubernetes' "unpatchable" vulnerabilities - CVE-2020-8561 - and how it works.
Tutorials, Videos & Podcasts
- ingress-nginx is being retired: How to Migrate to Traefik with OAuth2 Proxy - Alexander Hoeft
Step-by-step ingress-nginx to Traefik migration guide covering OAuth2 proxy, ForwardAuth middleware, and GitHub authentication.
- Deep Dive on Pulumi with Scott Lowe - Network Auto Magic
Scott Lowe joins to explore Pulumi as an infrastructure-as-code tool, the IaC competitive landscape, and why network automation is fundamentally harder than cloud automation.
- X-Forwarded-For and proxy protocol with kgateway - NETWAYS Web Services - Daniel Bodky
Configure X-Forwarded-For and Proxy-Protocol with kgateway in Kubernetes: Step-by-step tutorial with Gateway API and OpenStack.
- Cloud Native Rejekts EU 2026
The individual talk recordings are still being worked on but the livestreams from both rooms are available to watch back on YouTube now.
- KubeCon + CloudNativeCon EU 2026
Talks are still slowly being uploaded. Expect to see all the talk recordings here within a couple weeks.
Tools
- Grafana 12.4 release: faster and easier data visualization, observability as code updates, and more
Grafana 12.4 is here, delivering a ton of updates to help you build and design dashboards faster than ever, as well as manage and scale those dashboards seamlessly over time.
- Broadcom donates Velero to CNCF - B. Cameron Gain
Broadcom VMware donates Velero to CNCF sandbox, expands VKS 3.6 with open-source integrations, new CNI options, and QD profiles for AI and database workloads.
- IP66 - Cloud66, Inc.
A free, open IP Geolocation database in MMDB format. Includes ASN, country, and continent data. Updated daily. Licensed under CC BY 4.0.
- k8s-cleaner - Gianluca Mardente
Cleaner is a Kubernetes controller that identifies unused or unhealthy resources, helping you maintain a streamlined and efficient Kubernetes cluster. It provides flexible scheduling, label filtering, Lua-based selection criteria, resource removal or update and notifications via Slack, Webex and Discord. It can also automate cluster operations.
- terrapod - mattrobinsonsre
Open-source Terraform Enterprise replacement.
Events and CFPs
CFPs
- Open Source Summit Korea 2026 - Deadline 26th April
- All Systems Go! 2026 - Deadline 14th June
- EMF Camp - Deadline 16th June
Social Post of the Month

Misc & Fun
- Git's Magic Files - Andrew Nesbitt
Magic files and where to find them: .gitignore, .gitattributes, .mailmap, .git-blame-ignore-revs, .lfsconfig, and more.
- My AI Adoption Journey - Mitchell Hashimoto
I generally don't include AI stuff in this newsletter (too much hype vs. quality) but I found this a really interesting read.
- 5 quick tips for giving better presentations - Phil Nash
Phil has been speaking publicly at developer conferences for over a decade and in that time they've seen plenty of other people giving talks. Some great, practical tips included in here.
- exploding-clusters-online - Tim Hockin
An infrastructure-themed card game inspired by "Exploding Kittens", played in the browser with friends.
Just like the original game, players take turns playing and drawing cards until someone draws an EXPLODING CLUSTER. If they don't have a DEBUG card to defuse it, they explode and are out of the game. The last player with a functional cluster wins!
That's all for this month!
Thank you for reading!
If you enjoyed this post, please spread the word and share with your friends.
~ Marcus