Cloud Native & Open Source: A Team Lead’s Working Journal 💻

A team lead’s perspective on building and managing modern, open technology.

From Dev to Prod: Making Distroless Images Your Default

Security should be a primary driver in IT! Everyone understands the importance of running secure, reliable code at every level of our infrastructure. Since the container revolution began a decade ago with Kubernetes 1.0, traditional IT administrators have lost some control to developers, who can now use Dockerfiles to package and deploy software at unprecedented speed. But at what cost? As organizations adopted runtime security tools to monitor containers and processes, it quickly became clear that pulling base images from public repositories often introduced a flood of vulnerabilities. ...

June 17, 2025 · 4 min · 816 words · Matteo Bisi

Apple container announced

As you probably know, Apple is running WWDC 25, and yesterday there were a lot of exciting announcements. Among these, aside from the OS updates, Apple announced “container” and containerization support for macOS 26. Here are the key features:
- Manage OCI images
- Interact with remote registries
- Create and populate ext4 file systems
- Interact with the Netlink socket family
- Create an optimized Linux kernel for fast boot times
- Spawn lightweight virtual machines
- Manage the runtime environment of virtual machines
- Spawn and interact with containerized processes
- Use Rosetta 2 for executing x86_64 processes on Apple silicon
In fact, the “container” client will be able to spawn a lightweight VM with an optimized Linux kernel and small rootFS, where you can run Linux containers using Rosetta 2 for executing x86 instructions. The interesting part from a security perspective is that every container will run isolated inside its own lightweight VM. ...

June 10, 2025 · 2 min · 215 words · Matteo Bisi

Fresh Start: Moving My Blog from Blogger to Hugo

I finally did it! After years of delay, I moved my blog away from Blogger. I needed something modern and better suited to my content, so I decided to go with Hugo and the PaperMod theme. The site is stored in a GitHub repository and hosted by Cloudflare Pages, which builds my site every time I push something to the repository. I won’t bore you with details about how much better this technical solution is compared to Blogger, but I’ll leave you with some useful links if you’re curious: ...

June 7, 2025 · 1 min · 189 words · Matteo Bisi

Securing Kubernetes 1.33 Pods: The Impact of User Namespace Isolation and hostUsers: false

Kubernetes 1.33 was released on April 23, 2025, and, as usual, introduces a host of fixes and new features. Be sure to check out the release notes; I assure you, you won’t be disappointed! As the Team Leader of a DevSecOps group, I tend to focus on security features. In this article, I want to highlight the new pod support for user namespaces. This feature isn’t entirely new—it was first introduced as an Alpha feature (UserNamespacesSupport) in Kubernetes 1.28. However, as of version 1.33, it is enabled by default, and there’s no longer any need to set a Kubernetes feature flag. ...

May 16, 2025 · 4 min · 716 words · Matteo Bisi

From Manual to GitOps: Simplifying Grafana Dashboard Configuration with Git Sync

Starting with version 12, Grafana introduces the ability to configure dashboards using a GitOps approach through an experimental feature called Git Sync. This is a particularly interesting capability that can help manage dashboards in large and complex environments. Git Sync is available as an experimental feature in both Grafana OSS and Enterprise editions. Activation can also be requested for the Cloud version (currently available as a private preview). You can find the relevant documentation on this page, and below I am including a demo video. ...

May 12, 2025 · 1 min · 85 words · Matteo Bisi

OpenSSF - Open Source Project Security Baseline

Today, I want to share with you a new initiative by OpenSSF called the Open Source Project Security Baseline. The TL;DR: This initiative consists of a series of checks that project maintainers must have in place in their software repositories to demonstrate a strong security posture. The baseline is divided into three well-defined levels. I find this to be an interesting and practical initiative, easy to apply for improving and certifying a project’s security level. ...

February 26, 2025 · 1 min · 94 words · Matteo Bisi

KubeCon EU 2025 London

The countdown to KubeCon EU (London) has begun, and I couldn’t be more thrilled to announce that, for the third year in a row, I’ll have the incredible privilege of attending! This year is extra special because, for the second time, I’ll be managing a booth alongside my amazing colleagues. Why? Because ReeVo, the company that SIGHUP has now joined, will proudly be a sponsor of this major event! ...

February 21, 2025 · 2 min · 230 words · Matteo Bisi

Resolving 'Operation Not Permitted' for CyberArk Conjur Cloud CLI on macOS

As a consultant, it’s always a pleasure to explore new tools, and since the end of 2024, we have been experimenting with CyberArk’s SaaS offering. The first component we started working with is Conjur Cloud, the SaaS version of Conjur Enterprise, which we are already very familiar with. Conjur Cloud features an impressive UI that allows users to configure and manage most settings seamlessly. Like Conjur Enterprise, it also has its own dedicated CLI, available for download on the CyberArk Marketplace. After installing the Conjur Cloud CLI on macOS 15.2, I encountered the following error when attempting to execute it: ...

January 17, 2025 · 1 min · 174 words · Matteo Bisi

macOS, Podman Desktop and the Podman Machine: Pay Close Attention to the Podman Version

Since Podman is the standard tool requested by clients for running local containers outside of a Kubernetes environment, I decided to start the year by installing Podman Desktop on my company MacBook. Podman Desktop features a user interface (UI) similar to Docker Desktop, making it easier to manage containers and images. It also includes plugin management to extend its functionality, such as deploying containers on Kubernetes. After installing Podman Desktop version 1.15.0, I proceeded with the setup but encountered issues with the Podman machine (the virtual machine dedicated to running containers), which failed to start. There were no errors; it just hung during startup. ...

January 10, 2025 · 2 min · 264 words · Matteo Bisi

Confirmed as KubeWeekly Editor: Giving Back to the Cloud-Native Community in 2025

One of the pleasures of working with open-source software (OSS) and community-driven initiatives is the endless opportunities they offer. If you ever find yourself with “not enough” to do at work (yes, that’s ironic!), there’s always an easy way to take on something extra and meaningful. Contributing back to the community you’re part of is a wonderful way to express gratitude. After all, how could anyone be luckier than to give back to something they love? 😊 ...

January 9, 2025 · 1 min · 136 words · Matteo Bisi