DevOps Daily with Fexingo: CI/CD, Kubernetes, and Modern Software Operations podcast artwork

PODCAST · business

DevOps Daily with Fexingo: CI/CD, Kubernetes, and Modern Software Operations

Lucas and Luna dissect the daily realities of DevOps, from CI/CD pipeline design to Kubernetes cluster management and the human systems that keep software running. Each episode grounds abstract principles in real incidents—a failed deployment at a major retailer, a postmortem from a cloud outage, a configuration drift disaster—and traces the operational decisions that turned them around. Lucas brings the technical precision of a working engineer, while Luna pushes on the team dynamics, cost trade-offs, and organizational bottlenecks that separate resilient operations from fragile ones. They discuss monitoring strategies, incident response playbooks, infrastructure-as-code trade-offs, and the cultural friction between development velocity and operational stability—always with concrete examples, never with buzzwords. This is the show for engineers, SREs, and platform leads who want to hear two seasoned practitioners argue through the hard choices: when to rewrite vs. patch, how much obse

Publisher-supplied feed metadata · PodParley refreshed Jun 13, 2026 · Source feed

  1. 47

    Why Kubernetes Pod Disruption Budgets Fail Under Spot Node Drains

    Episode 60 of DevOps Daily with Fexingo: Lucas and Luna dig into a common but poorly understood Kubernetes failure mode — Pod Disruption Budgets (PDBs) that actually accelerate downtime during spot instance preemptions. Using AWS Spot Node draining as the concrete case (similar dynamics apply on GKE Preemptible and Azure Spot), they trace why PDBs designed to protect availability can paradoxically block node drains, leaving workloads stranded. They walk through a real scenario: a stateless microservice with minAvailable=2, three replicas, and a single-node spot pool. The drain command hangs because Kubernetes can't find a second node to reschedule to, triggering a timeout instead of a graceful eviction. They discuss the root cause — PDBs don't consider node topology — and offer two practical mitigations: setting maxUnavailable instead of minAvailable where possible, and combining PDBs with cluster autoscaler priority classes. No theory, no fluff — just a production pitfall you'll face if you use spot instances at scale. #Kubernetes #PodDisruptionBudget #SpotInstances #AWS #DevOps #CloudNative #SiteReliabilityEngineering #ClusterAutoscaler #NodeDrain #K8sFailures #Microservices #ProductionIncidents #CloudCostOptimization #Technology #SoftwareEngineering #FexingoBusiness #BusinessPodcast #DevOpsDaily Keep every episode free: buymeacoffee.com/fexingo

  2. 46

    Why Kubernetes ResourceQuotas Starve Your Batch Jobs

    Lucas and Luna dig into a common but overlooked Kubernetes pain point: how ResourceQuotas designed to prevent resource abuse can accidentally deadlock your batch processing pipeline. They walk through a real incident at a mid-size fintech that ran 24,000 short-lived Pods per day, where namespace-level quotas caused cascading failures during a routine data-backfill job. Lucas explains the mechanics—how admission controllers evaluate quotas at Pod creation time, why burst concurrency matters more than total resource limits, and the counterintuitive fix: lowering quota ceilings to raise throughput. Luna pushes back on the conventional wisdom that more quota always means more capacity. The episode closes with a practical monitoring heuristic using the 'kubectl describe quota' command to spot the problem before it hits production. #Kubernetes #ResourceQuotas #BatchJobs #DevOps #CloudNative #Fintech #PodLifecycle #AdmissionController #Concurrency #Backfill #Kubectl #ProductionIncident #CapacityPlanning #ClusterAutoscaling #Scheduling #FexingoBusiness #BusinessPodcast #Technology Keep every episode free: buymeacoffee.com/fexingo

  3. 45

    Why Kubernetes Container Images Bloat Your Node Disk

    Lucas and Luna break down how container image layers silently consume node disk space in Kubernetes clusters. Using real numbers from a 500-node production cluster, Lucas explains the hidden cost of unused base images, intermediate layers, and stale tags that build up over time. Luna shares a horror story of a team that had to drain an entire node because garbage collection ran too late. The episode covers practical strategies to audit image usage, configure image garbage collection thresholds in kubelet, and set up a retention policy. No abstract theory: listeners get a concrete checklist they can apply to their clusters by end of day. This episode is for DevOps engineers who want to keep their nodes healthy without buying more storage. #Kubernetes #ContainerImages #DevOps #NodeDisk #ImageGC #Kubelet #TechOperations #CloudNative #Docker #ContainerLayers #DiskPressure #ClusterHealth #ImageAudit #Storage #SRE #FexingoBusiness #BusinessPodcast #Technology Keep every episode free: buymeacoffee.com/fexingo

  4. 44

    How Kubernetes Cluster DNS Caches Amplify Failures

    Lucas and Luna unpack a specific Kubernetes failure pattern: cluster DNS caching. When one node experiences a DNS resolution error, cached negative responses can propagate across the cluster, causing cascading service discovery failures. They walk through how the NodeLocal DNSCache plugin can actually make this worse under certain conditions, and dig into a real incident at a mid-size fintech where a single misconfigured CoreDNS pod took down three microservices for 12 minutes. They also explain why the default 'ndots:5' setting causes unnecessary upstream lookups, and share concrete tuning strategies for reducing DNS latency in high-traffic deployments. If you run Kubernetes in production and your services talk to each other, this episode is a troubleshooting cheat sheet. #Kubernetes #DNS #CoreDNS #NodeLocalDNSCache #ServiceDiscovery #ClusterNetworking #SiteReliabilityEngineering #Microservices #ProductionIncidents #KubernetesTroubleshooting #CloudNative #DevOps #Infrastructure #Technology #FexingoBusiness #BusinessPodcast #Podcast #SoftwareOperations Keep every episode free: buymeacoffee.com/fexingo

  5. 43

    How Kubernetes Node Local DNS Cache Reduces Latency

    In this episode of DevOps Daily, Lucas and Luna dive into the specific mechanics and benefits of Kubernetes Node Local DNS cache (NodeLocal DNSCache). They explain how it reduces DNS latency by up to 30 percent, prevents conntrack table exhaustion, and alleviates pressure on CoreDNS in large clusters. The discussion covers real-world deployment configurations, including the use of iptables rules to intercept DNS queries, the trade-offs with cluster DNS autoscaling, and a concrete migration strategy for production clusters running 500+ nodes. Tune in for actionable insights on optimizing DNS resolution in Kubernetes. #Kubernetes #DNS #NodeLocalDNSCache #CoreDNS #Latency #Optimization #DevOps #CloudNative #CNCF #K8s #Performance #Scalability #Network #Technology #FexingoBusiness #BusinessPodcast #Podcast #SoftwareOperations Keep every episode free: buymeacoffee.com/fexingo

  6. 42

    How Kubernetes QOS Classes Cause OOM Kills in Production

    Episode 55 of DevOps Daily dives into Kubernetes Quality of Service (QOS) classes — Guaranteed, Burstable, and BestEffort — and how they determine which pods get killed when memory runs out. Lucas explains why a Burstable pod with a 1GB limit but a 500MB request is more likely to be OOM-killed than a BestEffort pod using 100MB, using a real-world case from a fintech startup that lost payment-processing pods during a memory spike. Luna shares a counterintuitive example from her own Kubernetes cluster where setting requests equal to limits actually reduced total utilization. The hosts discuss the trade-offs between resource efficiency and reliability, and why many teams blindly set requests too low. The episode also covers practical strategies: using Vertical Pod Autoscaler to tune requests, setting memory limits with a 20% headroom buffer, and monitoring the oom_kill counter in Prometheus. A must-listen for any engineer running stateful workloads on Kubernetes. #Kubernetes #QOS #OOMKill #DevOps #ContainerOrchestration #PodScheduling #MemoryManagement #CloudNative #Fintech #SiteReliabilityEngineering #Prometheus #VerticalPodAutoscaler #KubernetesBestPractices #ProductionIncidents #ResourceManagement #Technology #FexingoBusiness #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo

  7. 41

    How Kubernetes Network Policies Create Silent Outages

    Lucas and Luna dig into a specific Kubernetes failure pattern that most teams discover the hard way: network policies that block healthy traffic after a rollout. They walk through a real incident at a mid-size fintech company where a seemingly innocuous deny-all ingress policy took down payment processing for 47 minutes. Lucas explains how Kubernetes NetworkPolicy objects are evaluated, why default-deny patterns can backfire, and why teams should use audit-mode logging before enforcing. Luna shares a pragmatic checklist for testing network policies in staging. They close with the one label selector rule every DevOps engineer should memorize before their next production deploy. A solid episode for anyone running Kubernetes beyond a hobby cluster. #Kubernetes #NetworkPolicy #DevOps #ProductionIncident #Fintech #PodNetworking #CNI #Calico #Cilium #DefaultDeny #LabelSelector #SilentOutage #InfrastructureAsCode #CloudNative #Technology #FexingoBusiness #BusinessPodcast #TechOps Keep every episode free: buymeacoffee.com/fexingo

  8. 40

    Why Kustomize Overlays Create Configuration Drift

    In this episode of DevOps Daily, Lucas and Luna tackle a subtle but costly problem in Kubernetes configuration management: Kustomize overlays that silently diverge from their base configurations. Using a real-world example from a mid-size e-commerce company, they break down how three overlays intended to customize deployments for dev, staging, and production environments ended up creating a cascade of misconfigurations. Lucas explains the root cause—a common anti-pattern where overlay patches override base fields without version control warnings—and walks through how a simple diff-and-lint pipeline could have caught the drift before it caused a production outage. Luna challenges the assumption that Kustomize alone is enough for configuration hygiene, and they discuss when teams should consider tools like Helm or Jsonnet for tighter validation. If you are using Kustomize in your Kubernetes workflows, this episode will save you from a painful debugging session. #Kustomize #ConfigurationDrift #Kubernetes #DevOps #CI/CD #InfrastructureAsCode #GitOps #ConfigurationManagement #KubernetesDeployment #OverlayPatches #YAML #ProductionOutage #TechPodcast #SoftwareEngineering #FexingoBusiness #BusinessPodcast #CloudNative #DevOpsDaily Keep every episode free: buymeacoffee.com/fexingo

  9. 39

    Why Kubernetes EndpointSlice Delays Break Service Discovery

    In episode 52 of DevOps Daily with Fexingo, Lucas and Luna dig into a hidden performance gotcha in Kubernetes service discovery: the EndpointSlice controller's default sync interval. Lucas walks through a real incident at a mid-size e-commerce company where a deployment rollout caused five minutes of traffic blackholing because EndpointSlices lagged behind pod readiness. They compare EndpointSlice to the older Endpoints API, explain the kube-controller-manager flags that control sync timing, and discuss the trade-offs between faster propagation and API server load. Luna challenges Lucas on whether most teams should even tweak these defaults, and they land on a practical recommendation: monitor your service propagation latency before you tune anything. If you manage Kubernetes at scale and have ever seen 'no endpoints available' for longer than you expected, this episode explains why. #Kubernetes #EndpointSlice #ServiceDiscovery #kubeControllerManager #PodLifecycle #TrafficBlackholing #CloudNative #DevOps #SiteReliabilityEngineering #KubernetesNetworking #EndpointsAPI #ContainerOrchestration #KubernetesPerformance #RollingUpdate #FexingoTechnology #TechnologyPodcast #FexingoBusiness #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo

  10. 38

    Why Kubernetes Service Mesh Sidecars Drain Your Memory Budget

    In this episode of DevOps Daily, Lucas and Luna explore a hidden cost of Kubernetes service meshes: the memory overhead of sidecar proxies. They break down how Istio's Envoy sidecars commonly consume 50-100 MB per pod, and how a 50-node cluster with 200 pods can waste over 10 GB of RAM just on proxy overhead. They compare sidecar-less alternatives like Cilium's eBPF-based mesh and Istio's ambient mode, and share real benchmarks from large-scale deployments that saved 30-40% on compute costs by switching. The hosts also discuss practical strategies—like tuning proxy resource limits and using selective sidecar injection—to avoid blowing your cluster's memory budget. A must-listen for any Kubernetes operator optimizing cloud costs. #Kubernetes #ServiceMesh #Istio #Envoy #Sidecar #MemoryOverhead #Cilium #eBPF #AmbientMesh #CloudCosts #ResourceOptimization #DevOps #Technology #FexingoBusiness #BusinessPodcast #Podcast #CloudNative #SRE Keep every episode free: buymeacoffee.com/fexingo

  11. 37

    Why Kubernetes Priority Classes Create Scheduling Chaos

    Episode 50 of DevOps Daily with Fexingo takes a hard look at Kubernetes PriorityClasses — the feature meant to ensure critical pods run first but often backfires into scheduling chaos. Lucas and Luna unpack a real production outage at a mid-sized fintech company where misconfigured priority classes caused a cascade of evictions and resource starvation. They walk through the mechanics of preemption, the hidden cost of default priorities, and why many teams set up their priority tiers wrong. The conversation also touches on the tension between reliability engineers and cost optimizers, and offers a practical heuristic for assigning priority classes that won't surprise you during a traffic spike. If you've ever wondered why your cluster autoscaler is scaling up like crazy while pods are still pending, this episode explains the silent culprit. #Kubernetes #DevOps #PriorityClasses #Scheduling #CloudNative #Preemption #ClusterAutoscaler #PodLifecycle #Fintech #ProductionOutage #ResourceManagement #SRE #PlatformEngineering #K8sBestPractices #TechPodcast #DevOpsDaily #FexingoBusiness #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo

  12. 36

    How Kubernetes Node Draining Can Cause Cascading Failures

    In this episode of DevOps Daily with Fexingo, Lucas and Luna dive into a specific failure mode that often surprises even experienced Kubernetes operators: cascading failures caused by mishandled node draining. They walk through a real-world scenario where a routine node drain for a kernel patch triggered a chain reaction: PodDisruptionBudgets were respected on paper, but the remaining nodes couldn't handle the load, leading to resource starvation and a partial cluster outage. They break down why the Kubernetes scheduler doesn't account for combined resource pressure during draining, how default eviction timeouts can mask the problem, and what operational practices — like pre-drain load testing and gradual cordoning — can prevent the cascade. No fluff, just one concrete angle with actionable takeaways. #Kubernetes #NodeDraining #CascadingFailures #PodDisruptionBudget #ClusterResilience #SRE #DevOps #CloudNative #Operations #ProductionIncident #KubernetesScheduler #EvictionTimeout #LoadTesting #HighAvailability #Infrastructure #Technology #FexingoBusiness #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo

  13. 35

    Why Kubernetes CronJob Timezones Break Production Schedules

    In this episode, Lucas and Luna dive into a deceptively tricky Kubernetes feature: CronJob timezone handling. They break down how CronJobs default to UTC regardless of the cluster's regional settings, leading to off-schedule jobs, missed backups, and batch processing failures. Using a real-world example from a fintech company that lost two hours of payment reconciliation data, they explain why the .spec.schedule timezone field added in Kubernetes 1.27 is still underused, and why operators relying on TZ environment variables are playing with fire. They also cover how kube-controller-manager's timezone drift can compound the problem, and share a simple audit command to check all CronJobs for implicit UTC assumptions. If you manage scheduled jobs in Kubernetes, this episode will save you from a midnight pager. #Kubernetes #CronJob #Timezone #DevOps #CloudNative #Scheduling #ProductionBug #Fintech #BatchProcessing #KubeControllerManager #UTC #SiteReliability #PlatformEngineering #TechPodcast #FexingoBusiness #BusinessPodcast #DevOpsDaily #SoftwareOperations Keep every episode free: buymeacoffee.com/fexingo

  14. 34

    Why Kubernetes Pod Security Standards Still Leak

    Lucas and Luna revisit pod security standards in Kubernetes, digging into a specific case where a restricted PSP still allowed privilege escalation through a misconfigured seccomp profile. They walk through a real-world example from a fintech startup that ran a compliance audit and discovered their 'secure' pods were running with default-deny seccomp disabled. The conversation covers why PSPs and PSS profiles are not a silver bullet, how admission controllers can be bypassed, and what operators should actually check in their cluster logs. No fluff, just the concrete gap between policy intent and runtime reality. #Kubernetes #PodSecurity #Seccomp #ContainerSecurity #DevOps #Technology #CloudNative #SecurityAudit #PSP #PSS #AdmissionController #RuntimeSecurity #Fintech #Compliance #FexingoBusiness #BusinessPodcast #Podcast #DevOpsDaily Keep every episode free: buymeacoffee.com/fexingo

  15. 33

    Why Kubernetes Pod Priority Preemption Wastes Cluster Resources

    Lucas and Luna break down a subtle but costly Kubernetes anti-pattern: using pod priority and preemption without proper resource accounting. They walk through how a mid-stage startup accidentally triggered a cascading preemption storm by misconfiguring priority classes on their CI/CD runners and ML training pods, leading to 40% wasted compute and unpredictable evictions. Lucas explains the math behind the scheduler's preemption logic, why lower-priority pods can still cause cluster thrashing, and three concrete fixes: bin packing via node selectors, using descheduler plugins, and setting priority thresholds based on actual workload criticality. Luna pushes back on the 'just set higher priority' mindset and asks whether priority classes even make sense without guaranteed QoS. The episode includes a natural donation segment around the 25% mark where the hosts reflect on the value of ad-free content. Perfect for anyone managing Kubernetes clusters who has ever wondered why their nodes look full but their applications feel empty. #Kubernetes #PodPriority #Preemption #ClusterScheduler #ResourceManagement #CloudNative #DevOps #K8sAntiPatterns #NodePressure #BinPacking #Descheduler #QualityOfService #CICD #MLTraining #ClusterThrashing #FexingoBusiness #BusinessPodcast #Technology Keep every episode free: buymeacoffee.com/fexingo

  16. 32

    Why Kubernetes Topology Spread Constraints Create Unbalanced Nodes

    Episode 45 of DevOps Daily with Fexingo digs into Kubernetes topology spread constraints – the feature meant to spread pods evenly across failure domains, but that can actually create severe node imbalances. Lucas and Luna explore a real incident where a three-node cluster ended up with 40 pods on one node and 4 each on the others, causing resource exhaustion and cascading failures. They explain how 'maxSkew' and 'whenUnsatisfiable' interact in surprising ways, why topology spread constraints don't play well with autoscalers, and how to avoid the 'spread paradox' where enforcing balance creates imbalance. Tune in for practical configuration advice and a breakdown of when to use topology spread instead of pod affinity. #Kubernetes #TopologySpreadConstraints #MaxSkew #PodScheduling #DevOps #K8s #ClusterBalancing #NodeImbalance #PodAffinity #CloudNative #FexingoBusiness #BusinessPodcast #Technology #CI/CD #SoftwareOperations #Scheduling #Autoscaler #KubernetesFailure Keep every episode free: buymeacoffee.com/fexingo

  17. 31

    How Kubernetes Node Priority Expands Your Cluster Costs

    Lucas and Luna dive into a hidden cost driver in Kubernetes clusters: node priority and the scheduler's 'most requested' scoring. They explain how default scheduling behavior over-provisions nodes, why even well-tuned clusters run 15-30% extra capacity, and a concrete fix using pod priority classes and node affinity. The episode walks through a real-world case where a mid-size fintech reduced its GKE bill by 22% by adjusting priority scoring weights. A must for DevOps engineers wondering why their cloud spend keeps creeping up despite right-sizing. #Kubernetes #DevOps #CloudCost #NodePriority #Scheduler #ClusterAutoscaling #GKE #PodPriorityClass #NodeAffinity #CostOptimization #CloudNative #FinOps #K8s #Infrastructure #Technology #FexingoBusiness #BusinessPodcast #DevOpsDaily Keep every episode free: buymeacoffee.com/fexingo

  18. 30

    Kubernetes Cluster Autoscaler Fails Under Spot Instance Interruptions

    Episode 43 of DevOps Daily with Fexingo dives into a hidden failure mode of the Kubernetes Cluster Autoscaler: it frequently fails to scale up new nodes quickly enough after a spot instance interruption. Lucas explains how the default unready-node-taint strategy can delay scale-up by several minutes, causing pods to stay pending and potentially triggering cascading failures. He walks through a real incident at a mid-size SaaS company where a 40% spot interruption rate led to 15-minute scale-up latencies and broken SLOs. Luna challenges whether unscheduled pods on a tainted node really need to be recreated from scratch, and the pair discuss workarounds like increasing the scale-up ratio of the CA's expansion options, using the new PodTopologySpread constraints, and pre-provisioning a small buffer of on-demand nodes. The episode also covers upcoming Kubernetes 1.32 changes to the Cluster Autoscaler's handling of instance interruptions. No ad breaks, ever. If today's tech conversation gave you something usable, consider supporting the show at buy me a coffee dot com slash fexingo. #Kubernetes #ClusterAutoscaler #SpotInstances #DevOps #CloudNative #SRE #K8sScaling #PodDisruption #InstanceInterruption #NodePool #Autoscaling #K8sFailureMode #CloudEconomics #SaaSInfrastructure #PodScheduling #K8s1.32 #Technology #FexingoBusiness Keep every episode free: buymeacoffee.com/fexingo

  19. 29

    Why Kubernetes Horizontal Pod Autoscaler Lags Behind Traffic Spikes

    Episode 42 of DevOps Daily with Fexingo digs into a concrete problem with Kubernetes Horizontal Pod Autoscaler (HPA): it reacts to past metrics, not future demand. Lucas and Luna walk through a real-world scenario where a flash sale at an e-commerce company caused a five-minute latency spike before HPA caught up. They explain how the default two-minute cooldown window, aggregation intervals, and metric collection delays compound into a blind spot for bursty traffic. The conversation covers tweaks like reducing stabilization windows, using custom metrics tied to queue depth, and combining HPA with cluster autoscaler or predictive scaling via Vertical Pod Autoscaler and proactive budget-based approaches. No silver bullets, but a clear diagnosis: if your traffic comes in waves, default HPA settings will leave you exposed. Specific numbers, trade-offs, and one actionable recommendation per tuning strategy. #Kubernetes #HorizontalPodAutoscaler #HPA #CloudNative #DevOps #Scaling #Autoscaling #Latency #MetricsServer #CustomMetrics #KEDA #ClusterAutoscaler #BurstTraffic #Performance #Technology #FexingoBusiness #BusinessPodcast #DevOpsDaily Keep every episode free: buymeacoffee.com/fexingo

  20. 28

    How Kubernetes Ingress Controllers Create a Security Surface

    Episode 41 of DevOps Daily with Fexingo dives into the overlooked security risks of Kubernetes Ingress controllers. Lucas and Luna break down a real-world case where a misconfigured NGINX Ingress exposed internal APIs to the internet, leading to a data breach. They explain how default rules, lack of request validation, and forgotten annotation changes can turn a routing layer into an attack vector. The hosts also discuss practical mitigations: strict allowlists, Web Application Firewall integration, and annotating Ingresses for least-privilege access. If you're running Kubernetes in production, this episode shows why your Ingress controller might be your biggest blind spot. #Kubernetes #IngressController #NGINXIngress #SecuritySurface #DevOps #CloudNative #K8sSecurity #NetworkSecurity #APISecurity #WebApplicationFirewall #AccessControl #TechPodcast #FexingoBusiness #BusinessPodcast #DevOpsDaily #SoftwareOperations #CI/CD #Microservices Keep every episode free: buymeacoffee.com/fexingo

  21. 27

    How Kubernetes ConfigMaps Become a Security Liability

    In this episode of DevOps Daily with Fexingo, Lucas and Luna dive into a commonly overlooked vulnerability in Kubernetes clusters: ConfigMaps. While ConfigMaps are widely used to decouple configuration from container images, they often end up storing sensitive data like database passwords, API keys, and service tokens in plain text. This practice creates a security liability that can be exposed through simple misconfigurations, RBAC gaps, or even accidental commits to version control. The hosts walk through a real-world scenario from a mid-sized fintech that learned this the hard way when a developer's CI/CD pipeline accidentally pushed a ConfigMap containing production database credentials to a public GitHub repo. They explain how to audit your ConfigMaps for secrets, why you should never use them for sensitive data, and how tools like Sealed Secrets and external secret stores (like HashiCorp Vault or AWS Secrets Manager) can replace ConfigMaps for secret management. The episode closes with a practical checklist to secure your configuration data today. #Kubernetes #ConfigMap #Security #DevOps #SecretsManagement #K8sSecurity #CI/CD #Technology #Podcast #FexingoBusiness #BusinessPodcast #TechPodcast #CloudNative #DevSecOps #Vault #SealedSecrets #KubernetesSecurity #ConfigurationManagement Keep every episode free: buymeacoffee.com/fexingo

  22. 26

    Why Kubernetes Pod Security Standards Still Leak

    In this episode of DevOps Daily, Lucas and Luna tackle a persistent security blind spot in Kubernetes: Pod Security Standards (PSS) and why they still leak sensitive data. They walk through a real-world case where a team using PSS with the 'baseline' profile left a sidecar container unmonitored, exposing database credentials. Lucas breaks down how PSS policies only check admission time, not runtime behavior, and how attackers exploit gaps like init containers and ephemeral containers. Luna shares a story from a fintech startup that discovered their PSS implementation failed because they forgot to apply it to custom namespaces. Together, they explain why you need to layer runtime security tools like Falco or OPA Gatekeeper, and how to audit your PSS policies using kubectl to catch hidden leaks. This episode is for DevOps engineers who think PSS means their cluster is secure—but want to verify it actually is. #Kubernetes #PodSecurityStandards #CloudSecurity #DevOps #DevOpsDaily #CyberSecurity #ContainerSecurity #K8s #OPAGatekeeper #Falco #RuntimeSecurity #SidecarContainers #InitContainers #EphemeralContainers #AdmissionController #CloudNative #FexingoBusiness #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo

  23. 25

    Why Your Kubernetes PersistentVolume Reclaim Policy Costs You Money

    In this episode of DevOps Daily with Fexingo, Lucas and Luna dig into a costly Kubernetes misconfiguration that flies under the radar: the PersistentVolume reclaim policy. Most teams set it to 'Delete' and forget it, but that means every time a PersistentVolumeClaim is deleted, the underlying volume (like an EBS or GCE PD) gets wiped out too—along with any data. Lucas walks through a real example: a development environment where accidentally deleting a PVC nuked a week's worth of test data. The fix? Switching the reclaim policy to 'Retain' for critical volumes. They also discuss how to safely reuse volumes with manual reclamation, and why 'Recycle' is effectively deprecated. If your team is burning money on orphaned volumes or losing data from PVC deletions, this episode is for you. #Kubernetes #DevOps #PersistentVolume #StorageManagement #CloudCost #DataLoss #K8sConfig #VolumeReclaim #RetainPolicy #DeletePolicy #RecyclePolicy #EBS #GCEPersistentDisk #PVC #Technology #FexingoBusiness #BusinessPodcast #DevOpsDaily Keep every episode free: buymeacoffee.com/fexingo

  24. 24

    Why Kubernetes Pod Security Standards Still Leak

    In this episode of DevOps Daily with Fexingo, Lucas and Luna dig into a subtle but dangerous gap in Kubernetes Pod Security Standards (PSS) — the admission controller that replaced PSPs. They walk through a real-world example: a team running a sidecar container with a privileged profile, bypassing the baseline policy because PSS applies to pods but not to init containers and ephemeral containers at the same granularity. Lucas explains how the 'restricted' profile doesn't block volume mounts that allow host-path writes from a non-root user, and how a compromised workload can pivot to the node without ever triggering a violation. Luna adds the operations perspective — how teams audit for this using Kyverno, and why the default PSS warnings don't fail closed. They close on the broader lesson: policy-as-code needs to cover the full pod lifecycle, not just admission time. #Kubernetes #PodSecurityStandards #DevOps #CloudNative #ContainerSecurity #KubernetesSecurity #Kyverno #AdmissionController #Sidecar #InitContainer #EphemeralContainer #SecurityPolicy #PSS #RBACGap #Technology #FexingoBusiness #BusinessPodcast #DevOpsDaily Keep every episode free: buymeacoffee.com/fexingo

  25. 23

    Why Kubernetes Image Pull Secrets Leak In Plain Sight

    This episode of DevOps Daily with Fexingo dives into a common but overlooked security gap: how Kubernetes image pull secrets can be accidentally exposed through base image inheritance and registry mirror configurations. Lucas walks through a real-world case where a team at a mid-sized fintech left their private registry credentials embedded in a public Docker layer, allowing anyone who pulled the image to extract them via a simple `docker history` command. Luna challenges whether the default Kubernetes workflow encourages this carelessness, and they discuss practical mitigations like using image pull secrets only via kubelet node-level configuration, rotating credentials on a schedule, and scanning for secret leakage during CI/CD. The conversation also touches on how OPA Gatekeeper policies can catch these misconfigurations at admission time. No fear-mongering, just concrete steps to tighten one of the easiest-to-exploit gaps in your cluster. #KubernetesSecurity #ImagePullSecrets #SecretLeakage #DockerLayers #CI/CD #OPAGatekeeper #DevOps #CloudSecurity #ContainerSecurity #K8sBestPractices #RegistryCredentials #AdmissionControl #Technology #InfrastructureAsCode #FintechCase #SecretsManagement #FexingoBusiness #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo

  26. 22

    Why Kubernetes Cost Allocation Is a Cloud Bill Surprise

    Lucas and Luna dig into a specific problem that catches many DevOps teams off guard: how Kubernetes clusters quietly inflate cloud bills through shared resource allocation. They examine a real example from a mid-sized fintech startup that saw its monthly AWS spend jump 40 percent after moving to a multi-tenant cluster without proper cost tagging. Lucas explains the difference between resource requests, limits, and actual usage, and why standard Kubernetes tooling like kubectl top isn't enough. They discuss open-source solutions like KubeCost and how one team implemented namespace-level cost allocation to reduce waste by 30 percent. The episode ends with a practical checklist for setting up chargeback reporting before the next cloud bill arrives. #Kubernetes #CostAllocation #CloudBills #DevOps #FinOps #KubeCost #AWS #ResourceUsage #MultiTenantCluster #Namespace #Chargeback #CloudCostManagement #Technology #FexingoBusiness #BusinessPodcast #DevOpsDaily #Podcast #TechOperations Keep every episode free: buymeacoffee.com/fexingo

  27. 21

    Kubernetes Pod Resource Requests Are Costing You Twice

    In this episode of DevOps Daily, Lucas and Luna dig into a persistent Kubernetes pitfall: mismatched resource requests and limits. Using a real-world example from a mid-sized fintech company that saw 40% higher cloud bills and intermittent OOM kills, they explain why setting CPU and memory requests too high or too low creates a double penalty — wasteful reservation and unpredictable performance. They walk through the math of overprovisioning versus underprovisioning, share how to use the Vertical Pod Autoscaler in recommendation mode, and discuss why teams should treat resource requests as a budget, not a safety net. If you've ever blamed a noisy neighbor for latency or been surprised by a monthly AWS bill, this episode gives you one concrete diagnostic to run tomorrow. #Kubernetes #DevOps #PodResourceRequests #CPULimits #MemoryRequests #CloudCostOptimization #VerticalPodAutoscaler #FintechCaseStudy #NoisyNeighbor #OOMKills #ResourceOverprovisioning #SlackCluster #K8sBestPractices #Technology #FexingoBusiness #BusinessPodcast #DevOpsDaily #PodPerformance Keep every episode free: buymeacoffee.com/fexingo

  28. 20

    How Kubernetes RBAC Configurations Create Security Gaps

    In this episode of DevOps Daily with Fexingo, Lucas and Luna explore a common but overlooked security risk in Kubernetes: overly permissive Role-Based Access Control (RBAC) configurations. They start with a real-world example from a mid-size fintech that suffered a breach because a service account had cluster-admin privileges. They break down why default roles like 'cluster-admin' and 'edit' are often too broad, how horizontal privilege escalation works in practice, and why many teams treat RBAC as a checkbox exercise. The hosts walk through the principle of least privilege, contrast Role vs ClusterRole, and explain what a proper RBAC audit looks like. They also discuss how to use tools like kubectl auth can-i and third-party scanners to identify overprivileged accounts. By the end, listeners understand why RBAC misconfigurations are a top attack vector and how to fix them before an audit or incident. #Kubernetes #RBAC #CloudSecurity #DevOps #K8sSecurity #PrivilegeEscalation #LeastPrivilege #ServiceAccount #ClusterAdmin #Kubectl #TechPodcast #Technology #FexingoBusiness #BusinessPodcast #SoftwareOperations #CICD #PodSecurity #AccessControl Keep every episode free: buymeacoffee.com/fexingo

  29. 19

    Why Kubernetes Audit Logs Miss the Critical Second

    Episode 32 of DevOps Daily with Fexingo. Lucas and Luna dive into the hidden gap between Kubernetes audit logs and actual attacker behavior. Using the real-world example of the 2024 Latacora breach — where a stolen kubeconfig allowed lateral movement for 47 minutes before any log entry fired — they explain why most audit policies are tuned to the wrong signals. Lucas breaks down the difference between Kubernetes audit stages (RequestReceived, ResponseComplete) and why the default logging level misses critical 'in-flight' actions. Luna shares a fix: staging audit policies to capture 'RequestReceived' for sensitive verbs like exec and port-forward. They also discuss how tools like Falco and Tetragon complement native audit logs, and why a simple 'audit log review' checklist can prevent the next supply-chain incident. A practical deep-dive for anyone running production clusters. #Kubernetes #AuditLogs #DevOps #Security #K8s #LatacoraBreach #Falco #Tetragon #SupplyChain #PodSecurity #CloudNative #Infrastructure #Technology #FexingoBusiness #BusinessPodcast #CI/CD #Containers #Logging Keep every episode free: buymeacoffee.com/fexingo

  30. 18

    Why Kubernetes Network Policies Are Often Worse Than Nothing

    Lucas and Luna dive into a silent threat in Kubernetes security: network policies that are incomplete, misconfigured, or poorly maintained. They walk through a real incident where a supposedly secure cluster had a default-deny policy that was accidentally bypassed by an allow-all rule on a single namespace, exposing a database to the internet. They explain why network policies give a false sense of security, how to audit them effectively, and the one practice that prevents policy drift. No clickbait, just a sharp, specific conversation about a gap most teams overlook until it's too late. #Kubernetes #NetworkPolicy #CloudSecurity #DevOps #Technology #PodSecurity #ZeroTrust #K8sNetworking #SecurityAudit #PolicyAsCode #Cilium #Calico #CNI #InfrastructureAsCode #FexingoBusiness #BusinessPodcast #TechPodcast #DevOpsDaily Keep every episode free: buymeacoffee.com/fexingo

  31. 17

    Why Kubernetes Health Checks Are a False Sense of Security

    Episode 30 of DevOps Daily with Fexingo: Lucas and Luna dig into why standard Kubernetes liveness and readiness probes often give teams a false sense of security. They walk through a real-world case where a service passed health checks but crashed under load because probes only tested a single endpoint. They break down the difference between basic TCP probes, HTTP probes, and deep dependency-aware probes, and explain why teams need to instrument startup probes and custom readiness gates. They also cover how Inc's 2025 postmortem on a multi-hour payment outage traced back to a stale readiness probe. By the end, listeners understand why a health check is only as good as the dependencies it actually tests. #Kubernetes #HealthChecks #LivenessProbes #ReadinessProbes #SiteReliabilityEngineering #CloudNative #DevOps #IncidentResponse #PodLifecycle #StartupProbes #DependencyManagement #ContainerOrchestration #TechOps #Observability #ProductionDebugging #ReliabilityEngineering #FexingoBusiness #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo

  32. 16

    How Kubernetes Service Meshes Add Latency You Cant Ignore

    Lucas and Luna dive into the hidden performance cost of running a service mesh in Kubernetes. Using Istio and Linkerd as examples, they unpack how sidecar proxies add 2-5 milliseconds of latency per hop, and how mesh overhead compounds in deep call chains. They walk through a real-world scenario where a 12-microservice transaction saw tail latency spike from 50ms to 210ms after enabling mutual TLS and traffic policies. The hosts discuss tuning strategies: reducing proxy CPU limits, disabling unused features, and choosing between Istio's Envoy and Linkerd's Rust-based proxy. They also cover when a service mesh is premature — and when it's worth the cost. This episode assumes you already know what a service mesh does; it's about the tradeoffs you rarely see in vendor docs. #Kubernetes #ServiceMesh #Istio #Linkerd #EnvoyProxy #Latency #Microservices #SidecarProxy #MutualTLS #Performance #DevOps #CloudNative #CNCF #K8sNetworking #Technology #FexingoBusiness #DevOpsDaily #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo

  33. 15

    Kubernetes PVC Performance Traps You Need to Avoid

    Episode 28 of DevOps Daily with Fexingo dives deep into a common but often overlooked performance pitfall: Kubernetes Persistent Volume Claims (PVCs). Lucas and Luna unpack a real-world case where a fintech company's database workloads suffered 40% latency spikes due to misconfigured PVC storage classes and access modes. They explain how volume binding modes, reclaim policies, and CSI driver settings can silently tank application performance, and share concrete tuning strategies like using WaitForFirstConsumer binding, ReadWriteOncePod access mode, and monitoring volume attach times. A must-listen for any DevOps engineer running stateful workloads on Kubernetes. #Kubernetes #PersistentVolumeClaims #StoragePerformance #DevOps #StatefulWorkloads #K8sStorage #VolumeBindingMode #ReadWriteOncePod #CSI #Latency #Fintech #DatabasePerformance #KubernetesPerformance #CloudNative #CI/CD #Technology #FexingoBusiness #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo

  34. 14

    Why Kubernetes Persistent Volume Claims Are a Performance Trap

    Episode 27 of DevOps Daily with Fexingo: Lucas and Luna dive into a silent performance killer in Kubernetes clusters—how Persistent Volume Claims with default storage classes can cause latency spikes and throughput bottlenecks. Using a real-world case from a fintech startup running Cassandra on AWS EBS gp2 volumes, Lucas explains why their 99th percentile read latency jumped from 5ms to 120ms under moderate load. The episode covers storage class tuning, volume binding modes, and why your CSI driver configuration matters more than you think. No fluff—just actionable insights for DevOps engineers managing stateful workloads in production. #Kubernetes #PersistentVolumeClaims #StorageClass #Performance #DevOps #StatefulWorkloads #Cassandra #AWSEBS #CSI #Latency #Throughput #Fintech #Infrastructure #Technology #CloudNative #FexingoBusiness #BusinessPodcast #DevOpsDaily Keep every episode free: buymeacoffee.com/fexingo

  35. 13

    Why Your Kubernetes Rollbacks Are a Roll of the Dice

    Episode 26 of DevOps Daily with Fexingo. Lucas and Luna dive into why Kubernetes rollbacks are riskier than most teams realize. They examine a case where a simple image tag rollback silently reverted a critical security fix, breaking compliance for days. They discuss why declarative state doesn't protect you from bad rollouts, how Helm and Argo CD handle (or fail to handle) rollback semantics, and what a safer rollback strategy looks like — including version pinning and canary analysis gates. Specific examples from a real-world incident involving a fintech startup's production outage in April 2026. #Kubernetes #DevOps #Rollbacks #Helm #ArgoCD #CI/CD #IncidentResponse #ReleaseManagement #DeclarativeState #VersionPinning #CanaryDeployments #SiteReliabilityEngineering #Compliance #Technology #CloudNative #FexingoBusiness #DevOpsDaily #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo

  36. 12

    Why Kubernetes Pod Disruption Budgets Fail Under Node Drains

    Episode 25 of DevOps Daily with Fexingo dives into a specific Kubernetes failure mode: Pod Disruption Budgets (PDBs) that prevent node drains during planned maintenance. Lucas and Luna break down a real incident where a cluster's PDBs blocked critical node updates, causing a multi-hour outage. They explain how PDBs work, why common configurations like minAvailable: 100% can lock you into a deadlock, and the practical fix: using percentage-based budgets with a small tolerance. The episode includes a concrete simulation using a three-replica deployment and two-node cluster. No fluff, just the one angle that will save your next maintenance window. #Kubernetes #PodDisruptionBudget #NodeDrain #DevOps #SiteReliabilityEngineering #CloudNative #ContainerOrchestration #HighAvailability #MaintenanceWindow #ClusterOperations #K8sFailureMode #ProductionIncident #Technology #FexingoBusiness #BusinessPodcast #DevOpsDaily #ResilienceEngineering #RollingUpdate Keep every episode free: buymeacoffee.com/fexingo

  37. 11

    Why Kubernetes Pod Resource Limits Cause Latency Spikes

    Episode 24 of DevOps Daily with Fexingo digs into a subtle but painful Kubernetes performance trap: the relationship between pod resource limits (CPU throttling) and application latency. Lucas and Luna examine a real-world case from a fintech company where setting CPU limits too low caused tail-latency spikes during normal traffic. They explain the difference between compressible and incompressible resources, how the Completely Fair Scheduler enforces CPU limits, and why setting requests without limits — or using the 'burst' capability wisely — often delivers better performance. The hosts also cover monitoring for throttling, the role of cgroup v2, and the trade-offs of over-provisioning. This episode is essential for any team running latency-sensitive workloads on Kubernetes. #Kubernetes #DevOps #Performance #CPULimits #Latency #Throttling #CFS #CgroupV2 #PodResources #Fintech #SiteReliabilityEngineering #ContainerOrchestration #CloudNative #Infrastructure #Monitoring #FexingoBusiness #BusinessPodcast #Technology Keep every episode free: buymeacoffee.com/fexingo

  38. 10

    Why Kubernetes Pod Priority Classes Cause Starvation

    Lucas and Luna dive into Kubernetes pod priority classes and preemption—a feature designed to ensure critical pods get resources, but one that can cause cascading failures and starvation for lower-priority workloads. They walk through a real scenario at a mid-size fintech that saw critical database pods preempting batch jobs, only to have those batch jobs reschedule and overwhelm the cluster. Lucas breaks down how priority classes work under the hood, the risks of misconfigured preemption policies, and the operational discipline needed—like setting PriorityClass namespaces and avoiding the default zero-priority trap. Luna challenges whether the feature is safe for multi-tenant clusters and shares a story about a team that accidentally set a pod priority higher than the cluster autoscaler's headroom. They close on the trade-off between reliability and fairness, and why priority classes should be a last resort, not a first instinct. #Kubernetes #PodPriority #PodPreemption #ClusterOperations #Scheduling #K8sBestPractices #DevOps #CloudNative #FintechCaseStudy #PriorityClass #ResourceManagement #MultiTenancy #ClusterAutoscaler #KubernetesStarvation #BatchJobs #CriticalWorkloads #FexingoBusiness #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo

  39. 9

    Why Your Kubernetes Pods Are Failing Graceful Shutdown

    In this episode of DevOps Daily, Lucas and Luna break down why graceful shutdown is failing in Kubernetes clusters. They examine the lifecycle of a pod being terminated, explaining the sequence of SIGTERM, terminationGracePeriodSeconds, and preStop hooks. Using a real-world example of a Node.js web service that was dropping thousands of in-flight requests during rollouts, they reveal the hidden defaults that cause timeouts and busted connections. They walk through how to set proper terminationGracePeriodSeconds, configure readiness probes to align with shutdown, and test SIGTERM handling in your app. If you're managing microservices on Kubernetes, this episode will save you from silent data loss on your next deploy. Tagged with Kubernetes, graceful shutdown, SIGTERM, pod lifecycle, DevOps, microservices, terminationGracePeriodSeconds. #Kubernetes #GracefulShutdown #SIGTERM #PodLifecycle #DevOps #Microservices #TerminationGracePeriodSeconds #PreStopHook #CloudNative #SiteReliabilityEngineering #ContainerOrchestration #RollingUpdate #ReadinessProbe #NodeJS #KubernetesPods #TechPodcast #FexingoBusiness #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo

  40. 8

    Why Your Kubernetes Pods Are Failing Graceful Shutdown

    A 45-second container shutdown sounds harmless until it costs you a production database connection pool. Lucas and Luna explore why most Kubernetes pods ignore SIGTERM, how a missing preStop hook turned a routine deployment into a 15-minute outage for a European payments platform, and the three-line fix that cuts pod termination from 30 seconds to under one second. They drill into the mechanics of the Linux process lifecycle inside containers, show why sleep 30 in a preStop hook is a common anti-pattern, and walk through a concrete health-check-aware shutdown sequence using Kubernetes 1.27's new pod status conditions. Listeners walk away with a specific checklist they can apply to any deployment tomorrow morning. #Kubernetes #PodLifecycle #GracefulShutdown #SIGTERM #preStopHook #ContainerOrchestration #DevOps #SiteReliability #ProductionIncident #LinuxProcesses #PodTermination #CloudNative #Technology #FexingoBusiness #BusinessPodcast #SoftwareEngineering #Infrastructure #Observability Keep every episode free: buymeacoffee.com/fexingo

  41. 7

    How Kubernetes Pod Autoscaling Fails Under Traffic Spikes

    In this episode, Lucas and Luna dig into the mechanics of Kubernetes Horizontal Pod Autoscaler — specifically why it often fails to keep up with sudden traffic spikes. They walk through a real-world scenario from a retail platform that saw request latency spike from under 100ms to over 2 seconds during a flash sale. The root cause wasn't resource limits or cluster size — it was the default HPA scaling metrics and cooldown windows. Lucas explains how target CPU utilization, stabilization windows, and custom metrics interact, and why relying solely on CPU-based HPA leaves you vulnerable. They discuss the alternative: using Kubernetes Event-driven Autoscaling (KEDA) with request-based metrics. If you're running Kubernetes in production and haven't stress-tested your HPA configuration, this episode will save you from a late-night incident. #Kubernetes #PodAutoscaling #HPA #KEDA #SiteReliabilityEngineering #CloudNative #DevOps #IncidentResponse #Scalability #Microservices #Containers #ProductionEngineering #TrafficSpikes #Metrics #Technology #FexingoBusiness #BusinessPodcast #DevOpsDaily Keep every episode free: buymeacoffee.com/fexingo

  42. 6

    Why Your Kubernetes Ingress Needs Rate Limiting

    Lucas and Luna dive into why rate limiting at the Kubernetes ingress layer is a critical, often overlooked practice for modern DevOps teams. They break down a real-world scenario: a startup whose API gateway collapsed under a traffic spike from a single misconfigured client, causing a cascading outage across microservices. Lucas explains the difference between application-level and ingress-level rate limiting, citing specific tools like NGINX Ingress Controller with annotations for requests per second and per-IP limits. He also covers the pitfalls of default configurations that allow unlimited traffic. Luna challenges the assumption that cloud load balancers handle this automatically, and they discuss how to set appropriate limits using Kubernetes annotations without breaking legitimate traffic patterns. The episode ends with a forward-looking question about traffic shaping and cost governance. #Kubernetes #Ingress #RateLimiting #DevOps #NGINX #Microservices #CloudNative #SiteReliability #APIGateway #TrafficManagement #Observability #Startup #TechOperations #Infrastructure #ContainerOrchestration #DevOpsDaily #FexingoBusiness #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo

  43. 5

    Why Your Kubernetes Pod Has Too Many Containers

    In this episode of DevOps Daily, Lucas and Luna dig into a quietly catastrophic antipattern: stuffing multiple containers into a single Kubernetes pod. They break down a real-world case where a monitoring stack with five containers per pod caused a production meltdown—crashing the main application container because a sidecar container leaked memory. They explain why the pod is not a lightweight VM, how resource isolation really works in Kubernetes, and why the industry is moving toward sidecar-less architectures. Lucas cites data from a 2025 CNCF survey showing that 42% of teams with multi-container pods reported at least one priority-1 incident caused by container resource fights. They also offer practical heuristics: one container per pod for stateless microservices, strict sidecar patterns for logging and proxies, and what to do when you genuinely need an init container. Plus, a small note on why this conversation made them think about how listener support keeps the show going. #Kubernetes #Pods #Containers #SidecarPattern #Microservices #DevOps #CNCF #ProductionIncident #ResourceIsolation #ContainerOrchestration #CloudNative #Infrastructure #SiteReliability #Technology #FexingoBusiness #BusinessPodcast #DevOpsDaily #K8sBestPractices Keep every episode free: buymeacoffee.com/fexingo

  44. 4

    Why Your Kubernetes Pod Has Too Many Containers

    Lucas and Luna dive into the anti-pattern of stuffing multiple containers into a single Kubernetes pod. They trace the problem to early Docker Compose habits, explain why sidecar containers for logging and metrics are often the wrong choice, and walk through a real-world example where a team at a fintech startup saw pod startup times jump from 8 seconds to 47 seconds after adding a third container. They discuss the Kubernetes community's shift toward daemonsets and admission controllers to enforce pod container limits, and why the one-container-per-pod rule still holds in production. Along the way, they touch on resource requests vs limits, pod lifecycle hooks, and the surprising cost of init containers. The episode closes with a practical question every DevOps engineer should ask before adding that next container. #Kubernetes #PodDesign #ContainerAntiPatterns #SidecarPattern #DevOps #CI/CD #PodLifecycle #InitContainers #ResourceRequests #ResourceLimits #AdmissionControllers #DaemonSet #Fintech #Startup #FexingoBusiness #BusinessPodcast #Technology #DevOpsDaily Keep every episode free: buymeacoffee.com/fexingo

  45. 3

    Why Your Kubernetes Audit Logs Are a Compliance Goldmine

    In this episode of DevOps Daily, Lucas and Luna dig into Kubernetes audit logs — the overlooked data source that can save your organization from a compliance disaster. They walk through a real case of a fintech startup that caught an insider data exfiltration attempt only because they had enabled audit logging on their clusters. Lucas explains the three tiers of audit policies (Metadata, Request, and RequestResponse) and why most teams never get past the default Metadata level. Luna pushes back on the cost argument, pointing out that storing audit logs is cheap compared to the legal fees of a breach investigation. They also cover how to ship logs to an external SIEM, why you should never rely on Kubernetes etcd as a long-term log store, and a practical rule of thumb: turn on RequestResponse for any namespace handling PII or payment data. If you're running Kubernetes in production and haven't looked at your audit log configuration this quarter, this episode is for you. #Kubernetes #AuditLogging #DevOps #Compliance #Security #Fintech #SIEM #etcd #PII #LogManagement #CloudNative #RBAC #ThreatDetection #InfrastructureAsCode #K8s #Business #FexingoBusiness #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo

  46. 2

    Why Your Kubernetes Image Registry Needs a Vulnerability Scan Gate

    In this episode of DevOps Daily with Fexingo, Lucas and Luna dive into a critical but often overlooked failure point in container workflows: the moment an image hits your private registry. They unpack why scanners alone aren't enough, how a single unvetted pull can cascade into a cluster-wide CVE, and the concrete architecture change — a pre-pull vulnerability scan gate — that can catch supply-chain attacks before they deploy. Drawing on real-world examples from the recent PyTorch dependency confusion incident and a misconfigured JFrog Artifactory at a fintech unicorn, they explain how to wire Amazon ECR, Harbor, or GitLab container registry into your admission controller, and why blocking a build in CI doesn't protect you from a cached base image. If you've ever assumed your container registry was just a storage bucket, this episode will change how you think about your software supply chain. #ContainerRegistry #VulnerabilityScanning #KubernetesSecurity #SoftwareSupplyChain #ImageAdmission #DevSecOps #DockerImageSecurity #AmazonECR #Harbor #GitLabContainerRegistry #CI/CDPipeline #CloudNative #KubernetesAdmissionController #PodSecurity #Technology #DevOpsDailyWithFexingo #FexingoBusiness #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo

  47. 1

    Why Your Kubernetes Cluster Needs a Pod Security Admission

    In this episode, Lucas and Luna dive into Kubernetes Pod Security Admission — the successor to PodSecurityPolicies (PSPs) that's now mandatory in Kubernetes 1.25 and later. They break down the three built-in security levels (privileged, baseline, restricted), walk through a real-world migration from PSPs to PSA for a fintech company, and explain why most teams have misconfigured their admission webhooks. Lucas shares concrete examples of how a single mislabeled namespace can expose your cluster to container escape attacks, and Luna pushes back on the complexity of adopting restricted profiles for legacy workloads. They also discuss the operational impact: how PSA affects CI/CD pipelines, why you should test admission policies with dry-run mode, and the common gotcha around ephemeral containers. If you're running Kubernetes without validating your Pod Security Admission settings, your cluster is likely less secure than you think. #Kubernetes #PodSecurityAdmission #PSA #PodSecurityPolicy #PSP #CloudNative #DevOps #ClusterSecurity #ContainerSecurity #K8sSecurity #SecurityPolicy #AdmissionController #Technology #BusinessPodcast #FexingoBusiness #TechOps #Compliance #KubernetesMigration Keep every episode free: buymeacoffee.com/fexingo

  48. 0

    Why Your Docker Images Are a Compliance Time Bomb

    Lucas and Luna drill into a specific, overlooked compliance risk in modern software operations: unpatched base images in Docker registries. They walk through a real scenario from a fintech startup that failed a SOC 2 audit because a six-month-old Node.js base image contained known vulnerabilities. The hosts explain why most image scanning pipelines miss what matters, how distroless images change the risk profile, and why your Kubernetes cluster's image pull policy might be your biggest liability. They also share the one concrete change teams can make this week to reduce exposure. No theory — just a focused breakdown of a problem that's quietly costing companies time, money, and customer trust. #Docker #Compliance #SOC2 #ImageScanning #Distroless #Kubernetes #DevOps #Security #VulnerabilityManagement #CI/CD #ContainerSecurity #Fintech #NodeJS #BaseImages #CloudNative #SoftwareOperations #FexingoBusiness #TechnologyPodcast Keep every episode free: buymeacoffee.com/fexingo

  49. -1

    Why Your Kubernetes RBAC Is a Compliance Nightmare

    Episode 12 of DevOps Daily digs into Kubernetes RBAC misconfigurations — the single biggest compliance blind spot in most cloud-native environments. Lucas and Luna walk through a real incident at a mid-sized fintech where a single over-permissive ClusterRole let an attacker pivot to production data. They break down the principle of least privilege, how to audit your existing RBAC bindings with open-source tooling like kubectl-who-can and rbac-lookup, and why 'it worked in staging' is a dangerous justification for overly broad permissions. The conversation closes on whether policy-as-code tools like OPA/Gatekeeper are the right next step or just another abstraction layer. No clickbait, no fluff — just actionable DevOps ops intel. #Kubernetes #RBAC #DevOps #CloudSecurity #Compliance #LeastPrivilege #FintechIncident #kubectlWhoCan #PolicyAsCode #OPAGatekeeper #ClusterRole #ProductionSecurity #PodIdentity #Tech #DevOpsDaily #FexingoBusiness #BusinessPodcast #CloudNative Keep every episode free: buymeacoffee.com/fexingo

  50. -2

    Why Your Terraform State File Is a Single Point of Failure

    Lucas and Luna dive into the most critical and overlooked artifact in modern infrastructure: the Terraform state file. They explain why losing or corrupting state.json means losing control of your entire cloud estate. Using the real-world example of a 2024 incident where a major SaaS provider accidentally deleted its production state file during a migration, they walk through the anatomy of the failure, the three-hour outage that followed, and the operational changes that prevent it. They cover remote state backends, state locking with DynamoDB, partial configuration patterns, and the controversial practice of state file versioning. Listeners walk away knowing exactly how to audit their own state setup and what single command to run tonight to check if they're exposed. #Terraform #InfrastructureAsCode #StateFile #SinglePointOfFailure #DevOps #CloudInfrastructure #IaC #HashiCorp #S3Backend #DynamoDB #StateLocking #BackupStrategy #IncidentResponse #DisasterRecovery #Technology #FexingoBusiness #BusinessPodcast #DevOpsDaily Keep every episode free: buymeacoffee.com/fexingo

Type above to search every episode's transcript for a word or phrase. Matches are scoped to this podcast.

Searching…

We're indexing this podcast's transcripts for the first time — this can take a minute or two. We'll show results as soon as they're ready.

No matches for "" in this podcast's transcripts.

Showing of matches

No topics indexed yet for this podcast.

Loading reviews...

ABOUT THIS SHOW

Lucas and Luna dissect the daily realities of DevOps, from CI/CD pipeline design to Kubernetes cluster management and the human systems that keep software running. Each episode grounds abstract principles in real incidents—a failed deployment at a major retailer, a postmortem from a cloud outage, a configuration drift disaster—and traces the operational decisions that turned them around. Lucas brings the technical precision of a working engineer, while Luna pushes on the team dynamics, cost trade-offs, and organizational bottlenecks that separate resilient operations from fragile ones. They discuss monitoring strategies, incident response playbooks, infrastructure-as-code trade-offs, and the cultural friction between development velocity and operational stability—always with concrete examples, never with buzzwords. This is the show for engineers, SREs, and platform leads who want to hear two seasoned practitioners argue through the hard choices: when to rewrite vs. patch, how much obse

HOSTED BY

Fexingo

CATEGORIES

Frequently Asked Questions

How many episodes does DevOps Daily with Fexingo: CI/CD, Kubernetes, and Modern Software Operations have?

DevOps Daily with Fexingo: CI/CD, Kubernetes, and Modern Software Operations currently has 50 episodes available on PodParley. New episodes are automatically indexed when they're published to the podcast feed.

What is DevOps Daily with Fexingo: CI/CD, Kubernetes, and Modern Software Operations about?

Lucas and Luna dissect the daily realities of DevOps, from CI/CD pipeline design to Kubernetes cluster management and the human systems that keep software running. Each episode grounds abstract principles in real incidents—a failed deployment at a major retailer, a postmortem from a cloud outage, a...

How often does DevOps Daily with Fexingo: CI/CD, Kubernetes, and Modern Software Operations release new episodes?

DevOps Daily with Fexingo: CI/CD, Kubernetes, and Modern Software Operations has 50 episodes. Check the episode list to see recent publication dates and frequency.

Where can I listen to DevOps Daily with Fexingo: CI/CD, Kubernetes, and Modern Software Operations?

You can listen to DevOps Daily with Fexingo: CI/CD, Kubernetes, and Modern Software Operations on PodParley by clicking any episode. We provide an embedded audio player for direct listening, and you can also subscribe via your preferred podcast app using the RSS feed.

Who hosts DevOps Daily with Fexingo: CI/CD, Kubernetes, and Modern Software Operations?

DevOps Daily with Fexingo: CI/CD, Kubernetes, and Modern Software Operations is created and hosted by Fexingo.
URL copied to clipboard!