Cloud Native & Open Source: A Team Lead’s Working Journal 💻

Every technical support team I have worked with shares the same friction point: an analyst keeps four tabs open simultaneously (the EDR console, a ticketing system, an asset CMDB, and a query window) and spends a sizeable chunk of their shift copy-pasting IDs between them. The intelligence exists. The problem is getting it out fast enough. The Model Context Protocol (MCP) is the most credible attempt I have seen yet to reduce that cost. It is a small, open specification for letting LLM-driven assistants invoke external tools in a typed, structured way: a server exposes a catalogue of tools with JSON Schema input contracts, and any MCP-aware client (Claude Desktop, Claude Code, Zed, or your own automation) can call them without writing any glue code. One server definition, every compatible client for free. ...

A few months back I saw a post circulating on LinkedIn about a developer who had been targeted by a fake recruiter. The person had been invited to a “technical assessment,” cloned a repository, and ran the code provided as part of the interview. What followed was a silent drain of every credential stored on their machine. I remember reading it and feeling a specific kind of disgust, not just at the technical sophistication of the attack, but at the deliberate choice to weaponize something as emotionally charged as a job search. ...

On April 29, 2026, CVE-2026-31431 was publicly disclosed. Nicknamed “Copy Fail”, it is a local privilege escalation in the Linux kernel with a CVSS score of 7.8, present in every major distribution running kernel 4.13 or later: Ubuntu, RHEL, Amazon Linux, SUSE, Rocky Linux. What makes it stand out from most CVEs in this class is how little an attacker needs: a 732-byte Python script, standard library only, no compilation, no race conditions, no kernel offsets. First try, every time. ...

Ubuntu 26.04 LTS (“Resolute Raccoon”) shipped on April 24, 2026. Most of the coverage has focused on the desktop and the new Security Center UI, but I work almost exclusively on the server and infrastructure side, so I want to look at what actually matters for the teams I work with: those running Ubuntu Server as a base for VMs, bare-metal nodes, Kubernetes workers, and golden master images. My customers are split between RHEL and Ubuntu. The ones on Ubuntu are typically on 22.04 (few) or 24.04 LTS (most). The question I always get after a new LTS is the same: “Do we need to move now, or can we sit on the current version for another year?” This post is my attempt to give a structured answer, focused on security and container workloads, which is where I can actually add value. ...

It Happened Again On April 22, 2026, the official Bitwarden CLI npm package (@bitwarden/cli) was compromised. For roughly 90 minutes, between 5:57 PM and 7:30 PM ET, anyone who ran npm install @bitwarden/cli received a malicious package. Around 334 developers did exactly that. The attackers did not break into Bitwarden’s npm account directly. Instead, they hijacked a GitHub Actions workflow in Bitwarden’s CI/CD pipeline and weaponised npm’s Trusted Publishing mechanism to push a poisoned release. Trusted Publishing is OIDC-based and requires no stored credentials: it was introduced as a hardening measure after credential-based attacks. It became the entry point. ...

Introduction Tomorrow, April 22, 2026, Kubernetes 1.36 will be officially released. As a team leader working in security, part of my job is reading release notes to understand what is coming and, more importantly, to track the direction the developers are moving in. Some releases are routine progress; others signal a shift in priorities. This is one of those. Kubernetes 1.36 will be remembered as the release that formalized the end of Ingress NGINX. That alone would make it memorable; Ingress NGINX is too big and too deeply embedded in the ecosystem to ignore, and I will dedicate a section to it. But the focus of this post is security: alongside the NGINX retirement, 1.36 delivers meaningful hardening through the graduation of user namespace isolation to GA, faster SELinux volume labeling reaching GA, the stable release of external ServiceAccount token signing, and the permanent removal of features that have been known security liabilities for years. ...

Every few kernel cycles, a release quietly shifts what is possible for the platforms running on top of it. Linux 7.0 is one of those releases. There is no single flashy new security module, no headline-grabbing feature, but there are several changes that collectively improve weak seams that cloud-native security teams have been working around for years. Before this release reached mainstream distributions, I spent a good hour working through the upstream changelog with GitHub Copilot, running multiple state-of-the-art models, cross-referencing commit messages, kernel documentation, and coverage from the broader community, and iterating until the picture was clear. ...

Introduction I have been experimenting with Spec-Driven Development for a while now. If you are not familiar with the approach, I have a few articles tagged spec-kit that cover the theory and a real hands-on walkthrough where I built a Go TUI for Apple Container management. The short version: instead of vibe-coding with an LLM and hoping for the best, you invest upfront in a structured specification, then let the AI work against that spec. The results are measurably different. ...

A few days ago, Docker published an article on LinkedIn about a new tool called Docker Sandboxes (sbx). The pitch is simple: run AI coding agents in fully autonomous mode, without worrying about them touching your host machine. I read it and decided to install it on my MacBook Pro M4 (32 GB RAM) and test it for real. Not to read the documentation and summarize it, but to actually break things, observe what happens, and verify the security claims hands-on. ...

The Unexpected Swag from KubeCon EU 2026 KubeCon EU 2026 Amsterdam was a great edition. I walked away with good conversations, new connections, and the usual conference bag full of stickers. But one thing stood out among the swag: six months of GitHub Copilot Pro+, courtesy of GitHub. I’m not going to pretend I wasn’t excited. Copilot Pro+ isn’t cheap, and having it handed to you as conference loot—just because you showed up in the right place, accepting the right invitation—felt like a proper thank-you to the community. GitHub clearly knows its audience. ...