apko + melange: Distroless OCI Images Your Scanner Can Actually Read
A working tutorial for apko and melange. Package a binary with melange, assemble it into a signed distroless image with apko, and ship it with an SBOM Trivy can actually parse.
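The pipeline that summary describes, end to end, as an added example that is not code from the tutorial or from the apko, melange, Trivy or cosign projects. It assumes a package named hello, the public Wolfi repository and signing key, an assumed registry path ghcr.io/example/hello for the publish step, and apko's per-arch SBOM filename convention sbom-<arch>.spdx.json; all four tools must be on PATH and the build needs network access, so the real run is opt-in.

```shell
#!/bin/sh
# Added example, not code from the tutorial or the apko/melange projects.
# Assumptions: a package named "hello", the public Wolfi repo and signing key,
# an assumed registry ref ghcr.io/example/hello for the publish step, and
# apko's per-arch SBOM filename sbom-<arch>.spdx.json.
set -eu

IMAGE_REF="${IMAGE_REF:-ghcr.io/example/hello}"   # assumed registry path

# melange.yaml: compile a small C binary and stage it in ${{targets.destdir}}.
write_melange_config() {
  cat > "$1" <<'EOF'
package:
  name: hello
  version: 1.0.0
  epoch: 0
  description: example binary packaged with melange
  copyright:
    - license: Apache-2.0
environment:
  contents:
    repositories:
      - https://packages.wolfi.dev/os
    keyring:
      - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
    packages:
      - build-base
      - busybox
pipeline:
  - runs: |
      printf '#include <stdio.h>\nint main(void){puts("hello");return 0;}\n' > hello.c
      gcc -O2 -o hello hello.c
      install -Dm755 hello "${{targets.destdir}}/usr/bin/hello"
EOF
}

# apko.yaml: Wolfi base layout plus our package, nothing else, run as non-root.
write_apko_config() {
  cat > "$1" <<'EOF'
contents:
  repositories:
    - https://packages.wolfi.dev/os
  keyring:
    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
  packages:
    - wolfi-baselayout
    - hello
accounts:
  groups:
    - groupname: nonroot
      gid: 65532
  users:
    - username: nonroot
      uid: 65532
      gid: 65532
  run-as: nonroot
entrypoint:
  command: /usr/bin/hello
archs:
  - x86_64
EOF
}

# CI guard rails: refuse a root image, and refuse an SBOM that omits our package.
config_runs_as_nonroot() { grep -q '^  run-as: nonroot$' "$1"; }
sbom_lists_package() { grep -q "\"name\": *\"$2\"" "$1"; }   # $1 SPDX JSON, $2 name

build_all() {
  cd "$1"
  write_melange_config melange.yaml
  write_apko_config apko.yaml
  config_runs_as_nonroot apko.yaml

  # 1. Package: melange signs the .apk with a local key and writes an APKINDEX.
  [ -f melange.rsa ] || melange keygen
  melange build melange.yaml --arch x86_64 --signing-key melange.rsa --out-dir packages

  # 2. Assemble: apko resolves packages from Wolfi plus the local repo, writes an
  #    OCI tarball and the SPDX SBOMs next to it.
  apko build apko.yaml hello:latest hello.tar --arch x86_64 \
    --repository-append ./packages --keyring-append ./melange.rsa.pub --sbom-path sbom
  sbom_lists_package sbom/sbom-x86_64.spdx.json hello

  # 3. Scan: Trivy reads the apk database in the image and the SPDX file directly.
  trivy image --input hello.tar --severity HIGH,CRITICAL --exit-code 1
  trivy sbom sbom/sbom-x86_64.spdx.json --severity HIGH,CRITICAL --exit-code 1

  # 4. Ship: publish (apko publish prints the digest reference on stdout), then
  #    sign and attest the immutable digest, never the mutable tag.
  digest_ref=$(apko publish apko.yaml "$IMAGE_REF:1.0.0" --arch x86_64 \
    --repository-append ./packages --keyring-append ./melange.rsa.pub --sbom-path sbom)
  cosign sign --yes "$digest_ref"
  cosign attest --yes --type spdxjson --predicate sbom/sbom-x86_64.spdx.json "$digest_ref"
}

# Network access and the four tools are needed; opt in explicitly.
if [ "${RUN_PIPELINE:-0}" = 1 ]; then
  build_all "$(mktemp -d)"
fi
```

Run it with `RUN_PIPELINE=1 sh build.sh`. The two grep-based checks are deliberately dependency-free so they can gate a pipeline before any scanner runs; the signing step binds the signature and the SPDX attestation to the digest apko publishes rather than to a tag that can be repointed later.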
David Flanagan: Host of AlphaBits and Cloud Native Compass and 2 more shows, 45 published stories. Watch interviews, live coding, and deep dives on Rawkode Academy.
Learn Linux cgroups v2 through Docker and Kubernetes examples: memory.max, pids.max, cgroup.subtree_control, OOM kills, and resource-limit debugging.
Your new compass for the Cloud Native landscape. Explore, filter, and learn about the technologies that power modern platforms.
Inside cuengine, a Rust library wrapping Go's CUE evaluator via FFI. Memory safety, structured errors, and production-grade architecture.
Wassette, a WebAssembly-based sandboxing technology for AI agent tools, and an analysis of why it represents a major step forward in security compared to traditional methods like Docker and direct execution.
A dispatch from the cloud-native world, where the height of innovation is apparently pointlessly reinventing YAML while shaking down the community for container images like a common street mugger.
A definitive look at FluxCD's controller-first design and why its architectural alignment with Kubernetes offers superior security, efficiency, and operational maturity over ArgoCD.
Kubernetes 1.34 will deliver distributed tracing in the kubelet, providing unprecedented visibility into node-level operations that have been a debugging black box until now.
Lazyjournal is a TUI log viewer that aggregates logs from various sources, providing a unified interface for developers and system administrators.
Replace ClusterPolicy with Kyverno ValidatingPolicy using CEL expressions. Real examples for image verification, label rules, and replica limits.
Build a portable GitLab CI pipeline with Dagger that deploys to Cloudflare Workers. Containerless caching, local-runnable, full source included.
Learn how federated GraphQL simplifies data access across service boundaries in a microservice architecture.
A high-level overview of the Rawkode Academy platform architecture, exploring the innovative patterns and techniques that power our cloud-native platform.
Envoy and Istio published June 4 security and mesh patch releases, while NVIDIA NCCL 2.30.7-1 added zero-SM collectives and symmetric-memory improvements for GPU communication.
Fresh analysis covers the Miasma npm supply-chain attack, vLLM serving on DGX Spark, vLLM-Omni GGUF quantization, and CNCF guidance on dynamic Swift service configuration.
Backstage v1.51.0 rewrites the entity listing and facets paths against PostgreSQL indexes, adds incremental Microsoft Graph ingestion, and ships breaking changes to navigation, OIDC defaults, and PortableSchema.
containerd v2.3.1, v2.2.4, v2.0.9, and v1.7.32 fix CVE-2026-46680, a moderate-severity flaw that lets a crafted image override a pod's numeric runAsUser by exploiting integer overflow in OCI USER parsing.
etcd v3.7.0-beta.0 deletes client/v2, v2discovery, and the v2 request path, adds Unix socket endpoints and FastLeaseKeepAlive, and reports up to 2x faster lease, user, and role operations.
Flux v2.8.8 picks up go-git v5.19.1 to address CVE-2026-45571 and CVE-2026-45570, fixes an unbounded memory leak in helm-controller's Kubernetes client transport, and adds GCP sovereign cloud artifact registry support.
An arXiv paper submitted on May 20 introduces Overall FLOP Utilization, a precision-agnostic GPU efficiency metric derived from two on-chip counters, and reports r = 0.78 correlation with application-level MFU across 608 production training jobs on H100 and GB200.
Prometheus v3.12.0-rc.0 introduces experimental start(), end(), range(), and step() PromQL functions, makes head-chunk lookup constant time in range queries, and closes a plaintext-secret exposure in the STACKIT service discovery via /-/config.
SPIRE v1.15.0 graduates Sigstore support in the Kubernetes and Docker workload attestors, ships a HashiCorp Vault Key Manager plugin, and changes CLI JSON output in a way that will break parsers.
vLLM 0.21.0 ships on May 15 with two breaking-class changes — a C++20 compiler requirement and Transformers v4 deprecation — plus the TOKENSPEED_MLA attention backend for DeepSeek-R1 and Kimi-K25 on Blackwell.
Helm v4.2.0 and v3.21.0 both released on May 14, with the v3 release notes now stating that the v3 line is approaching end-of-life — a planning trigger for the long tail of clusters still on v3 charts.
The .spec.externalIPs field on Service objects is formally deprecated in Kubernetes v1.36, with the kube-proxy implementation slated for removal in a future minor release. The deprecation follows CVE-2020-8554, the man-in-the-middle issue in which anyone able to create or edit a Service with externalIPs can intercept in-cluster traffic to those addresses.
Cilium published v1.19.4, v1.18.10, and v1.17.16 on May 13, fixing IPsec packet drops during key rotation, ARP failures for LoadBalancer services, and a CiliumLocalRedirectPolicy edge case that could override an existing Service frontend.
Kubernetes v1.36 introduces a new PodGroup API alongside the Workload API in scheduling.k8s.io/v1alpha2, separating static templates from runtime state and unlocking DRA for gang-scheduled workloads.
Pressure Stall Information metrics are now GA at node, pod, and container levels in Kubernetes v1.36, giving operators a kernel-grade signal for resource contention without out-of-band tooling.
Kubernetes 1.36.1, 1.35.5, 1.34.8, and 1.33.12 landed on the May 12 cherry-pick window. No CVEs, but a real correctness bug — services getting IPv6 addresses outside their allocated CIDR — is among the fixes.
Released May 12, OTel Collector v0.152.0 adds an alpha processor that normalizes GenAI telemetry from OpenInference and OpenLLMetry to the official OTel GenAI semantic conventions. The Sarama-based implementation inside the kafkametrics receiver is removed and a Cardinality Guardian processor lands in alpha.
On the heels of DRA graduating to GA in v1.36, the May 7 follow-up details one new stable feature — prioritized list — and five betas covering partitionable devices, device taints, device binding conditions, resource health, and extended-resource integration. ResourceClaims also work with the new PodGroup API.
The CNCF Technical Oversight Committee voted to promote Microcks — a multi-protocol API mocking and contract-testing platform — to Incubating status, three years after Sandbox acceptance.
KEP-5866 ships in v1.36 with a new shardSelector field on ListOptions, moving event filtering from clients to the API server. Horizontally sharded controllers no longer pay to receive and deserialize the full event stream for objects they don't own.
CRI-O 1.36.0 and patch releases for 1.35, 1.34, and 1.33 landed on May 5 with CVE-2026-35469 (CVSS 8.7) fixed across the board, alongside new CNI status polling and GOMAXPROCS injection.
The kubelet's CPU, memory, and topology managers extend to pod scope behind the PodLevelResourceManagers and PodLevelResources feature gates. Performance-critical containers keep NUMA alignment while lightweight sidecars share a pod-level budget rather than burning dedicated cores.
Dragonfly's dfget now supports hf:// and modelscope:// with auth and revision pinning. The upside is simpler model distribution and lower origin egress, but benchmark claims still need real cluster data.
Microsoft disclosed a CVSS 10.0 privilege escalation vulnerability in Azure Kubernetes Service. Specific technical details are still sparse, but the confirmed characteristics make this one worth watching.
Kubernetes v1.36, releasing April 22, finalizes DRA to GA, graduates User Namespaces, enables HPA scale-to-zero by default, and formally retires Ingress-NGINX.
Istio's ambient mode gains multicluster support in beta with sidecar-free cross-cluster routing, and integrates the Gateway API Inference Extension for model-aware traffic management.
KubeVirt v1.8 introduces a hypervisor abstraction layer decoupling it from KVM, Intel TDX attestation for confidential VMs, and PCIe NUMA topology awareness for near-native GPU performance.
Kyverno reaches CNCF Graduated status with full CEL adoption, completing its journey from Kubernetes admission controller to a broader policy engine for the cloud native stack.
The distributed LLM inference engine co-created by Red Hat, Google Cloud, IBM Research, CoreWeave, and NVIDIA joins the CNCF, establishing an open standard for inference workloads on Kubernetes.
NVIDIA shifts governance of its Dynamic Resource Allocation driver for GPUs to the CNCF, gets KAI Scheduler accepted as a Sandbox project, and open-sources Grove for AI inference orchestration.
OpenAI announces acquisition of Astral, the company behind Python developer tools Ruff, uv, and ty, with hundreds of millions of monthly downloads. Tools will integrate with Codex.
Anthropic, AWS, GitHub, Google, Microsoft, and OpenAI fund $12.5M through OpenSSF to help open source maintainers cope with the flood of AI-generated security reports and vulnerability discoveries.