Categories

Architecture

Kubernetes 1.35 GA: an operations-side balance sheet

Kubernetes 1.35 GA consolidates three releases of work: native sidecars with full lifecycle management, generalised DRA for FPGAs and NPUs, and a scheduler that cuts resource waste by 15-25% in heterogeneous clusters. An operations-side balance sheet: what to enable now, what to watch before migrating, and what path to follow from 1.30.

Architecture

Docker Swarm in 2023: When It Still Makes Sense

Kubernetes won the orchestration battle, but Docker Swarm stays maintained inside Docker Engine and makes real sense for small teams without dedicated SRE, self-hosted stacks on 1-5 VPS, and edge mini-clusters. In those contexts, Swarm's minimal learning curve and low operational cost outweigh Kubernetes's advanced features.

Methodologies

Carbon-aware scheduling by default: first balance

A principios de 2026, varias plataformas de orquestación incluyen carbon-aware scheduling como opción por defecto o muy visible. Con meses de datos reales, toca evaluar si la promesa de reducir emisiones sin dañar rendimiento se cumple y en qué escenarios.

Architecture

Kubernetes 1.35: what you can already see coming

Con 1.34 liberado en agosto de 2025 y el ciclo de 1.35 en su última fase de congelación de funciones, qué llegará estable, qué quedará en beta, qué nos interesa a quienes mantenemos clústeres pequeños o medianos y qué podemos ignorar sin culpa hasta el siguiente ciclo.

Architecture

containerd with Wasm: mixed workloads in production

La integración de WebAssembly dentro de containerd como tiempo de ejecución alternativo ha madurado. Ya es posible desplegar cargas mixtas Linux y Wasm en el mismo clúster de Kubernetes con argumentos operativos sólidos. Cuándo compensa y cuándo no.

Methodologies

Carbon-aware computing: now the default behavior

Four years ago it was an academic curiosity. Today, scheduling workloads by grid carbon intensity is a built-in option in Kubernetes, in several cloud provider services, and in CI tooling. We look at what genuinely changed and what is still more promise than practice.

Architecture

Kubernetes 1.34: a summary for teams with little time

Kubernetes 1.34 ships with Dynamic Resource Allocation (DRA) graduating to stable, scheduler improvements, and CEL-based mutating admission policies that replace webhooks. A practical rundown of what is safe to upgrade now, what can wait, and what actually changes for teams running production clusters.

Architecture

containerd 2.0 in production: real migrations

Six months after containerd 2.0 reached general availability there is enough real-world mileage to judge the migration from the 1.x branch in production. We cover what changes in the config file, what breaks on Kubernetes and Docker Swarm, and when planning the jump actually pays off.

Technology

eBPF for Continuous Profiling: Parca and Beyla

eBPF-based continuous profiling captures CPU flame graphs for every process on a Linux node around the clock, without instrumenting code or restarting services, at under 1% overhead. Parca covers the whole cluster, Beyla adds automatic HTTP/gRPC metrics and traces, and Pyroscope brings native per-language detail to the most critical services.

Architecture

Kubernetes 1.30: The Improvements Operators Actually Appreciate

Kubernetes 1.30, released in April 2024, brings ValidatingAdmissionPolicy to general availability, eliminating the need for external webhooks for CEL-based admission policies. It adds pod scheduling readiness to control when a pod enters the scheduling cycle, and job success policy to define which index combination counts as success in distributed indexed Jobs.

Architecture

Kubecost and OpenCost: Native FinOps in Kubernetes

Kubecost and OpenCost map real costs to namespaces, deployments, and labels in Kubernetes. OpenCost, the Apache 2.0 open-source core, covers essentials for free. Kubecost adds multi-cluster visibility and advanced cloud billing. For clusters spending over $5,000/month the ROI is clear: identified savings typically exceed software cost within the first month.

Architecture

Kubernetes 1.31: the stabilisations that matter day to day

Kubernetes 1.31 brings no fireworks, but it closes old debts: AppArmor reaches GA, native sidecars now run enabled by default on their way to stable in 1.33, and DRA moves through alpha toward beta. A practical review from the perspective of someone operating clusters in production.

Architecture

Service Mesh in 2024: Istio Ambient and Cilium Mesh

In 2024, the sidecar-or-not debate has an answer: Istio Ambient Mesh and Cilium Service Mesh bring sidecarless architecture to production, while Linkerd keeps ultra-light Rust sidecars. The right choice depends on your current CNI, the features you need, and the size of your ops team, not on which project wins in the abstract.

Tools

Fluent Bit: Lightweight Log Collection in Production

Fluent Bit is the CNCF's lightweight log collector: a ~1.5 MB C binary that rarely tops 30 MB of memory in production. It beats Promtail, Vector, and Filebeat when several destinations or resource-constrained nodes are in play, thanks to a pipeline of inputs, parsers, filters, and outputs that stays easy to reason about and debug.

Architecture

Modern SCADA in Containers: Advantages and Risks

Containerising SCADA makes sense for the upper architecture layers: HMI, historians, and data gateways. PLCs still control hardware with hard determinism. The biggest risk is cultural: applying DevOps patterns without adapting to OT context causes incidents. NIS2 requires managing containers as any other critical infrastructure asset.

Architecture

Cilium Service Mesh: When You Don’t Need Sidecars

Cilium Service Mesh replaces Istio or Linkerd sidecars with eBPF in the kernel: it handles policy, WireGuard encryption, and Hubble observability without a per-pod proxy, cutting memory overhead from roughly 100 GB to about 5 GB in a 100-node cluster. It suits large clusters with teams comfortable with eBPF.

Methodologies

Sigstore in Image Registries: Adoption and Reality

Sigstore has become the standard signing layer for OCI artefacts. GHCR is the best-integrated registry; Harbor 2.5+ and Quay offer native support; AWS ECR pushes its own KMS scheme. Verification earns its keep at three points: the cluster admission controller, the GitOps layer, and the CI/CD pipeline. The public Rekor has rate limits that force self-hosting past a certain build volume.

Architecture

Linkerd: The Pragmatic Service Mesh Alternative

Linkerd is the pragmatic service mesh for Kubernetes, prioritizing simplicity over feature catalogues. Its Rust proxy uses ~10 MB RAM per sidecar versus 50-100 MB for Envoy under Istio. This comparison explains when adopting it pays off, what it costs to operate, and when Istio makes more sense.

Technology

Falco: Runtime Threat Detection with eBPF

Falco is a graduated CNCF project that hooks the Linux kernel via eBPF and detects syscall anomalies in real time without instrumenting applications. Deployed as a DaemonSet on Kubernetes, it emits JSON events and requires a triage process to deliver value. In production, alert fatigue is the most common operational pitfall.

Methodologies

Flux CD vs ArgoCD: Which to Choose for Your Platform

Flux CD and ArgoCD are the two CNCF-graduated GitOps tools for deploying to Kubernetes with Git as the source of truth. ArgoCD offers a centralised visual UI that manages several clusters from one instance, while Flux is a set of Kubernetes-native controllers with built-in image automation. Neither choice is wrong: it depends on your team and use case.

Architecture

GitOps With ArgoCD: From Hype to Stable Production

ArgoCD has established GitOps as the standard deployment practice for Kubernetes: the Git repository is the single source of truth for the desired state, and the agent continuously reconciles the cluster. This guide covers the four formal GitOps principles, sync policies, common production mistakes, and a comparison with Flux.

Architecture

Service Mesh in 2023: Istio, Linkerd, and the Cilium Option

A service mesh adds mTLS, uniform observability, and traffic management between microservices without modifying application code. The ecosystem has consolidated: Istio is the most complete and complex, Linkerd prioritises simplicity with Rust proxies, and Cilium delivers sidecarless service mesh via eBPF.

Architecture

containerd: The Runtime Underpinning Kubernetes

containerd is the runtime that runs containers in most modern Kubernetes clusters, and almost nobody notices. It manages the full container lifecycle: pulling the image, starting it, networking, and mounting the filesystem. It became the default runtime after Kubernetes 1.24 removed dockershim in May 2022.

Architecture

Kubernetes 1.27: The Changes That Matter to Operators

Kubernetes 1.27 ("Chill Vibes"), released in April 2023, makes SeccompDefault stable so pods get safer syscall defaults automatically, moves KMS v2 to beta with rotatable encryption keys for etcd secrets, and stabilises scheduling gates. It also removes PodSecurityPolicy for good: without migrating to Pod Security Admission first, the upgrade is blocked entirely.

Architecture

Cilium and the Future of Container Networking with eBPF

Cilium replaces iptables with eBPF programs loaded directly into the Linux kernel, substituting O(n) linear chains with O(1) hash lookups. Documented benchmarks show up to 50% lower p95 latency, 2-3x more throughput, and 70% less kernel CPU in large Kubernetes clusters.

Architecture

Kubernetes 1.28: Sidecar Containers as First-Class Citizens

Kubernetes 1.28 introduces native sidecar containers in alpha via KEP-753: adding restartPolicy Always to initContainers ensures correct startup and shutdown ordering. It fixes Jobs that never terminate. Istio, Linkerd, and observability agents like Fluent Bit are the primary beneficiaries.

Architecture

Pixie: Native Kubernetes Observability Powered by eBPF

Pixie uses eBPF to automatically instrument Kubernetes clusters without modifying application code. A per-node agent captures HTTP, gRPC, SQL, and Redis traffic at the kernel level, exposing service maps, CPU profiles, and SQL traces within minutes. It complements Prometheus for reactive diagnosis with no sidecars or redeploys.

Architecture

From Monolith to Microservices: Transforming the Architecture

Migrating from monolith to microservices means splitting a single system into independent services that deploy and scale on their own. It gains granular scalability and team autonomy, but adds real operational complexity: stable interfaces, Kubernetes orchestration, and a mature DevOps culture are conditions, not optional extras, for the migration to pay off.