Best of Kubernetes, December 2025

  1. Article
    InfoWorld · 20w

    Seven coding domains no developer really understands

    Explores seven notoriously difficult programming concepts that most developers struggle with, including complex boolean expressions, multithreading and concurrency, floating point math, Kubernetes configuration, Unicode character encoding, time zones and Daylight Saving Time, and regular expressions. The piece acknowledges the complexity inherent in software development and how developers often rely on copying solutions or pretending to fully understand these challenging areas.

  2. Article
    ByteByteGo · 19w

    How DoorDash Moved to a Service Mesh to Handle 80M Requests/Second

    DoorDash experienced a platform-wide outage in 2021 caused by cascading failures in their microservices architecture. The payment service's high latency triggered retry storms that overwhelmed dependent services. This incident exposed inconsistent reliability patterns across their 1,000+ microservices. The engineering team responded by implementing a custom service mesh using Envoy as the data plane, rejecting both Istio (too complex) and Linkerd2 (insufficient features). They built a minimal control plane focused on adaptive concurrency, outlier detection, and traffic metrics. Starting with an MVP using file-based configuration and canary deployments, they gradually evolved to include zone-aware routing, header-based routing, and distributed tracing. The system now handles 80M requests/second across 2,000 Kubernetes nodes, with automated onboarding reducing migration time from days to under an hour.

  3. Article
    GitLab · 20w

    Deploying the world's largest GitLab instance 12 times daily

    GitLab deploys code to GitLab.com up to 12 times daily using their own CI/CD platform, handling millions of developers without downtime. The deployment pipeline uses progressive rollouts through staging and production Canary environments (5% traffic), followed by full staging and production deployments. Key technical challenges include managing hybrid infrastructure (Helm charts for containers, Omnibus packages for Gitaly), handling database migrations with backward compatibility, and maintaining multi-version compatibility during deployments. The expand-migrate-contract pattern ensures safe schema changes, while post-deploy migrations run only after multiple successful deployments to minimize rollback risks. This approach validates GitLab's deployment features at massive scale before customers use them.

  4. Article
    InfoQ · 17w

    Decathlon Switches to Polars to Optimize Data Pipelines and Infrastructure Costs

    Decathlon migrated data pipelines processing small to mid-size datasets (under 50 GiB) from Apache Spark clusters to Polars running on single Kubernetes pods. The switch reduced compute launch time from 8 to 2 minutes and significantly lowered infrastructure costs. Polars' streaming engine enables processing datasets larger than available memory on modest hardware. The team now uses Polars for new pipelines with stable, smaller input tables that don't require complex joins or aggregations, while keeping Spark for terabyte-scale workloads. Challenges include managing Kubernetes infrastructure and limitations with certain Delta Lake features.

  5. Article
    Mercari Engineering · 19w

    Enhancing Developer Experience through Mercari’s Unified Platform Interface

    Mercari built Single Front Door (SFD), a unified platform interface that consolidates multiple developer tools and workflows into a single entry point. The system uses Argo Workflows to execute GitOps operations through CLI or AI-powered IDE integrations via Model Context Protocol. Key technical challenges included implementing OAuth-based credential management to maintain proper access control at scale, and configuring IAM with Kubernetes RBAC for secure access to external services like GCP and GitHub. The platform aims to become a modular workflow engine with reusable building blocks for infrastructure provisioning, service configuration, and CI/CD operations.

  6. Article
    CNCF · 19w

    Building microservices the easy way with Dapr

    Dapr is a CNCF graduated project that simplifies microservices development by providing a sidecar runtime that handles distributed system concerns like messaging, pub-sub, service communication, storage, and secrets management. Built with observability in mind, Dapr automatically propagates traces and metrics across asynchronous and synchronous systems without requiring manual instrumentation. Recent additions include workflow orchestration, AI/LLM integration through a Conversation API, and Dapr Agents for durable autonomous workflows. The project was open source from inception, joined CNCF as an incubating project in 2021, and graduated in October 2024 with thousands of contributors from hundreds of organizations.

  7. Article
    JetBrains · 19w

    GoLand 2025.3 Is Out!

    GoLand 2025.3 introduces on-the-fly resource leak detection to catch unclosed files and connections, a bundled Terraform plugin with syntax highlighting and code completion, and multi-agent AI support with Claude Agent and Junie. The release includes Kubernetes deployment improvements with in-editor secret management and port forwarding, single-file editing without project setup, and golangci-lint formatting support enabled by default. Performance enhancements reduce memory warnings and improve indexing for large projects, while the new Islands theme becomes the default UI.

  8. Article
    Neon · 20w

    Improving DNS performance with NodeLocalDNS

    Neon deployed NodeLocalDNS across their Kubernetes clusters to optimize DNS performance for hundreds of thousands of ephemeral Postgres databases. By caching DNS requests locally on each node instead of routing them to central CoreDNS pods, they achieved an 84% reduction in 99th percentile latency and 87% improvement in 99.9th percentile latency. The deployment reduced network DNS traffic by 97% (from 2k to 60 requests/s), made traffic scale with nodes rather than pods, and unexpectedly helped identify DNS misconfigurations. The implementation required careful sequencing to avoid race conditions between kube-proxy and the DaemonSet, particularly on nodes with slow iptables rule installation.

  9. Article
    The Hacker News · 18w

    React2Shell Exploitation Escalates into Large-Scale Global Attacks, Forcing Emergency Mitigation

    CISA has accelerated the patching deadline for React2Shell (CVE-2025-55182), a critical vulnerability with a CVSS score of 10.0 affecting React Server Components and frameworks like Next.js. The flaw allows unauthenticated remote code execution through unsafe deserialization. Since disclosure on December 3, 2025, threat actors have conducted widespread exploitation with over 35,000 attempts recorded in a single day, targeting government sites, critical infrastructure, and technology companies. Over 137,000 vulnerable IP addresses remain exposed globally, with attackers deploying cryptocurrency miners, botnet malware, and conducting reconnaissance for supply chain attacks.

  10. Video
    TechWorld with Nana · 16w

    From Non IT to Lead DevOps Engineer | The Exact Roadmap

    A civil engineer from Nigeria transitioned to a Lead DevOps Engineer role in the UK within 9 months through structured learning, strategic career planning, and hands-on practice. Starting with zero IT experience while working retail night shifts and facing visa pressure, he chose DevOps for its high salary threshold enabling visa sponsorship. After scattered learning attempts, he enrolled in a structured DevOps bootcamp, passed the CKA certification, and built comprehensive projects demonstrating integrated tool knowledge. His deep conceptual understanding of CI/CD optimization, Docker layer caching, and Kubernetes fundamentals helped him excel in technical interviews. He negotiated between two offers, choosing the role with modern tech stack (Kubernetes, Terraform, Ansible) over legacy tools, resulting in 25% higher salary. On the job, he immediately added value by building production Kubernetes clusters from scratch and implementing security scanning pipelines, earning a 10% raise within his first year.

  11. Article
    Zalando · 17w

    Contributing to Debezium: Fixing Logical Replication at Scale

    Zalando contributed two features to Debezium to solve WAL growth issues in PostgreSQL logical replication at scale. The first contribution introduced an opt-in `lsn.flush.mode` configuration to prevent WAL accumulation on low-activity databases. The second added `offset.mismatch.strategy` to handle conflicts between stored offsets and replication slot positions, enabling safer operation with durable offset stores. These features allow users to trust the replication slot position when appropriate, preventing unnecessary full re-syncs and enabling recovery from corrupted WAL segments.

  12. Video
    Dreams of Code · 17w

    Doppler is without a doubt my favorite secrets management platform

    Doppler is a secrets management platform that provides a centralized solution for storing, managing, and syncing secrets across local development, multiple environments, CI/CD pipelines, and production deployments. It eliminates the limitations of .env files by offering features like automatic synchronization with cloud platforms (Vercel, Railway, Netlify), Kubernetes operator support, audit logging, automatic rotation, and webhook integrations. The platform supports both CLI and web UI workflows, allows personal environment overrides, and works offline with encrypted cached secrets. It integrates with deployment platforms natively or through custom webhooks for platforms like Dockploy.

  13. Article
    Halodoc · 18w

    Kubernetes Optimization: In-Place Pod Resizing, Zone-Aware Routing

    Halodoc reduced Kubernetes infrastructure costs by implementing two optimization strategies: in-place pod resizing to dynamically adjust resources during low-traffic periods without restarts (achieving ~15% CPU and ~10% memory reduction), and zone-aware routing to minimize cross-AZ traffic (reducing data transfer costs by ~25% and latency by ~5%). The approach uses a custom scheduler for periodic resource patching and Kubernetes' trafficDistribution: PreferClose feature combined with topology spread constraints to keep traffic within availability zones.

  14. Article
    Code Like A Girl · 20w

    CKAD Certified! A Guide to Passing the Exam

    A personal account of preparing for and passing the Certified Kubernetes Application Developer (CKAD) exam. Covers a structured 45-day preparation timeline using KodeKloud's Udemy course, mock tests from killer.sh, and hands-on practice exercises. Emphasizes the practical, hands-on nature of the exam with 17 questions in 2 hours, importance of mastering Kubernetes documentation, time management strategies, and exam day logistics. Includes specific tips like using copy-paste to avoid errors, flagging difficult questions, and understanding partial scoring.

  15. Article
    Istio · 20w

    Announcing Istio 1.28.1

    Istio 1.28.1 is a patch release that addresses multiple bug fixes and security vulnerabilities. Key improvements include support for multiple targetPorts in InferencePool, fixes for ambient mode issues with ServiceEntry resources and multi-network connections, resolution of EDS endpoint configuration problems in waypoints and gateways, and corrections for nftables rules and DNS name table creation. The release also implements security updates detailed in ISTIO-SECURITY-2025-003.

  16. Article
    Ayende @ Rahien · 18w

    RavenDB Kubernetes Operator

    RavenDB has released an official Kubernetes Operator that simplifies deploying and managing RavenDB clusters in Kubernetes environments. The Operator automates certificate management, handles safe rolling upgrades with health checks, provides flexible external access options for major cloud providers and ingress controllers, and offers declarative storage orchestration. It eliminates the manual complexity of configuring StatefulSets, Services, and TLS certificates by using a single RavenDBCluster custom resource. The Operator is available via Helm and supports EKS, AKS, Kind, Minikube, and Kubeadm clusters.

  17. Article
    Cloud Native Now · 16w

    Best of 2025: Hardening Kubernetes Security with DevSecOps Practices

    Kubernetes security requires a fundamental shift from traditional perimeter-based approaches to DevSecOps practices. The article explores common security pitfalls including misconfigurations, runtime blind spots, and under-secured internal APIs. Key strategies include automation throughout the development lifecycle, policy-as-code enforcement using tools like OPA Gatekeeper, runtime security monitoring, and risk-based vulnerability prioritization. Success depends on cultural transformation with executive support, blameless postmortems, and shared responsibility. Emerging trends like GitOps for security management, eBPF for deeper observability, and AI-enhanced threat detection promise to further strengthen cloud-native security postures.

  18. Video
    TechWorld with Nana · 19w

    12 Networking Fundamentals Every Engineer Should Know

    Networking fundamentals are explained through the evolution of a fictional travel booking website from a single server to a complex cloud system. The content covers IP addresses and DNS for device identification, ports for application routing, subnets and routing for network segmentation, firewalls for security, and NAT for private-to-public address translation. It then progresses to cloud concepts like VPCs, containerization with Docker including bridge and overlay networks, and Kubernetes orchestration with pods, services, and ingress. The core principle is that fundamental networking concepts remain constant across physical servers, cloud infrastructure, containers, and orchestration platforms, even as the tools evolve.