May 2026
Intro
Welcome to the May edition of CloudNative.Now - a monthly newsletter that covers all that has been happening in the cloud native world in the past month!
This month I had the absolute pleasure of giving a talk at Cloud Native Days Romania. It was such a well-run event, with incredible organisers and a truly wonderful local community of people eager to learn.
I was meant to give my Kube-Oddities talk with Márk but unfortunately, the morning of our talk, he woke up with a high fever and was unable to make it. Thankfully we'd worked on both parts of our talk together, so with a few last-minute tweaks I managed to make it work as a solo talk, which seemed to go down quite well. Thank you to everyone that came and to those that I chatted with afterwards.
In the world of tech this month there's been a flurry of CVEs and vulnerabilities that have been keeping me, and plenty of others, quite busy scrambling to get things patched and updated. It seems like now is a really busy time for the folks working in infrastructure security. I hope y'all are getting the rest you need!
As always, you're invited to subscribe to the email newsletter or add the RSS feed to your favourite feed reader to make sure you don't miss anything! And please help to spread the word and recommend this to your friends and network if you find the content useful!
If you have any feedback or have any links you'd like to suggest, please reach out on Bluesky or Mastodon!
News & Articles
- CNCF Ambassador Application
Applications are now open for the new round of CNCF Ambassadors. If you're an active member of the cloud native community who focuses on teaching and sharing knowledge with others, I highly recommend you consider applying. I've been an ambassador for a few years now and have loved it!
- KubeCon + CloudNativeCon Europe 2026 Transparency Report - CNCF
CNCF have released the transparency report from KubeCon Amsterdam this year. Some big numbers in this! KubeCon EU just keeps getting bigger.
- Kloak: kernel-space secret injection via eBPF on Kubernetes - Quentin JOLY
How Kloak intercepts TLS traffic from your pods at the kernel level with eBPF uprobes to inject your secrets transparently, without modifying your applications or deploying a sidecar.
- 5 Things you didn't know about Cilium Network Policies - Christian Hernandez
Not all CNIs are created equal, and many assume that CiliumNetworkPolicies are the same as standard Kubernetes NetworkPolicies. At first glance, they can look similar. In this blog, Christian goes over the top 5 things you may not know about Cilium Network Policies.
- Kubernetes v1.36: Admission Policies That Can't Be Deleted - Anish Ramasekar & Benjamin Elder
If you've ever tried to enforce a security policy across a fleet of Kubernetes clusters, you've probably run into a frustrating chicken-and-egg problem. Your admission policies are API objects, which means they don't exist until someone creates them, and they can be deleted by anyone with the right permissions. There's always a window during cluster bootstrap where your policies aren't active yet, and there's no way to prevent a privileged user from removing them.
- Observability Has a Data Hoarding Problem - Diana Todea
Diana takes a look at a very common pattern: collecting as much observability data as possible "just in case".
- Blocking Copy Fail (CVE-2026-31431) in Kubernetes with Tetragon - Isala Piyarisi
A 732-byte Python script roots every Linux distro since 2017. Kernel patches are still rolling out. Here is how to block it at the syscall level with Tetragon and 22 lines of YAML.
- Kubernetes finally lands user namespace support, but shared kernel problem remains - Kaylin Trychon
User namespaces are here, but true security isolation is still out of reach. Discover why the shared kernel remains a persistent threat.
- Kubernetes v1.36: Server-Side Sharded List and Watch - Jeffrey Ying
As Kubernetes clusters grow to tens of thousands of nodes, controllers that watch high-cardinality resources like Pods face a scaling wall. Every replica of a horizontally scaled controller receives the full stream of events from the API server, paying the CPU, memory, and network cost to deserialize everything, only to discard the objects it is not responsible for. Scaling out the controller does not reduce per-replica cost; it multiplies it.
- Kubernetes v1.36: PSI Metrics for Kubernetes Graduates to GA - Maria Fernanda Romano Silva
Since its original implementation in the Linux kernel in 2018, Pressure Stall Information (PSI) has provided users with the high-fidelity signals needed to identify resource saturation before it becomes an outage. Unlike traditional utilization metrics, PSI tells the story of tasks stalled and time lost, all in nicely-packaged percentages of time across the CPU, memory, and I/O. With the recent release of Kubernetes v1.36, users across the ecosystem have a stable, reliable interface to observe resource contention at the node, pod, and container levels. This post dives into the improvements and performance testing that proved its readiness for production.
- Securing CI/CD for an open source project: lessons from Cilium - André Martins & Feroz Salam
A case study of how Cilium secures its CI/CD pipeline end to end.
- The Engineering Behind the Platform - Dom Goodwin & Ettie Eyre
A nice blog post from my teammates at Monzo on how we approach platform engineering.
- cgroups: From Chaos to Control - David Flanagan
A deep dive into Linux cgroups v1 vs v2: the history, the architecture, and what it means for Kubernetes.
- Zero-Downtime migration from ingress NGINX to Envoy Gateway - Andrew Katsikas
This post covers a case study about a recent migration from Ingress NGINX to Envoy Gateway, covering the reasons behind the choices made and how testing was performed.
- How we replaced Ingress-NGINX at Stack Overflow - Michael Frank
Another post on migrating from Ingress NGINX, this time from Stack Overflow. Lots of details in this one so it's well worth a read.
Security
- Copy Fail: From Unprivileged Pod to Kubernetes Node Root - Clément Nussbaumer
This article covers two complementary paths: the CNI wrapper staging chain, and the fully autonomous operator-SA compromise that eliminates the external trigger dependency. Both are proven on Talos Linux v1.12.4, Cilium v1.18.x, kernel 6.18.9.
- Why every organization should make it easy to report security flaws - Zack Whittaker
Companies make it too challenging to report security bugs and data leaks. Having a dedicated security email address could save your company from a damaging hack.
- Vulnerability Garden
A growing list of named vulnerabilities, attack techniques and exploits. It seems every new exploit discovered these days needs a marketing campaign and fancy name to go with it. This site nicely collects them all.
- Podman rootless containers and the Copy Fail exploit - Gabriel Garrido
This article analyses the implications of the 'Copy Fail' exploit for Podman rootless containers and examines how user namespaces play a role in this specific attack vector. Be sure to take a look at the defence in depth section for mitigations.
- Unpatchable Vulnerabilities of Kubernetes: CVE-2021-25740 - Rory McCune
The final post in Rory's series on "unpatchable" vulnerabilities in Kubernetes. This one looks at how Kubernetes CVE-2021-25740 allows users with EndpointSlice access to redirect traffic via shared ingress and load balancer services.
- Reconciling the Past: Correcting Records for Unfixed Kubernetes CVEs - Pushkar Joglekar & Tabitha Sable
The Kubernetes project relies on transparency to empower cluster administrators and security researchers. One important way they do that is by publishing CVE records into the Common Vulnerabilities and Exposures database. As part of their ongoing effort to mature the official Kubernetes CVE Feed, they have identified some discrepancies. CVE records for a few older, unfixed issues incorrectly include a fixed version field. The Kubernetes Security Response Committee (SRC) will correct the affected CVE records on June 1, 2026. This may result in vulnerability scanners identifying these vulnerabilities in places where they were previously not detected.
Tutorials, Videos & Podcasts
- Klustered: Level One - Rawkode Academy
The cluster is broken. Fix the plumbing to bring the app to life (you'll know it's working when Rawkode taps his watch at you), then ship the v2 image to unlock his victory dance.
- Headlamp: A User-Friendly, Extensible Kubernetes Dashboard - Whitney Lee
Kubectl is enough to run Kubernetes, but not everyone wants to live at the command line. A Kubernetes dashboard can make clusters easier to explore, visualize, and communicate about. Before Headlamp, most Kubernetes UIs were limited in scope and hard to adapt, leaving teams stuck with narrow views or maintaining forks.
Tools
- radar - skyhook-io
Modern Kubernetes visibility. Topology, event timeline, and service traffic, plus resource browsing and Helm management.
- pii-shield - aragossa
Zero-code K8s sidecar for log sanitization. Detects secrets via Entropy Analysis, preserves JSON integrity, and redacts PII deterministically.
- crossview - crossplane-contrib
A standard Crossplane UI dashboard.
- Helm v3.21.0 - helm
Helm v3 is approaching end-of-life. Please update to Helm v4 when possible.
- Announcing etcd 3.7.0-beta.0 - SIG-etcd Leads
SIG-etcd announces the availability of the first beta release of etcd v3.7.0. This new version of the popular distributed database and key Kubernetes component includes the long-requested RangeStream feature, as well as a refactoring and cleanup of multiple legacy components and interfaces.
- agent-sandbox - kubernetes-sigs
agent-sandbox enables easy management of isolated, stateful, singleton workloads, ideal for use cases like AI agent runtimes.
Events and CFPs
Events
- KubeCon + CloudNativeCon Japan - July 28th – 20th
I'm going to be attending KubeCon Japan for the first time this year and I CANNOT WAIT. I'm so excited as it will also be my first time in Asia.
If you're interested in joining me, I have a 25% discount you can use on tickets: KCJP26AMFR25
- KCD Sofia 2026 - September 29th
I heard SO MANY good things about KCD Sofia last year and was really sad not to have been able to go. That's why I'm SUPER EXCITED to have been invited to host this year!
Early bird tickets are still available but they are sure to go fast, so don't miss out!
CFPs
- Cloud Native Days Poland 2026 - Deadline 1st June
- KCD SF Bay Area 2026 - Deadline 14th June
- Open Source Summit + Embedded Linux Conference Europe 2026 - Deadline 24th June
- KCD Porto x DevOps Days Portugal 2026 - Deadline 15th July
Social Post of the Month
Misc & Fun
- From Builder to Architect - Adriana Villela
Adriana very nicely sums up a lot of thoughts I've been having lately around AI and our industry and what the future holds.
Feedback Form
That's all for this month!
Thank you for reading!
If you enjoyed this post, please spread the word and share with your friends.
~ Marcus