Dow DevOps

Kyverno apiCall SSRF: Policy Engines Need Egress Boundaries Too

Kyverno's apiCall feature is exactly the kind of capability platform teams end up wanting after the first wave of policy adoption. Static admission checks are useful, but real clusters are full of context. A namespace may need to be compared against an inventory system. A deployment may need

Admission Webhooks Are Control Plane Dependencies, Not Just Add-ons

A moderate Kubernetes ecosystem CVE does not always deserve a full incident response. It does often deserve a design review. CVE-2026-44247, published through the GitHub advisory database for Volcano, is a good example. Volcano is a Kubernetes-native batch scheduling system. The advisory says its webhook server did not enforce a

Argo CD ServerSideDiff and the Secrets Hiding in Kubernetes Annotations

Argo CD’s recent ServerSideDiff advisories show why read-only GitOps access, Kubernetes dry-run behavior, and old last-applied annotations deserve more operational respect.

Installing SigNoz Is the Easy Part: Turning Observability Into Operational Leverage

A practical model for turning SigNoz from a telemetry destination into operational leverage: service health, Tier 0 dependencies, trace/log correlation, alert quality, and telemetry hygiene.

VIPs, DNS, and a Conntrack Ghost: Post-mortem of an Intermittent Ingress Outage

While building a DNS round robin ingress design for multiple Traefik instances, I accidentally built an asymmetric packet path that my hypervisor firewall interpreted as “INVALID” and quietly dropped. The cluster looked guilty. The underlay did the crime.

Policy Engine Face-off: Azure Policy vs. Kyverno for AKS Governance

Last month, while implementing governance controls for a client's AKS environment, I discovered something that Azure's documentation glosses over: Azure Policy for Kubernetes, despite its seamless integration, cannot automatically generate resources based on policy violations.

Azure CNI with Cilium: Beyond the Basics - Unlocking Enterprise eBPF Security

When Microsoft announced Azure CNI powered by Cilium, the community celebrated the arrival of eBPF networking to AKS. However, enterprise security teams are noticing a critical gap: Azure's managed offering lacks the advanced features that make Cilium the choice for zero-trust architectures.

Part 8: Security Hardening and Production Readiness

Building a Production-Grade Kubernetes Homelab - Part 8 of 8

Part 7: Complete Observability Stack

Building a Production-Grade Kubernetes Homelab - Part 7 of 8

Part 6: Ingress and Certificate Management

Building a Production-Grade Kubernetes Homelab - Part 6 of 8