Kyverno: Kubernetes-Native Policy-as-Code for Platform Governance
Kyverno provides Kubernetes-native Policy-as-Code using YAML instead of Rego, with validation, mutation, and generation policies for cluster governance.
Five critical vulnerabilities dubbed IngressNightmare affect Kubernetes NGINX Ingress Controller versions prior to 1.12.1, with CVE-2025-1974 enabling unauthenticated RCE. Patch immediately.
Cilium celebrates 10 years at KubeCon Europe with CiliumCon 2026, featuring Cilium v1.19, Tetragon security advances, and sessions on multi-cluster networking at scale.
EKS Hybrid Nodes lets you pair an AWS-managed control plane with on‑prem or edge worker nodes. Here’s what changes operationally, what doesn’t, and how to evaluate it against EKS Anywhere and plain upstream Kubernetes.
GitHub is tightening the screws on enterprise governance: enterprise-defined custom org roles are GA, and IP allow lists now extend deeper into EMU user namespaces. Here’s what it changes for platform teams.
Harbor is easy to install, hard to productionize. Here’s a practical checklist for HA, storage, signing/scanning, and day-2 ops when Harbor becomes your cluster’s artifact backbone.
CNCF is spotlighting Agentics Day at KubeCon EU 2026 with a focus on MCP and production-grade agents. The real story: interoperability layers are becoming infrastructure. Here’s how to think about MCP as platform plumbing—and how to operate it safely.
OpenClaw 2026.2.15 focuses on better human-in-the-loop UX (especially on Discord) and stronger safety/operability guardrails. Here’s what’s new—and concrete ways teams can use it.
OIDC in GitHub Actions has quietly become the default pattern for ‘secretless’ CI/CD. Here’s how to think about it as a platform primitive: trust boundaries, short-lived credentials, and how it changes the way you deploy into Kubernetes and cloud APIs.
OpenTofu 1.11.5 ships with upstream Go security fixes and continues a trend: infrastructure-as-code tools are becoming security products as much as automation products. Here’s what that means for platform teams.
OpenStack’s latest security advisory (OSSA-2026-001) describes a privilege escalation path involving identity headers in external OAuth2 tokens. Here’s the bigger lesson: identity boundaries are where multi-cloud platforms most often leak.
Kubernetes SIG Network is retiring the ubiquitous Ingress NGINX controller in March 2026. Here’s how to inventory impact, choose a replacement, and migrate safely—ideally to Gateway API—without breaking traffic.
Model Context Protocol (MCP) is emerging as the ‘USB-C’ of agent tooling: a standard way to expose tools and context to LLMs. Here’s how it fits in ops workflows—and what to secure first.
Opus 4.6 is being positioned as stronger at coding and longer-running agentic tasks, with ‘agent teams’ entering preview. For platform leaders, the real story is operational: least privilege, audit trails, evals, and a clean boundary between propose vs execute.
A new ingress-nginx advisory discloses multiple CVEs. Here’s how to triage impact, patch safely, and reduce blast radius with practical hardening steps.