Kubernetes 1.35 GA consolidates three releases of work: native sidecars with full lifecycle management, generalised DRA for FPGAs and NPUs, and a scheduler that cuts resource waste by 15-25% in heterogeneous clusters. An operations-side balance sheet: what to enable now, what to watch before migrating, and what path to follow from 1.30.
Kubernetes won the orchestration battle, but Docker Swarm stays maintained inside Docker Engine and makes real sense for small teams without dedicated SRE, self-hosted stacks on 1-5 VPS, and edge mini-clusters. In those contexts, Swarm's minimal learning curve and low operational cost outweigh Kubernetes's advanced features.
A principios de 2026, varias plataformas de orquestación incluyen carbon-aware scheduling como opción por defecto o muy visible. Con meses de datos reales, toca evaluar si la promesa de reducir emisiones sin dañar rendimiento se cumple y en qué escenarios.
Con 1.34 liberado en agosto de 2025 y el ciclo de 1.35 en su última fase de congelación de funciones, qué llegará estable, qué quedará en beta, qué nos interesa a quienes mantenemos clústeres pequeños o medianos y qué podemos ignorar sin culpa hasta el siguiente ciclo.
La integración de WebAssembly dentro de containerd como tiempo de ejecución alternativo ha madurado. Ya es posible desplegar cargas mixtas Linux y Wasm en el mismo clúster de Kubernetes con argumentos operativos sólidos. Cuándo compensa y cuándo no.
Four years ago it was an academic curiosity. Today, scheduling workloads by grid carbon intensity is a built-in option in Kubernetes, in several cloud provider services, and in CI tooling. We look at what genuinely changed and what is still more promise than practice.
Kubernetes 1.34 ships with Dynamic Resource Allocation (DRA) graduating to stable, scheduler improvements, and CEL-based mutating admission policies that replace webhooks. A practical rundown of what is safe to upgrade now, what can wait, and what actually changes for teams running production clusters.
Six months after containerd 2.0 reached general availability there is enough real-world mileage to judge the migration from the 1.x branch in production. We cover what changes in the config file, what breaks on Kubernetes and Docker Swarm, and when planning the jump actually pays off.
Kubernetes 1.32 Penelope shipped in December and has been running in clusters for several months. It is a good time to look at which changes have aged well, which created extra work, and what lessons to carry into the jump to 1.33.
Kubernetes 1.33 (Octarine) lands April 23. In-place pod resize moves to beta and ships on by default, sidecar containers finally reach GA, and several endpoint and security deprecations arrive that operators should review before upgrading from 1.32.
eBPF-based continuous profiling captures CPU flame graphs for every process on a Linux node around the clock, without instrumenting code or restarting services, at under 1% overhead. Parca covers the whole cluster, Beyla adds automatic HTTP/gRPC metrics and traces, and Pyroscope brings native per-language detail to the most critical services.
Kubernetes 1.30, released in April 2024, brings ValidatingAdmissionPolicy to general availability, eliminating the need for external webhooks for CEL-based admission policies. It adds pod scheduling readiness to control when a pod enters the scheduling cycle, and job success policy to define which index combination counts as success in distributed indexed Jobs.
Kubecost and OpenCost map real costs to namespaces, deployments, and labels in Kubernetes. OpenCost, the Apache 2.0 open-source core, covers essentials for free. Kubecost adds multi-cluster visibility and advanced cloud billing. For clusters spending over $5,000/month the ROI is clear: identified savings typically exceed software cost within the first month.
Kubernetes 1.31 brings no fireworks, but it closes old debts: AppArmor reaches GA, native sidecars now run enabled by default on their way to stable in 1.33, and DRA moves through alpha toward beta. A practical review from the perspective of someone operating clusters in production.
In 2024, the sidecar-or-not debate has an answer: Istio Ambient Mesh and Cilium Service Mesh bring sidecarless architecture to production, while Linkerd keeps ultra-light Rust sidecars. The right choice depends on your current CNI, the features you need, and the size of your ops team, not on which project wins in the abstract.
Carbon-aware computing runs flexible workloads when grid electricity emits less CO2, cutting emissions 10-30% without changing infrastructure. Grid carbon intensity varies up to 16x by hour and region; tools like Electricity Maps, WattTime and the Carbon Aware SDK make that scheduling possible with real grid data.
Fluent Bit is the CNCF's lightweight log collector: a ~1.5 MB C binary that rarely tops 30 MB of memory in production. It beats Promtail, Vector, and Filebeat when several destinations or resource-constrained nodes are in play, thanks to a pipeline of inputs, parsers, filters, and outputs that stays easy to reason about and debug.
Containerising SCADA makes sense for the upper architecture layers: HMI, historians, and data gateways. PLCs still control hardware with hard determinism. The biggest risk is cultural: applying DevOps patterns without adapting to OT context causes incidents. NIS2 requires managing containers as any other critical infrastructure asset.
Cilium Service Mesh replaces Istio or Linkerd sidecars with eBPF in the kernel: it handles policy, WireGuard encryption, and Hubble observability without a per-pod proxy, cutting memory overhead from roughly 100 GB to about 5 GB in a 100-node cluster. It suits large clusters with teams comfortable with eBPF.
Sigstore has become the standard signing layer for OCI artefacts. GHCR is the best-integrated registry; Harbor 2.5+ and Quay offer native support; AWS ECR pushes its own KMS scheme. Verification earns its keep at three points: the cluster admission controller, the GitOps layer, and the CI/CD pipeline. The public Rekor has rate limits that force self-hosting past a certain build volume.
Linkerd is the pragmatic service mesh for Kubernetes, prioritizing simplicity over feature catalogues. Its Rust proxy uses ~10 MB RAM per sidecar versus 50-100 MB for Envoy under Istio. This comparison explains when adopting it pays off, what it costs to operate, and when Istio makes more sense.
Falco is a graduated CNCF project that hooks the Linux kernel via eBPF and detects syscall anomalies in real time without instrumenting applications. Deployed as a DaemonSet on Kubernetes, it emits JSON events and requires a triage process to deliver value. In production, alert fatigue is the most common operational pitfall.
Flux CD and ArgoCD are the two CNCF-graduated GitOps tools for deploying to Kubernetes with Git as the source of truth. ArgoCD offers a centralised visual UI that manages several clusters from one instance, while Flux is a set of Kubernetes-native controllers with built-in image automation. Neither choice is wrong: it depends on your team and use case.
ArgoCD has established GitOps as the standard deployment practice for Kubernetes: the Git repository is the single source of truth for the desired state, and the agent continuously reconciles the cluster. This guide covers the four formal GitOps principles, sync policies, common production mistakes, and a comparison with Flux.
A service mesh adds mTLS, uniform observability, and traffic management between microservices without modifying application code. The ecosystem has consolidated: Istio is the most complete and complex, Linkerd prioritises simplicity with Rust proxies, and Cilium delivers sidecarless service mesh via eBPF.
containerd is the runtime that runs containers in most modern Kubernetes clusters, and almost nobody notices. It manages the full container lifecycle: pulling the image, starting it, networking, and mounting the filesystem. It became the default runtime after Kubernetes 1.24 removed dockershim in May 2022.
Kubernetes 1.27 ("Chill Vibes"), released in April 2023, makes SeccompDefault stable so pods get safer syscall defaults automatically, moves KMS v2 to beta with rotatable encryption keys for etcd secrets, and stabilises scheduling gates. It also removes PodSecurityPolicy for good: without migrating to Pod Security Admission first, the upgrade is blocked entirely.
Cilium replaces iptables with eBPF programs loaded directly into the Linux kernel, substituting O(n) linear chains with O(1) hash lookups. Documented benchmarks show up to 50% lower p95 latency, 2-3x more throughput, and 70% less kernel CPU in large Kubernetes clusters.
Kubernetes 1.28 introduces native sidecar containers in alpha via KEP-753: adding restartPolicy Always to initContainers ensures correct startup and shutdown ordering. It fixes Jobs that never terminate. Istio, Linkerd, and observability agents like Fluent Bit are the primary beneficiaries.
Pixie uses eBPF to automatically instrument Kubernetes clusters without modifying application code. A per-node agent captures HTTP, gRPC, SQL, and Redis traffic at the kernel level, exposing service maps, CPU profiles, and SQL traces within minutes. It complements Prometheus for reactive diagnosis with no sidecars or redeploys.
Migrating from monolith to microservices means splitting a single system into independent services that deploy and scale on their own. It gains granular scalability and team autonomy, but adds real operational complexity: stable interfaces, Kubernetes orchestration, and a mature DevOps culture are conditions, not optional extras, for the migration to pay off.
4 min2524.2
We use first- and third-party cookies to analyze site traffic. You can accept them, reject them, or configure your choice.
Learn more about cookies
Cookie preferences
NecessaryEssential for the site to work. Always on.
AnalyticsHelp us understand how the site is used (Google Analytics).