< ciso
brief />
Tag Banner

All news with #kubernetes tag

41 articles

16-year KVM bug allows guest-to-host escape

🛡️ A critical KVM vulnerability, tracked as CVE-2026-53359 and nicknamed Januscape, lets an attacker with root in a guest VM execute code on the Linux host by exploiting a use-after-free in KVM's shadow MMU emulation on x86. Discovered by Hyunwoo Kim and present for 16 years, it affects both Intel and AMD servers and can enable host kernel panic, denial-of-service, or full RCE; some distros also allow local escalation via world-writable /dev/kvm. The Linux kernel was patched on June 16, but distribution rollouts may lag.
read more →

Amazon EKS adds Kubernetes version rollback support

🔧 Amazon Elastic Kubernetes Service (Amazon EKS) now supports Kubernetes minor version rollback, letting you revert to the prior minor version within 7 days if an upgrade causes issues. You can start a rollback via the Amazon EKS console, AWS CLI, or AWS SDKs, and EKS evaluates cluster rollback readiness with automated checks for API compatibility, version skew, add-on compatibility, and cluster health. For clusters using EKS Auto Mode, worker nodes are automatically managed during rollback to respect configured disruption controls, and the feature is available at no additional cost in all AWS Regions where EKS is offered.
read more →

CloudWatch OTel Container Insights for Amazon EKS

🚀 Amazon CloudWatch now offers OTel Container Insights for Amazon EKS, collecting infrastructure metrics at 30-second granularity using open-source receivers like cAdvisor, Kube State Metrics, and NVIDIA DCGM. Each metric includes OpenTelemetry semantic conventions and Kubernetes labels to simplify correlation across nodes, pods, and workloads with a single PromQL query. Pre-built dashboards provide immediate visibility into cluster health, node performance, and pod-level resource usage, and the CloudWatch PromQL endpoint enables direct connection of existing Prometheus and Grafana dashboards. Enable the feature from the EKS console, the CloudWatch Observability add-on (v6.2.0+), Helm, or CloudFormation; it is available in all commercial AWS Regions except UAE, Bahrain, and Israel (Tel Aviv).
read more →

EKS local clusters now support EC2 instance store on Outposts

🆕 AWS now supports Amazon EKS local clusters on first- and second-generation AWS Outposts racks that boot Amazon EC2 instances from EC2 instance store. This extends Outposts’ static stability benefits to EKS local clusters, keeping the entire Kubernetes control plane on the Outpost to meet data residency needs and reduce impact from temporary network disconnects. The updated architecture brings greater operational parity with cloud EKS, includes managed control plane responsibilities, and adds support for EKS add-ons and modern auth mechanisms.
read more →

Deploy ADK agents on GKE Autopilot securely

🚀 This tutorial shows how to build an AI agent with Google’s Agent Development Kit (ADK), containerize it, and deploy it to GKE Autopilot using Vertex AI (Gemini) as the model backend. It walks through local testing, creating a multi-stage Docker image, pushing to Artifact Registry, and configuring a Kubernetes Deployment and Service. The guide emphasizes secure authentication with Workload Identity and exposes the agent via the Kubernetes Gateway API with a Google-managed TLS certificate.
read more →

Amazon EKS and EKS Distro add Kubernetes 1.36 support

🔔 AWS now supports Kubernetes version 1.36 in Amazon EKS and Amazon EKS Distro. You can create new clusters or upgrade existing ones using the EKS console, eksctl, or infrastructure-as-code tools across all AWS Regions, including GovCloud. Key features in 1.36 include GA User Namespaces, Mutating Admission Policies for CEL, In-Place Pod-Level Vertical Scaling, and Resource Health Status reporting. EKS Distro images are available in ECR Public Gallery and GitHub, with documentation covering upgrade guidance and lifecycle policies.
read more →

Azure enables seamless cross-cluster networking for AKS

🚀 Microsoft announces the public preview of cross-cluster networking for Azure Kubernetes Fleet Manager, bringing transparent east‑west multi-cluster connectivity powered by Advanced Container Networking Services. Built on Cilium and Kubefleet, this managed capability extends the Kubernetes networking model across clusters to enable direct pod-to-pod communication, policy enforcement, and observability while preserving cluster isolation. The managed approach reduces operational overhead for multi-cluster fleets and supports resilient, global, and shared‑services architectures.
read more →

PCPJack Campaign Removes TeamPCP Artifacts from Cloud

🔒 Security researchers uncovered PCPJack, a credential‑theft framework that targets exposed cloud infrastructure and removes artifacts tied to TeamPCP. SentinelOne reports PCPJack worms through services to harvest credentials from Docker, Kubernetes, Redis, MongoDB, RayML and vulnerable web apps. Unlike many cloud campaigns it omits crypto‑mining and actively removes TeamPCP miner code, indicating monetization through credential theft, resale, fraud or extortion.
read more →

GKE Active Buffer reduces Kubernetes scale-out latency

⚡Active Buffer is a GKE preview that implements the Kubernetes CapacityBuffer API to remove scale-out latency by keeping spare node capacity warm. It replaces manual 'balloon' pod hacks and costly over-provisioning with a declarative resource the Cluster Autoscaler treats as pending demand, so critical pods can land instantly. Buffers can be sized by fixed replicas, percentage of deployments, or resource limits.
read more →

Cloud SQL Powers Manhattan Associates' AI Supply Chain

🚀 Manhattan Associates modernized its Manhattan Active SaaS platform by migrating from legacy Oracle and DB2 to Google Cloud databases. Cloud SQL and BigQuery now power core transactions and real-time analytics, enabling over a billion API calls per day with average responses under 150 ms. Containerized microservices on GKE, Pub/Sub streaming, and managed observability deliver automated failover, cross-region recovery, and faster feature delivery. The shift reduced manual scaling and licensing overhead while boosting operational agility and resilience.
read more →

Red Hat OpenShift on Google Cloud: Migration Updates

🔔 Google Cloud announced integrations and product updates to simplify running Red Hat OpenShift on its platform, including Google Cloud Cluster Services for OpenShift, a guided console cluster-creation experience, and the general availability of OpenShift Virtualization on OpenShift Dedicated. The updates emphasize cost optimization via custom machine types, Hyperdisk, and Axion processors, joint engineering with Red Hat, and configuration validation through Workload Manager to help migrate and modernize clusters. Supported integrations and middleware plugins aim to preserve OpenShift-native architecture while enabling selective adoption of managed Google services.
read more →

One-line Kubernetes fix reclaimed 600 hours for Atlantis

🔧 Cloudflare engineers traced repeated 30-minute Atlantis restarts to Kubernetes recursively changing file ownership on a large PersistentVolume. The default pod securityContext behavior (fsGroup combined with fsGroupChangePolicy: Always) caused kubelet to run an expensive recursive chgrp across millions of files, creating a mounting bottleneck. By validating that file group ownership would remain stable and setting fsGroupChangePolicy: OnRootMismatch, restarts dropped to ~30 seconds. That single-line change recovered roughly 50 engineering hours per month (about 600 hours per year).
read more →

DRA: Dynamic Resource Allocation for Kubernetes Devices

⚡ DRA (Dynamic Resource Allocation) modernizes Kubernetes device management by replacing static Device Plugins with a request-based model built on ResourceSlice and ResourceClaim. It enables granular, attribute-based requests such as minimum VRAM, specific hardware models, or PCIe locality, and abstracts hardware via DeviceClass so the scheduler can match workloads to suitable devices. NVIDIA contributed a GPU driver and Google donated a TPU driver, and DRA is generally available in GKE. This reduces manual node pinning and improves utilization for LLM and AI workloads.
read more →

Kubernetes as AI Infrastructure: llm-d Joins CNCF Sandbox

🚀 Google Cloud and partners announced that llm-d has been accepted into the CNCF Sandbox to promote open, accelerator-agnostic standards for distributed LLM inference. As a founding contributor alongside Red Hat, IBM Research, CoreWeave, and NVIDIA, Google emphasizes running any model on any accelerator in any cloud without vendor lock-in. GKE Inference Gateway now integrates the llm-d Endpoint Picker (EPP) to enable model-aware routing that optimizes for KV-cache hits, inflight requests, and queue depth, yielding concrete production gains in Vertex AI tests. Complementary work on the Kubernetes LeaderWorkerSet (LWS) API and vLLM extensions for Cloud TPUs targets scalable multi-node orchestration and up to 5x throughput improvements.
read more →

GKE and OSS Innovation Highlights at KubeCon EU 2026 Updates

🚀 Google Cloud previews GKE and open-source innovations at KubeCon Europe 2026, focusing on making Kubernetes the best platform for AI and agentic workloads. Autopilot compute classes can now be enabled per workload on Standard clusters, and GKE Cluster Autoscaler will be open-sourced to advance vendor-neutral provisioning. GKE is certified for the CNCF Kubernetes AI Conformance program, and projects like llm-d, DRA drivers for TPUs, and DRANET aim to standardize inference and resource management. Features such as the Model Context Protocol, Kubernetes Agent Sandbox, and GKE Pod Snapshots target secure, fast startup and manageability for agents.
read more →

TeamPCP Deploys Iran-Targeted Wiper via Kubernetes

🧨 The TeamPCP group is deploying a geopolitically targeted wiper that seeks out Iranian systems and either destroys host data or implants a persistent backdoor on Kubernetes nodes. Aikido researchers link the campaign to the earlier CanisterWorm and Trivy supply-chain incidents, noting identical C2 infrastructure and the same /tmp/pglog drop path. When Iran indicators (timezone/locale) and Kubernetes are detected, the malware creates a privileged DaemonSet named Host-provisioner-iran that mounts the host root and runs Alpine containers called "kamikaze" to delete top-level directories and force a reboot. If Kubernetes is present but the host is not identified as Iranian, it deploys host-provisioner-std to write a Python backdoor and install it as a systemd service; variants also propagate via SSH or unauthenticated Docker APIs.
read more →

Amazon EKS Adds 99.99% SLA and 8XL Control Plane Tier

🔒 Amazon EKS now offers a 99.99% Service Level Agreement for clusters running on the Provisioned Control Plane, up from the 99.95% SLA on the standard control plane. The upgraded SLA is measured in 1-minute intervals to deliver a more granular availability commitment for mission-critical workloads. At the same time, EKS introduces an 8XL scaling tier that doubles Kubernetes API server request processing capacity compared with the 4XL tier. Both the new SLA and the 8XL tier are available today in all regions where the Provisioned Control Plane is offered.
read more →

AWS Neuron DRA Driver Adds Hardware-Aware Scheduling

🔧 AWS announced the Neuron Dynamic Resource Allocation (DRA) driver for Amazon EKS, enabling Kubernetes-native, hardware-aware scheduling on Trainium-based instances. The driver publishes detailed device attributes — including hardware topology and Neuron-EFA PCIe co-location — directly to the Kubernetes scheduler, removing the need for custom scheduler extensions. Infrastructure teams can publish reusable ResourceClaimTemplates, while ML engineers reference them to deploy workloads without manual hardware tuning.
read more →

Kubernetes security: strengthening cluster defenses

🔒 New Kubernetes clusters are probed and often attacked within minutes, with honeypots run by Palo Alto Networks, Wiz and Aqua Security showing initial compromise attempts in roughly twenty minutes and repeated automated scans against container ports. The platform's permissive defaults and complex model make standard cloud controls insufficient. Organizations should adopt Kubernetes-specific controls: harden and automate RBAC, isolate workloads with network and namespace policies, store secrets in dedicated key management services, perform regular audits, and train developers on platform-specific threats and secure CI/CD practices.
read more →

GKE Inference Gateway Cuts Latency for Vertex AI Performance

🚀 The Vertex AI team deployed the GKE Inference Gateway, built on the Kubernetes Gateway API, to reduce inference latency and improve cache efficiency without a custom scheduler. The gateway applies load-aware routing—scraping Prometheus metrics like KV cache utilization and queue depth—and content-aware routing that inspects request prefixes to send traffic to pods with warm context. In production this cut Time to First Token by ~35% for Qwen3-Coder, improved P95 by ~52% for a bursty chat model, and doubled prefix-cache hit rates from 35% to 70%.
read more →