40% OFF Linux Foundation Tech Talent sale🚀 Use code TECHTALENT26CT at kube.promo/cyber to get flat 40% discount on Individual certifications like CKA, CKAD etc. Using code TECHTALENT26CT you can save up to 45% on the following k8s certification bundles. - CKA CKAD: kube.promo/cka-ckad - CKA CKS Bundle: kube.promo/bundle - CKA CKAD CKS Exam bundle: kube.promo/k8s-bundle - KCNA CKA: kube.promo/kcka-bundle - KCSA CKS Exam Bundle: kube.promo/kcsa-cks - KCNA KCSA Exam Bundle: kube.promo/kcna-kcsa - KCNA KCSA CKA CKAD CKS: kube.promo/kubestronaut ♻️ P.S. Don’t forget to repost and share it with the DevOps community and your friends! #kubernetes #devops #cka #ckad #cks

DevOps Tool of the Week: AirLLM 🛠️ You don't need a powerful GPU to run large models locally. AirLLM is an open-source tool that lets you run large models on a single GPU without needing the whole model in VRAM at once. It splits the model into layers and loads one layer at a time during inference. Here is what it does 👇 - Initially, AirLLM pulls the full model, splits it into per-layer shards, and saves on local disk. - When you send a query, it loads the model into VRAM one layer at a time. - It loads Layer 1 from disk into GPU VRAM, processes it, then clears VRAM and calls the next layer. - It repeats this for every layer, and once all layers are processed, it returns the response to your query. With this, even a 4GB GPU can run a 70B model. 𝗦𝘁𝗮𝗿𝘁 𝗛𝗲𝗿𝗲: github.com/lyogavin/airllm #LLM #MLOps #devopstools

VPN and mTLS are essential and must-know concepts for DevOps engineers This guide aims to teach you the following practically. - Client to Site VPN - Client and Server Certificates Generation using EasyRSA - Mutual TLS Authentication (mTLS) So, why is it important to learn these? Every organization uses VPN connectivity to securely connect to cloud resources. The best way to understand VPN & mTLS is by setting up one. 𝗗𝗲𝘁𝗮𝗶𝗹𝗲𝗱 𝗚𝘂𝗶𝗱𝗲: devopscube.com/aws-client-vp… The following topics are covered in a theoretical format: - SAML/Active Directory-based authentication. - TCP vs UDP Do further research and gain a detailed understanding of the above topics. They are fundamental for DevOps engineers PS: ♻️ Repost if you find this useful. It helps the Learning community 🙂 Got any tips or info to share with the community? Drop a comment :) #devops #aws #practicaldevops

This Kubernetes feature changes how containers handle root privileges 👇 User Namespaces is security feature that maps user and group IDs inside a container to a different set of IDs on the host (Rootless Isolation) Here is the key idea. A process running as root (UID 0) inside the container runs an unprivileged user (eg, UID 100000) on the host. Without user namespaces, when a container runs as root uses the same root identity as the host. So If an attacker breaks out of the container, they get full host privileges. I have published a hands-on guide convering the following. - What are User Namespaces - How kernel does the root to non-root user mapping - What changes when you set hostUsers: false - Limiting host UID ranges using /etc/subuid file - Hands on deployment to understand User Namespace - User Namespace limitations 𝗥𝗲𝗮𝗱 𝗶𝘁 𝗛𝗲𝗿𝗲: newsletter.devopscube.com/p/… Have you tried this feature it? ♻️ PS: Repost and share this with the community! #devops #kubernetes

Kubernetes NodeLocal DNSCache Explained 🚀 When it comes to performance, Every DNS lookup in Kubernetes matters. Without NodeLocal DNSCache, Pods send DNS queries to the kube-dns/CoreDNS Service IP. These requests go through kube-proxy, DNAT rules, and conntrack before reaching CoreDNS. In busy clusters, this can add latency and increase pressure on the conntrack table. NodeLocal DNSCache solves this by running a local DNS cache on every node as a DaemonSet. So, instead of talking to CoreDNS directly, Pods send DNS queries to the local cache on the same node. Here are its key benefits, - It Reduces average DNS lookup time as the DNS queries are resolved locally using DNS cache - It reduces load on CoreDNS - It prevents conntrack table exhaustion as Connections from Pods to their local cache don't create conntrack table entries - DNS queries for external URLs fcan be forwarded directly without involving CoreDNS We share deep dives on Kubernetes, DevOps, MLOps, Cloud and GitOps → 𝗝𝗼𝗶𝗻 𝗛𝗲𝗿𝗲 (𝟭𝟬𝟬% 𝗳𝗿𝗲𝗲): newsletter.devopscube.com/su… ♻️ PS: Repost and share it with the DevOps community. Note: NodeLocal DNSCache it is not enabled by default in Kubernetes. It must be deployed manually as a DaemonSet (except on managed platforms like GKE Autopilot where it's now default). Got any tips? ⬇️ Share and discuss in the comments below! ⬇️ #devops #kubernetes

DevOps Tool of the Week: Dragonfly 🛠️ Pulling a 130 GB model to 200 GPU nodes generates 26 TB of traffic. But what if nodes pulled from each other instead of the source? That is where Dragonfly helps. It is an open-source peer-to-peer file distribution system. The initial downloading node becomes a local cache. The model hub is hit once, and the rest of the cluster pulls from each other. Here is what it does 👇 - Supports direct model downloads from Hugging Face and ModelScope. - Split files and start sharing peer-to-peer before the first download finishes. - Reduce origin bandwidth from 26 TB to ~130 GB across 200 nodes. - Supports private repos with token authentication. - Deploys on Kubernetes as a DaemonSet. 👉𝗚𝗶𝘁𝗵𝘂𝗯 𝗥𝗲𝗽𝗼: github.com/dragonflyoss/drag… #devopstools #devops

Kubernetes Secret: Data vs. StringData 🚀 When you create a k8s secret, You can specify secret data in two different fields: - Data - StringData What is the difference? If you specify the Data field, the secret values must be base64-encoded (pre-encoded). However, if you want to use plain text in the manifest, you can use the StringData field. When you create a secret using StringData, it automatically gets converted to Data and stored in the data field as Base64-encoded value. So the purpose of stringData is simply developer convenience during secret creation and updates. The actual Secret object always stores data in the data field Additionally, you can use both StringData and Data in the same manifest. For duplicate keys, StringData takes precedence over Data. For example, if you specify username in both Data and StringData, the key from StringData takes precedence, and the key in Data is ignored. However, if you have distinct keys, all of them will be available in the created secret. If you have any insights or tips to share, do share them in the comments below! We share deep dives on Kubernetes, DevOps,MLOps, Cloud and GitOps → 𝗝𝗼𝗶𝗻 𝗛𝗲𝗿𝗲 (𝟭𝟬𝟬% 𝗳𝗿𝗲𝗲): newsletter.devopscube.com/su… ♻️ PS: Repost and share it with the DevOps community. --- ⚠️ Important note: Base64 is encoding, not encryption. Anyone with access to the secret manifest or etcd can decode it in seconds. It offers zero security. For proper secret management, use dedicated tools like: - HashiCorp Vault - AWS Secrets Manager / Azure Key Vault - Sealed Secrets Also, enable encryption at rest for etcd and use RBAC to restrict secret access. ⬇️ Discuss in the comments below! ⬇️ #devops #kubernetes

Kubernetes Interview Question 🚀 How to fix conntrack exhaustion in Kubernetes? Conntrack is one of the most critical and overlooked parts of Kubernetes networking. The conntrack table on the nodes has a maximum size. Kubernetes generates huge amounts of NAT traffic because of ClusterIP Services, kube-proxy iptables mode, readiness/liveness probes, service mesh traffic etc.. So, in a busy cluster with hundreds of pods making thousands of connections, that table fills up fast. Many Linux systems default to values around 131072 entries, though the actual value depends on kernel and system memory. If conntrack is full, the following happens. - Random connection timeouts - Intermittent DNS failures - API calls that fail with no clear error - Works sometimes, fails sometimes behavior - Services that appear healthy but connections randomly drop There are several ways to mitigate and prevent the issue. We have explained all the solutions in our detailed conntrack guide. 𝗥𝗲𝗮𝗱 𝗶𝘁 𝗛𝗲𝗿𝗲: newsletter.devopscube.com/p/… ♻️ If you find it useful, share it with fellow DevOps and Cloud Engineers. #devops #kubernetes

DevOpsCube Weekly: Edition #2 is out ☕ Conntrack In Kubernetes, AgentGateway, GitHub OIDC on AWS, Remote Jobs & More.. 𝗥𝗲𝗮𝗱 𝗶𝘁 𝗛𝗲𝗿𝗲: newsletter.devopscube.com/p/… ♻️ If you find it useful, share it with fellow DevOps and Cloud Engineers. #devops

DevOps Tool of the Week: Agentgateway 🛠️ As AI agents become part of production systems, managing how they connect to LLMs, tools, APIs, and MCP servers becomes difficult. Agentgateway solves this by acting as a central gateway for AI agents. Here is what it does 👇 - Routes traffic between agents, tools, APIs, and LLMs. - Provides a single endpoint for MCP servers and agent communication. - Adds authentication, security policies, and rate limiting. - Gives visibility into agent requests, failures, and usage. Think of it as an API Gateway for Agentic AI systems. 👉𝗚𝗶𝘁𝗵𝘂𝗯 𝗥𝗲𝗽𝗼: github.com/agentgateway/agen… #devops #aiops #mlops

Free Claude Courses 🚀 If you are a DevOps engineer trying to understand how AI fits into infrastructure and automation these Claude courses are worth checking out. Anthropic has structured learning paths around: - AI Fluency and prompt engineering - Claude API development - Claude Code for engineering workflows - MCP (Model Context Protocol) - AI agent workflows and integrations 👉 𝗦𝘁𝗮𝗿𝘁 𝗛𝗲𝗿𝗲: claude.com/resources/courses ♻️ P.S. Dont forget to repost and share with the DevOps community. #devops #aiops #PlatformEngineering

How Conntrack Powers Kubernetes Services 🚀 In this guide, You will understand conntrack through real Kubernetes networking scenarios and see why it plays a critical role behind Kubernetes Services, kube-proxy, NAT, and DNS traffic. You will learn, - What conntrack is and why it exists - Why Kubernetes Services depend on it - How to inspect the conntrack table - What happens when the table gets full - How to troubleshoot and fix conntrack exhaustion in production 𝗗𝗲𝘁𝗮𝗶𝗹𝗲𝗱 𝗚𝘂𝗶𝗱𝗲: newsletter.devopscube.com/p/… ♻️ P.S. Repost and share with the DevOps community. #devops #kubernetes

CKA Exam Guide With Study Notes 🚀 As per the community request, we have added study notes section with illustrations. It covers key areas like Gateway API, Network Policies, Cluster administration etc.. 𝗚𝗶𝘁𝗛𝘂𝗯 𝗥𝗲𝗽𝗼: github.com/techiescamp/cka-c… Bookmark the repo and start your CKA prep this week. Found it useful? Star the repo ⭐ and share it with someone prepping for CKA. Got questions on any CKA topic? Drop them in the comments 👇 #cka #kubernetes

What is NOTES.txt in Helm Chart? In this guide, you will learn about: - What is Helm Notes.txt - How it works and its use cases - How to view notes before and after chart installation. - Simple hands-on guide to show the Notes.txt functionality. - How to suppress notes output Detailed Blog: devopscube.com/helm-notes-tx… ♻️ P.S. Repost and share with the DevOps community.

GitHub Actions AWS Without Long-Lived Secrets? 🚀 Modern DevOps pipelines should not depend on hardcoded AWS access keys. Because leaked CI/CD credentials are still one of the biggest cloud security risks. That is where OIDC helps. Instead of storing AWS secrets in GitHub, your workflow gets short-lived, temporary credentials directly from AWS at runtime. - No static keys. - No secret rotation headaches. - Less blast radius if something goes wrong. In this blog, We will look at GitHub Actions OIDC AWS Integration using a step-by-step example that secures access to the AWS cloud. By the end of this guide, you will understand: - Why OIDC is a secure way to connect GitHub Actions with AWS - How GitHub’s OIDC integration works with AWS - A step-by-step method to set up OIDC using IAM roles - How to test the setup using AWS CLI and deploy to EKS with GitHub Actions workflows 𝗗𝗲𝘁𝗮𝗶𝗹𝗲𝗱 𝗕𝗹𝗼𝗴: devopscube.com/github-action… 𝗡𝗼𝘁𝗲: A fully private GitHub Enterprise Server setup cannot use AWS OIDC unless AWS can access the GHES OIDC metadata endpoint over HTTPS #devops #GithubActions #OIDC #aws

What is the Difference Between Self-Managed vs Public SSL/TLS Certificates? 🚀 DevOps Engineers often work with TLS certificates, and understanding the difference between self-managed and paid certificates is very important. So lets understand the basics. 𝗪𝗵𝗮𝘁 𝗶𝘀 𝗮 𝗖𝗲𝗿𝘁𝗶𝗳𝗶𝗰𝗮𝘁𝗲 𝗔𝘂𝘁𝗵𝗼𝗿𝗶𝘁𝘆? Certificate Authority (CA) is usually a company or organization that issues digital certificates. Here's how to request a TLS certificate from a well-known Certificate Authority (CA) like Verisign, LetsEncrypt or Comodo: - Create a Certificate Signing Request (CSR) with a private key. The CSR includes details about your location, organization, and FQDN (Fully Qualified Domain Name). - Send the CSR to the trusted CA. - The CA validates the request and sends back a TLS certificate signed using the CA’s private key. - Validate and use this TLS certificate with your applications. Most browsers and operating systems 𝘀𝘁𝗼𝗿𝗲 𝗿𝗼𝗼𝘁 𝗖𝗔 𝗰𝗲𝗿𝘁𝗶𝗳𝗶𝗰𝗮𝘁𝗲𝘀 from all the trusted CAs. You can view them from the browser settings. That is why browsers don’t show security messages when visiting websites using TLS from a trusted and well-known commercial CA. Each browser has its own set of criteria and processes for accepting and trusting CAs. 𝗦𝗼, 𝘄𝗵𝗼 𝗱𝗲𝗰𝗶𝗱𝗲𝘀 𝗶𝗳 𝗮 𝗖𝗔 𝗰𝗮𝗻 𝗯𝗲 𝘁𝗿𝘂𝘀𝘁𝗲𝗱? Well, they are vetted by independent audit organizations like webtrust. The results of these audits are important for a CA to be trusted by web browsers and operating systems. Now let’s look at self-managed certificates. For internal applications, organizations often run their own private CA (PKI infrastructure). The workflow looks like this: - Create your own Root CA certificate and CA private key - Generate a server private key and CSR - Use the CA private key to sign the CSR and generate the TLS certificate - Install the Root CA certificate in browsers or operating systems to avoid HTTPS warnings Without installing the Root CA certificate, browsers will show security warnings because the CA is not publicly trusted. For public endpoints, organizations always use certificates from well-known CAs (LetsEncrypt or paid ones) We share deep dives on Kubernetes, DevOps,MLOps, Cloud and GitOps → 𝗝𝗼𝗶𝗻 𝗛𝗲𝗿𝗲 (𝟭𝟬𝟬% 𝗳𝗿𝗲𝗲): newsletter.devopscube.com/ ♻️ PS: Repost and share it with the DevOps community. Got any tips? ⬇️ Discuss in the comments below! ⬇️ #devops #devopscommunity

☕ This Week in DevOpsCube Here’s the TLDR 👇 • Feature Store explained for DevOps Engineers • Deploy a ML Feature Store on Kubernetes • Reducing Kubeflow image size from 3.17 GB to 354 MB • Real Kubernetes CNI troubleshooting scenario on AWS • How Uber runs 60,000 AI agent tasks • Free Claude courses & learning resources 𝗥𝗲𝗮𝗱 𝗶𝘁 𝗛𝗲𝗿𝗲: newsletter.devopscube.com/p/… ♻️ PS: If you find these resources useful, share this with your network. #devops #mlops

You won't see this 65% Discount again until Cyber Monday👇 Use code MM26CCCT at kube.promo/cyber to get flat 50% discount on Individual certifications like CKA, CKAD etc. Using code MM26BUNCT you can save up to 60% on the following k8s certification bundles. - CKA CKAD: kube.promo/cka-ckad - CKA CKS Bundle: kube.promo/bundle - CKA CKAD CKS Exam bundle: kube.promo/k8s-bundle - KCNA CKA: kube.promo/kcka-bundle - KCSA CKS Exam Bundle: kube.promo/kcsa-cks - KCNA KCSA Exam Bundle: kube.promo/kcna-kcsa You can save up to 65% off on Kubestronaut Bundle as compare to individual purchase. Use code MM26K8BUNCT for the following Kubestronaut Bundle - KCNA KCSA CKA CKAD CKS: kube.promo/kubestronaut Kubestronaut Benefits Includes the following. - Five 50%-off certification coupons each year to use or share - 20% off select CNCF events - Exclusive Kubestronaut community access - The iconic blue Kubestronaut jacket Grab these offers before it end. ♻️ P.S. Don’t forget to repost and share it with the DevOps community and your friends! #kubernetes #devops #cka #ckad #cks

DevOps Tool of the Week: Kafbat UI ⚒️ Running Kafka in production is great until you need to actually look inside it. Kafbat UI is a free, open-source web UI to monitor and manage Apache Kafka clusters. It gives you a single pane of glass for your Kafka clusters. Brokers, topics, partitions, consumer groups, schema registry, Kafka Connect, all in one dashboard. You can browse messages in JSON, Avro, or Protobuf, filter live streams with CEL expressions, check consumer lag per partition, and create or reconfigure topics without touching a CLI. 𝗚𝗶𝘁𝗛𝘂𝗯 𝗥𝗲𝗽𝗼: github.com/kafbat/kafka-ui #devops #devopstool