August 2026 Countdown: Are Your K8s AI Workloads EU AI Act Ready?

The countdown is on. As of March 2026, we are less than five months away from the full applicability of the EU AI Act (August 2, 2026). For those of us running AI workloads on Kubernetes, whether it’s self-hosted inference engines like vLLM or RAG-based agentic systems, compliance is no longer a legal “later” problem. It’s an engineering “now” problem. Before we dive into the technical implementation, let’s look at the critical roadmap and the cost of getting it wrong: ...

March 16, 2026 · 5 min · 1040 words · Matteo Bisi

The Exploitability Gap: Insights from Datadog’s State of DevSecOps 2026

Intro We have all been there: a Slack notification triggers an alert for a “Critical” CVE, and the scramble to patch begins. But as our clusters grow, so does the noise. The most jarring security stories are often the ones happening silently inside our own production environments. Datadog recently released its State of DevSecOps 2026 report, and the numbers provide a sobering reality check for anyone managing cloud-native infrastructure. The report reveals that 87% of organizations are currently running at least one known exploitable vulnerability in their deployed services. Even more concerning is that many of these services rely on libraries that have been abandoned by their maintainers. This is not just a theoretical problem; it is based on telemetry from thousands of real-world cloud environments, making the findings impossible to dismiss. ...

March 6, 2026 · 3 min · 626 words · Matteo Bisi

Amsterdam Bound: Gearing Up for KubeCon EU 2026

The countdown to KubeCon + CloudNativeCon Europe 2026 has officially entered its final stage! In just a few weeks, the global cloud-native community will descend upon the RAI Amsterdam (March 23–26), and I couldn’t be more excited. For ReeVo, this is a massive and strategic milestone. We are returning as a proud sponsor, and we are arriving in force. This isn’t just a marketing trip; it’s a mission. ...

March 4, 2026 · 3 min · 535 words · Matteo Bisi

Back to Basics: Why Containers Are Just Fancy Linux Processes

The path into platform engineering has changed. Many engineers today start their careers working directly with Kubernetes, writing YAML and managing Helm charts before they ever spend extended time at a Linux terminal. The tooling is so well-abstracted that you can be genuinely productive for months before the underlying system ever becomes relevant. That is a real achievement for the ecosystem. The gap shows up at the worst moments, though: a container crashes with a permission error, a security team flags a pod running as root, a privilege escalation CVE lands and it is not clear whether the cluster is exposed. These are Linux problems, and they are much easier to reason about once you understand what the YAML actually maps to at the kernel level. I have been in those conversations many times, and I always come back to the same set of fundamentals. ...

February 20, 2026 · 11 min · 2292 words · Matteo Bisi

Evaluating Oss Security Fresh Editor s2c2f

It’s December 27th, and like most of you, I’m somewhere between “fully checked out for the holidays” and “can’t stop tinkering with new tools on my laptop.” Nobody’s at work. Teams is shut down and Slack is quiet. The corporate VPN can wait until January. But my curiosity? That’s working overtime. A couple of weeks ago, I discovered Fresh, a Rust-based terminal text editor that feels like it was designed specifically for people like me who live in terminals. Here’s what caught my attention: ...

December 27, 2025 · 10 min · 2034 words · Matteo Bisi

Kubernetes Security: 2025 Stable Features & 2026 preview

Like your favorite music streaming service’s 2025 Wrapped®, here’s my recap of Kubernetes security highlights from 2025, plus predictions for features likely graduating to stable in early 2026. As a DevSecOps Team Leader, I bridge development speed with security rigor daily. Kubernetes and cloud-native security are my passion, especially hardening workloads for production. With Kubernetes v1.35 releasing December 17, now’s the perfect time to review 2025’s security wins and plan for 2026. ...

December 8, 2025 · 4 min · 707 words · Matteo Bisi

Beyond CVE Scanning: The Case for a Hardened Container Image Catalog

In my last few years as a Team Leader DevSecOps, I’ve spent a significant amount of time helping customers, mostly in the financial sector, navigate the complexities of cloud-native security. I have seen companies invest heavily in state-of-the-art runtime protection, CNAPPs, and sophisticated CI/CD security gates. Yet, a familiar pattern emerges time and again: the moment security teams start looking at vulnerability reports, chaos ensues. The numbers are just too high to handle, creating a paralyzing sense of alert fatigue. ...

November 29, 2025 · 10 min · 1954 words · Matteo Bisi

Runc Container Breakout Vulnerabilities

On November 5th, 2025, a set of high-severity vulnerabilities in runc were publicly disclosed, allowing for full container breakouts. Runc is the cornerstone of containerization on Linux, serving as the default low-level container runtime for industry-standard tools like Docker, Podman, and Kubernetes. Its ubiquity means that a vulnerability in runc has far-reaching implications for the entire cloud-native ecosystem. This post summarizes the vulnerabilities, the affected versions, and the recommended actions to mitigate them. ...

November 7, 2025 · 4 min · 725 words · Matteo Bisi

External Secrets Operator: Releases Resume and Governance Matures

This article is a follow-up to my previous post about the state of the External Secrets Operator project. Let’s start with the most important news: External Secrets Operator is set to resume releases on September 22!!! What changed More than 300 volunteers have signed up to contribute across organizations, far exceeding expectations and widening the pipeline of future Members, Reviewers, and Maintainers. Governance has been clarified with a formal Contribution Ladder and focused tracks (Core, Providers, CI, Testing), plus interim roles to spread the load and reduce burnout risk. ...

September 14, 2025 · 1 min · 146 words · Matteo Bisi

External Secrets Operator Team needs help!

External Secrets Operator is a great FOSS project that, over the last few years, has gained traction in Kubernetes environments, becoming one of the standard security tools for managing and integrating Kubernetes secrets from external sources. ESO is an operator and can be installed in different ways, for example via HELM or the OpenShift Operator Catalog. Here’s their GitHub repo. A couple of weeks ago, the team raised a giant RED FLAG with the following announcement: ...

August 15, 2025 · 1 min · 155 words · Matteo Bisi