cgroups: From Chaos to Control
A deep dive into Linux cgroups v1 vs v2: the history, the architecture, and what it means for Kubernetes.
David Flanagan: Host of AlphaBits and Cloud Native Compass and 2 more shows, 35 published stories. Watch interviews, live coding, and deep dives on Rawkode Academy.
Your new compass for the Cloud Native landscape. Explore, filter, and learn about the technologies that power modern platforms.
Inside cuengine, a Rust library wrapping Go's CUE evaluator via FFI. Memory safety, structured errors, and production-grade architecture.
Wassette, a WebAssembly-based sandboxing technology for AI agent tools, and an analysis of why it represents a major step forward in security compared to traditional methods like Docker and direct execution.
A dispatch from the cloud-native world, where the height of innovation is apparently pointlessly reinventing YAML while shaking down the community for container images like a common street mugger.
A definitive look at FluxCD's controller-first design and why its architectural alignment with Kubernetes offers superior security, efficiency, and operational maturity over ArgoCD.
Kubernetes 1.34 will deliver distributed tracing in the kubelet, providing unprecedented visibility into node-level operations that have been a debugging black box until now.
Lazyjournal is a TUI log viewer that aggregates logs from various sources, providing a unified interface for developers and system administrators.
Replace ClusterPolicy with Kyverno ValidatingPolicy using CEL expressions. Real examples for image verification, label rules, and replica limits.
Build a portable GitLab CI pipeline with Dagger that deploys to Cloudflare Workers. Containerless caching, local-runnable, full source included.
Learn how federated GraphQL simplifies data access across service boundaries in a microservice architecture.
A high-level overview of the Rawkode Academy platform architecture, exploring the innovative patterns and techniques that power our cloud-native platform.
vLLM 0.21.0 ships on May 15 with two breaking-class changes — a C++20 compiler requirement and Transformers v4 deprecation — plus the TOKENSPEED_MLA attention backend for DeepSeek-R1 and Kimi-K25 on Blackwell.
Helm v4.2.0 and v3.21.0 both released on May 14, with the v3 release notes now stating that the v3 line is approaching end-of-life — a planning trigger for the long tail of clusters still on v3 charts.
The .spec.externalIPs field on Service objects is formally deprecated in Kubernetes v1.36, with kube-proxy implementation slated for removal in a future minor release. Driven by CVE-2020-8554.
Cilium published v1.19.4, v1.18.10, and v1.17.16 on May 13, fixing IPsec packet drops during key rotation, ARP failures for LoadBalancer services, and a CiliumLocalRedirectPolicy edge case that could override an existing Service frontend.
Kubernetes v1.36 introduces a new PodGroup API alongside the Workload API in scheduling.k8s.io/v1alpha2, separating static templates from runtime state and unlocking DRA for gang-scheduled workloads.
Pressure Stall Information metrics are now GA at node, pod, and container levels in Kubernetes v1.36, giving operators a kernel-grade signal for resource contention without out-of-band tooling.
Kubernetes 1.36.1, 1.35.5, 1.34.8, and 1.33.12 landed on the May 12 cherry-pick window. No CVEs, but a real correctness bug — services getting IPv6 addresses outside their allocated CIDR — is among the fixes.
Released May 12, OTel Collector v0.152.0 adds an alpha processor that normalizes GenAI telemetry from OpenInference and OpenLLMetry to the official OTel GenAI semantic conventions. The Sarama-based implementation inside the kafkametrics receiver is removed and a Cardinality Guardian processor lands in alpha.
On the heels of DRA graduating to GA in v1.36, the May 7 follow-up details one new stable feature — prioritized list — and five betas covering partitionable devices, device taints, device binding conditions, resource health, and extended-resource integration. ResourceClaims also work with the new PodGroup API.
The CNCF Technical Oversight Committee voted to promote Microcks — a multi-protocol API mocking and contract-testing platform — to Incubating status, three years after Sandbox acceptance.
KEP-5866 ships in v1.36 with a new shardSelector field on ListOptions, moving event filtering from clients to the API server. Horizontally sharded controllers no longer pay for the full stream of deserialization on objects they don't own.
CRI-O 1.36.0 and patch releases for 1.35, 1.34, and 1.33 landed on May 5 with CVE-2026-35469 (CVSS 8.7) fixed across the board, alongside new CNI status polling and GOMAXPROCS injection.
The kubelet's CPU, memory, and topology managers extend to pod scope behind the PodLevelResourceManagers and PodLevelResources feature gates. Performance-critical containers keep NUMA alignment while lightweight sidecars share a pod-level budget rather than burning dedicated cores.
Dragonfly's dfget now supports hf:// and modelscope:// with auth and revision pinning. The upside is simpler model distribution and lower origin egress, but benchmark claims still need real cluster data.
Microsoft disclosed a CVSS 10.0 privilege escalation vulnerability in Azure Kubernetes Service. Specific technical details are still sparse, but the confirmed characteristics make this one worth watching.
Kubernetes v1.36, releasing April 22, finalizes DRA to GA, graduates User Namespaces, enables HPA scale-to-zero by default, and formally retires Ingress-NGINX.
Istio's ambient mode gains multicluster support in beta with sidecar-free cross-cluster routing, and integrates the Gateway API Inference Extension for model-aware traffic management.
KubeVirt v1.8 introduces a hypervisor abstraction layer decoupling it from KVM, Intel TDX attestation for confidential VMs, and PCIe NUMA topology awareness for near-native GPU performance.
Kyverno reaches CNCF Graduated status with full CEL adoption, completing its journey from Kubernetes admission controller to a broader policy engine for the cloud native stack.
The distributed LLM inference engine co-created by Red Hat, Google Cloud, IBM Research, CoreWeave, and NVIDIA joins the CNCF, establishing an open standard for inference workloads on Kubernetes.
NVIDIA shifts governance of its Dynamic Resource Allocation driver for GPUs to the CNCF, gets KAI Scheduler accepted as a Sandbox project, and open-sources Grove for AI inference orchestration.
OpenAI announces acquisition of Astral, the company behind Python developer tools Ruff, uv, and ty, with hundreds of millions of monthly downloads. Tools will integrate with Codex.
Anthropic, AWS, GitHub, Google, Microsoft, and OpenAI fund $12.5M through OpenSSF to help open source maintainers cope with the flood of AI-generated security reports and vulnerability discoveries.