DevOps Daily with Fexingo: CI/CD, Kubernetes, and Modern Software Operations

In this episode of DevOps Daily with Fexingo, Lucas and Luna dig into a costly Kubernetes misconfiguration that flies under the radar: the PersistentVolume reclaim policy. Most teams set it to 'Delete' and forget it, but that means every time a PersistentVolumeClaim is deleted, the underlying volume (like an EBS or GCE PD) gets wiped out too—along with any data. Lucas walks through a real example: a development environment where accidentally deleting a PVC nuked a week's worth of test data. The fix? Switching the reclaim policy to 'Retain' for critical volumes. They also discuss how to safely reuse volumes with manual reclamation, and why 'Recycle' is effectively deprecated. If your team is burning money on orphaned volumes or losing data from PVC deletions, this episode is for you. #Kubernetes #DevOps #PersistentVolume #StorageManagement #CloudCost #DataLoss #K8sConfig #VolumeReclaim #RetainPolicy #DeletePolicy #RecyclePolicy #EBS #GCEPersistentDisk #PVC #Technology #FexingoBusiness #BusinessPodcast #DevOpsDaily Keep every episode free: buymeacoffee.com/fexingo

In this episode of DevOps Daily with Fexingo, Lucas and Luna dig into a subtle but dangerous gap in Kubernetes Pod Security Standards (PSS) — the admission controller that replaced PSPs. They walk through a real-world example: a team running a sidecar container with a privileged profile, bypassing the baseline policy because PSS applies to pods but not to init containers and ephemeral containers at the same granularity. Lucas explains how the 'restricted' profile doesn't block volume mounts that allow host-path writes from a non-root user, and how a compromised workload can pivot to the node without ever triggering a violation. Luna adds the operations perspective — how teams audit for this using Kyverno, and why the default PSS warnings don't fail closed. They close on the broader lesson: policy-as-code needs to cover the full pod lifecycle, not just admission time. #Kubernetes #PodSecurityStandards #DevOps #CloudNative #ContainerSecurity #KubernetesSecurity #Kyverno #AdmissionController #Sidecar #InitContainer #EphemeralContainer #SecurityPolicy #PSS #RBACGap #Technology #FexingoBusiness #BusinessPodcast #DevOpsDaily Keep every episode free: buymeacoffee.com/fexingo

This episode of DevOps Daily with Fexingo dives into a common but overlooked security gap: how Kubernetes image pull secrets can be accidentally exposed through base image inheritance and registry mirror configurations. Lucas walks through a real-world case where a team at a mid-sized fintech left their private registry credentials embedded in a public Docker layer, allowing anyone who pulled the image to extract them via a simple `docker history` command. Luna challenges whether the default Kubernetes workflow encourages this carelessness, and they discuss practical mitigations like using image pull secrets only via kubelet node-level configuration, rotating credentials on a schedule, and scanning for secret leakage during CI/CD. The conversation also touches on how OPA Gatekeeper policies can catch these misconfigurations at admission time. No fear-mongering, just concrete steps to tighten one of the easiest-to-exploit gaps in your cluster. #KubernetesSecurity #ImagePullSecrets #SecretLeakage #DockerLayers #CI/CD #OPAGatekeeper #DevOps #CloudSecurity #ContainerSecurity #K8sBestPractices #RegistryCredentials #AdmissionControl #Technology #InfrastructureAsCode #FintechCase #SecretsManagement #FexingoBusiness #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo

Lucas and Luna dig into a specific problem that catches many DevOps teams off guard: how Kubernetes clusters quietly inflate cloud bills through shared resource allocation. They examine a real example from a mid-sized fintech startup that saw its monthly AWS spend jump 40 percent after moving to a multi-tenant cluster without proper cost tagging. Lucas explains the difference between resource requests, limits, and actual usage, and why standard Kubernetes tooling like kubectl top isn't enough. They discuss open-source solutions like KubeCost and how one team implemented namespace-level cost allocation to reduce waste by 30 percent. The episode ends with a practical checklist for setting up chargeback reporting before the next cloud bill arrives. #Kubernetes #CostAllocation #CloudBills #DevOps #FinOps #KubeCost #AWS #ResourceUsage #MultiTenantCluster #Namespace #Chargeback #CloudCostManagement #Technology #FexingoBusiness #BusinessPodcast #DevOpsDaily #Podcast #TechOperations Keep every episode free: buymeacoffee.com/fexingo

In this episode of DevOps Daily, Lucas and Luna dig into a persistent Kubernetes pitfall: mismatched resource requests and limits. Using a real-world example from a mid-sized fintech company that saw 40% higher cloud bills and intermittent OOM kills, they explain why setting CPU and memory requests too high or too low creates a double penalty — wasteful reservation and unpredictable performance. They walk through the math of overprovisioning versus underprovisioning, share how to use the Vertical Pod Autoscaler in recommendation mode, and discuss why teams should treat resource requests as a budget, not a safety net. If you've ever blamed a noisy neighbor for latency or been surprised by a monthly AWS bill, this episode gives you one concrete diagnostic to run tomorrow. #Kubernetes #DevOps #PodResourceRequests #CPULimits #MemoryRequests #CloudCostOptimization #VerticalPodAutoscaler #FintechCaseStudy #NoisyNeighbor #OOMKills #ResourceOverprovisioning #SlackCluster #K8sBestPractices #Technology #FexingoBusiness #BusinessPodcast #DevOpsDaily #PodPerformance Keep every episode free: buymeacoffee.com/fexingo

In this episode of DevOps Daily with Fexingo, Lucas and Luna explore a common but overlooked security risk in Kubernetes: overly permissive Role-Based Access Control (RBAC) configurations. They start with a real-world example from a mid-size fintech that suffered a breach because a service account had cluster-admin privileges. They break down why default roles like 'cluster-admin' and 'edit' are often too broad, how horizontal privilege escalation works in practice, and why many teams treat RBAC as a checkbox exercise. The hosts walk through the principle of least privilege, contrast Role vs ClusterRole, and explain what a proper RBAC audit looks like. They also discuss how to use tools like kubectl auth can-i and third-party scanners to identify overprivileged accounts. By the end, listeners understand why RBAC misconfigurations are a top attack vector and how to fix them before an audit or incident. #Kubernetes #RBAC #CloudSecurity #DevOps #K8sSecurity #PrivilegeEscalation #LeastPrivilege #ServiceAccount #ClusterAdmin #Kubectl #TechPodcast #Technology #FexingoBusiness #BusinessPodcast #SoftwareOperations #CICD #PodSecurity #AccessControl Keep every episode free: buymeacoffee.com/fexingo

Episode 32 of DevOps Daily with Fexingo. Lucas and Luna dive into the hidden gap between Kubernetes audit logs and actual attacker behavior. Using the real-world example of the 2024 Latacora breach — where a stolen kubeconfig allowed lateral movement for 47 minutes before any log entry fired — they explain why most audit policies are tuned to the wrong signals. Lucas breaks down the difference between Kubernetes audit stages (RequestReceived, ResponseComplete) and why the default logging level misses critical 'in-flight' actions. Luna shares a fix: staging audit policies to capture 'RequestReceived' for sensitive verbs like exec and port-forward. They also discuss how tools like Falco and Tetragon complement native audit logs, and why a simple 'audit log review' checklist can prevent the next supply-chain incident. A practical deep-dive for anyone running production clusters. #Kubernetes #AuditLogs #DevOps #Security #K8s #LatacoraBreach #Falco #Tetragon #SupplyChain #PodSecurity #CloudNative #Infrastructure #Technology #FexingoBusiness #BusinessPodcast #CI/CD #Containers #Logging Keep every episode free: buymeacoffee.com/fexingo

Lucas and Luna dive into a silent threat in Kubernetes security: network policies that are incomplete, misconfigured, or poorly maintained. They walk through a real incident where a supposedly secure cluster had a default-deny policy that was accidentally bypassed by an allow-all rule on a single namespace, exposing a database to the internet. They explain why network policies give a false sense of security, how to audit them effectively, and the one practice that prevents policy drift. No clickbait, just a sharp, specific conversation about a gap most teams overlook until it's too late. #Kubernetes #NetworkPolicy #CloudSecurity #DevOps #Technology #PodSecurity #ZeroTrust #K8sNetworking #SecurityAudit #PolicyAsCode #Cilium #Calico #CNI #InfrastructureAsCode #FexingoBusiness #BusinessPodcast #TechPodcast #DevOpsDaily Keep every episode free: buymeacoffee.com/fexingo

Episode 30 of DevOps Daily with Fexingo: Lucas and Luna dig into why standard Kubernetes liveness and readiness probes often give teams a false sense of security. They walk through a real-world case where a service passed health checks but crashed under load because probes only tested a single endpoint. They break down the difference between basic TCP probes, HTTP probes, and deep dependency-aware probes, and explain why teams need to instrument startup probes and custom readiness gates. They also cover how Inc's 2025 postmortem on a multi-hour payment outage traced back to a stale readiness probe. By the end, listeners understand why a health check is only as good as the dependencies it actually tests. #Kubernetes #HealthChecks #LivenessProbes #ReadinessProbes #SiteReliabilityEngineering #CloudNative #DevOps #IncidentResponse #PodLifecycle #StartupProbes #DependencyManagement #ContainerOrchestration #TechOps #Observability #ProductionDebugging #ReliabilityEngineering #FexingoBusiness #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo

Lucas and Luna dive into the hidden performance cost of running a service mesh in Kubernetes. Using Istio and Linkerd as examples, they unpack how sidecar proxies add 2-5 milliseconds of latency per hop, and how mesh overhead compounds in deep call chains. They walk through a real-world scenario where a 12-microservice transaction saw tail latency spike from 50ms to 210ms after enabling mutual TLS and traffic policies. The hosts discuss tuning strategies: reducing proxy CPU limits, disabling unused features, and choosing between Istio's Envoy and Linkerd's Rust-based proxy. They also cover when a service mesh is premature — and when it's worth the cost. This episode assumes you already know what a service mesh does; it's about the tradeoffs you rarely see in vendor docs. #Kubernetes #ServiceMesh #Istio #Linkerd #EnvoyProxy #Latency #Microservices #SidecarProxy #MutualTLS #Performance #DevOps #CloudNative #CNCF #K8sNetworking #Technology #FexingoBusiness #DevOpsDaily #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo

Episode 28 of DevOps Daily with Fexingo dives deep into a common but often overlooked performance pitfall: Kubernetes Persistent Volume Claims (PVCs). Lucas and Luna unpack a real-world case where a fintech company's database workloads suffered 40% latency spikes due to misconfigured PVC storage classes and access modes. They explain how volume binding modes, reclaim policies, and CSI driver settings can silently tank application performance, and share concrete tuning strategies like using WaitForFirstConsumer binding, ReadWriteOncePod access mode, and monitoring volume attach times. A must-listen for any DevOps engineer running stateful workloads on Kubernetes. #Kubernetes #PersistentVolumeClaims #StoragePerformance #DevOps #StatefulWorkloads #K8sStorage #VolumeBindingMode #ReadWriteOncePod #CSI #Latency #Fintech #DatabasePerformance #KubernetesPerformance #CloudNative #CI/CD #Technology #FexingoBusiness #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo

Episode 27 of DevOps Daily with Fexingo: Lucas and Luna dive into a silent performance killer in Kubernetes clusters—how Persistent Volume Claims with default storage classes can cause latency spikes and throughput bottlenecks. Using a real-world case from a fintech startup running Cassandra on AWS EBS gp2 volumes, Lucas explains why their 99th percentile read latency jumped from 5ms to 120ms under moderate load. The episode covers storage class tuning, volume binding modes, and why your CSI driver configuration matters more than you think. No fluff—just actionable insights for DevOps engineers managing stateful workloads in production. #Kubernetes #PersistentVolumeClaims #StorageClass #Performance #DevOps #StatefulWorkloads #Cassandra #AWSEBS #CSI #Latency #Throughput #Fintech #Infrastructure #Technology #CloudNative #FexingoBusiness #BusinessPodcast #DevOpsDaily Keep every episode free: buymeacoffee.com/fexingo

Episode 26 of DevOps Daily with Fexingo. Lucas and Luna dive into why Kubernetes rollbacks are riskier than most teams realize. They examine a case where a simple image tag rollback silently reverted a critical security fix, breaking compliance for days. They discuss why declarative state doesn't protect you from bad rollouts, how Helm and Argo CD handle (or fail to handle) rollback semantics, and what a safer rollback strategy looks like — including version pinning and canary analysis gates. Specific examples from a real-world incident involving a fintech startup's production outage in April 2026. #Kubernetes #DevOps #Rollbacks #Helm #ArgoCD #CI/CD #IncidentResponse #ReleaseManagement #DeclarativeState #VersionPinning #CanaryDeployments #SiteReliabilityEngineering #Compliance #Technology #CloudNative #FexingoBusiness #DevOpsDaily #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo

Episode 25 of DevOps Daily with Fexingo dives into a specific Kubernetes failure mode: Pod Disruption Budgets (PDBs) that prevent node drains during planned maintenance. Lucas and Luna break down a real incident where a cluster's PDBs blocked critical node updates, causing a multi-hour outage. They explain how PDBs work, why common configurations like minAvailable: 100% can lock you into a deadlock, and the practical fix: using percentage-based budgets with a small tolerance. The episode includes a concrete simulation using a three-replica deployment and two-node cluster. No fluff, just the one angle that will save your next maintenance window. #Kubernetes #PodDisruptionBudget #NodeDrain #DevOps #SiteReliabilityEngineering #CloudNative #ContainerOrchestration #HighAvailability #MaintenanceWindow #ClusterOperations #K8sFailureMode #ProductionIncident #Technology #FexingoBusiness #BusinessPodcast #DevOpsDaily #ResilienceEngineering #RollingUpdate Keep every episode free: buymeacoffee.com/fexingo

Episode 24 of DevOps Daily with Fexingo digs into a subtle but painful Kubernetes performance trap: the relationship between pod resource limits (CPU throttling) and application latency. Lucas and Luna examine a real-world case from a fintech company where setting CPU limits too low caused tail-latency spikes during normal traffic. They explain the difference between compressible and incompressible resources, how the Completely Fair Scheduler enforces CPU limits, and why setting requests without limits — or using the 'burst' capability wisely — often delivers better performance. The hosts also cover monitoring for throttling, the role of cgroup v2, and the trade-offs of over-provisioning. This episode is essential for any team running latency-sensitive workloads on Kubernetes. #Kubernetes #DevOps #Performance #CPULimits #Latency #Throttling #CFS #CgroupV2 #PodResources #Fintech #SiteReliabilityEngineering #ContainerOrchestration #CloudNative #Infrastructure #Monitoring #FexingoBusiness #BusinessPodcast #Technology Keep every episode free: buymeacoffee.com/fexingo

Lucas and Luna dive into Kubernetes pod priority classes and preemption—a feature designed to ensure critical pods get resources, but one that can cause cascading failures and starvation for lower-priority workloads. They walk through a real scenario at a mid-size fintech that saw critical database pods preempting batch jobs, only to have those batch jobs reschedule and overwhelm the cluster. Lucas breaks down how priority classes work under the hood, the risks of misconfigured preemption policies, and the operational discipline needed—like setting PriorityClass namespaces and avoiding the default zero-priority trap. Luna challenges whether the feature is safe for multi-tenant clusters and shares a story about a team that accidentally set a pod priority higher than the cluster autoscaler's headroom. They close on the trade-off between reliability and fairness, and why priority classes should be a last resort, not a first instinct. #Kubernetes #PodPriority #PodPreemption #ClusterOperations #Scheduling #K8sBestPractices #DevOps #CloudNative #FintechCaseStudy #PriorityClass #ResourceManagement #MultiTenancy #ClusterAutoscaler #KubernetesStarvation #BatchJobs #CriticalWorkloads #FexingoBusiness #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo

In this episode of DevOps Daily, Lucas and Luna break down why graceful shutdown is failing in Kubernetes clusters. They examine the lifecycle of a pod being terminated, explaining the sequence of SIGTERM, terminationGracePeriodSeconds, and preStop hooks. Using a real-world example of a Node.js web service that was dropping thousands of in-flight requests during rollouts, they reveal the hidden defaults that cause timeouts and busted connections. They walk through how to set proper terminationGracePeriodSeconds, configure readiness probes to align with shutdown, and test SIGTERM handling in your app. If you're managing microservices on Kubernetes, this episode will save you from silent data loss on your next deploy. Tagged with Kubernetes, graceful shutdown, SIGTERM, pod lifecycle, DevOps, microservices, terminationGracePeriodSeconds. #Kubernetes #GracefulShutdown #SIGTERM #PodLifecycle #DevOps #Microservices #TerminationGracePeriodSeconds #PreStopHook #CloudNative #SiteReliabilityEngineering #ContainerOrchestration #RollingUpdate #ReadinessProbe #NodeJS #KubernetesPods #TechPodcast #FexingoBusiness #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo

In this episode, Lucas and Luna dig into the mechanics of Kubernetes Horizontal Pod Autoscaler — specifically why it often fails to keep up with sudden traffic spikes. They walk through a real-world scenario from a retail platform that saw request latency spike from under 100ms to over 2 seconds during a flash sale. The root cause wasn't resource limits or cluster size — it was the default HPA scaling metrics and cooldown windows. Lucas explains how target CPU utilization, stabilization windows, and custom metrics interact, and why relying solely on CPU-based HPA leaves you vulnerable. They discuss the alternative: using Kubernetes Event-driven Autoscaling (KEDA) with request-based metrics. If you're running Kubernetes in production and haven't stress-tested your HPA configuration, this episode will save you from a late-night incident. #Kubernetes #PodAutoscaling #HPA #KEDA #SiteReliabilityEngineering #CloudNative #DevOps #IncidentResponse #Scalability #Microservices #Containers #ProductionEngineering #TrafficSpikes #Metrics #Technology #FexingoBusiness #BusinessPodcast #DevOpsDaily Keep every episode free: buymeacoffee.com/fexingo

Lucas and Luna dive into why rate limiting at the Kubernetes ingress layer is a critical, often overlooked practice for modern DevOps teams. They break down a real-world scenario: a startup whose API gateway collapsed under a traffic spike from a single misconfigured client, causing a cascading outage across microservices. Lucas explains the difference between application-level and ingress-level rate limiting, citing specific tools like NGINX Ingress Controller with annotations for requests per second and per-IP limits. He also covers the pitfalls of default configurations that allow unlimited traffic. Luna challenges the assumption that cloud load balancers handle this automatically, and they discuss how to set appropriate limits using Kubernetes annotations without breaking legitimate traffic patterns. The episode ends with a forward-looking question about traffic shaping and cost governance. #Kubernetes #Ingress #RateLimiting #DevOps #NGINX #Microservices #CloudNative #SiteReliability #APIGateway #TrafficManagement #Observability #Startup #TechOperations #Infrastructure #ContainerOrchestration #DevOpsDaily #FexingoBusiness #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo

In this episode of DevOps Daily, Lucas and Luna dig into a quietly catastrophic antipattern: stuffing multiple containers into a single Kubernetes pod. They break down a real-world case where a monitoring stack with five containers per pod caused a production meltdown—crashing the main application container because a sidecar container leaked memory. They explain why the pod is not a lightweight VM, how resource isolation really works in Kubernetes, and why the industry is moving toward sidecar-less architectures. Lucas cites data from a 2025 CNCF survey showing that 42% of teams with multi-container pods reported at least one priority-1 incident caused by container resource fights. They also offer practical heuristics: one container per pod for stateless microservices, strict sidecar patterns for logging and proxies, and what to do when you genuinely need an init container. Plus, a small note on why this conversation made them think about how listener support keeps the show going. #Kubernetes #Pods #Containers #SidecarPattern #Microservices #DevOps #CNCF #ProductionIncident #ResourceIsolation #ContainerOrchestration #CloudNative #Infrastructure #SiteReliability #Technology #FexingoBusiness #BusinessPodcast #DevOpsDaily #K8sBestPractices Keep every episode free: buymeacoffee.com/fexingo

Lucas and Luna dive into the anti-pattern of stuffing multiple containers into a single Kubernetes pod. They trace the problem to early Docker Compose habits, explain why sidecar containers for logging and metrics are often the wrong choice, and walk through a real-world example where a team at a fintech startup saw pod startup times jump from 8 seconds to 47 seconds after adding a third container. They discuss the Kubernetes community's shift toward daemonsets and admission controllers to enforce pod container limits, and why the one-container-per-pod rule still holds in production. Along the way, they touch on resource requests vs limits, pod lifecycle hooks, and the surprising cost of init containers. The episode closes with a practical question every DevOps engineer should ask before adding that next container. #Kubernetes #PodDesign #ContainerAntiPatterns #SidecarPattern #DevOps #CI/CD #PodLifecycle #InitContainers #ResourceRequests #ResourceLimits #AdmissionControllers #DaemonSet #Fintech #Startup #FexingoBusiness #BusinessPodcast #Technology #DevOpsDaily Keep every episode free: buymeacoffee.com/fexingo

In this episode of DevOps Daily, Lucas and Luna dig into Kubernetes audit logs — the overlooked data source that can save your organization from a compliance disaster. They walk through a real case of a fintech startup that caught an insider data exfiltration attempt only because they had enabled audit logging on their clusters. Lucas explains the three tiers of audit policies (Metadata, Request, and RequestResponse) and why most teams never get past the default Metadata level. Luna pushes back on the cost argument, pointing out that storing audit logs is cheap compared to the legal fees of a breach investigation. They also cover how to ship logs to an external SIEM, why you should never rely on Kubernetes etcd as a long-term log store, and a practical rule of thumb: turn on RequestResponse for any namespace handling PII or payment data. If you're running Kubernetes in production and haven't looked at your audit log configuration this quarter, this episode is for you. #Kubernetes #AuditLogging #DevOps #Compliance #Security #Fintech #SIEM #etcd #PII #LogManagement #CloudNative #RBAC #ThreatDetection #InfrastructureAsCode #K8s #Business #FexingoBusiness #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo

In this episode of DevOps Daily with Fexingo, Lucas and Luna dive into a critical but often overlooked failure point in container workflows: the moment an image hits your private registry. They unpack why scanners alone aren't enough, how a single unvetted pull can cascade into a cluster-wide CVE, and the concrete architecture change — a pre-pull vulnerability scan gate — that can catch supply-chain attacks before they deploy. Drawing on real-world examples from the recent PyTorch dependency confusion incident and a misconfigured JFrog Artifactory at a fintech unicorn, they explain how to wire Amazon ECR, Harbor, or GitLab container registry into your admission controller, and why blocking a build in CI doesn't protect you from a cached base image. If you've ever assumed your container registry was just a storage bucket, this episode will change how you think about your software supply chain. #ContainerRegistry #VulnerabilityScanning #KubernetesSecurity #SoftwareSupplyChain #ImageAdmission #DevSecOps #DockerImageSecurity #AmazonECR #Harbor #GitLabContainerRegistry #CI/CDPipeline #CloudNative #KubernetesAdmissionController #PodSecurity #Technology #DevOpsDailyWithFexingo #FexingoBusiness #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo

In this episode, Lucas and Luna dive into Kubernetes Pod Security Admission — the successor to PodSecurityPolicies (PSPs) that's now mandatory in Kubernetes 1.25 and later. They break down the three built-in security levels (privileged, baseline, restricted), walk through a real-world migration from PSPs to PSA for a fintech company, and explain why most teams have misconfigured their admission webhooks. Lucas shares concrete examples of how a single mislabeled namespace can expose your cluster to container escape attacks, and Luna pushes back on the complexity of adopting restricted profiles for legacy workloads. They also discuss the operational impact: how PSA affects CI/CD pipelines, why you should test admission policies with dry-run mode, and the common gotcha around ephemeral containers. If you're running Kubernetes without validating your Pod Security Admission settings, your cluster is likely less secure than you think. #Kubernetes #PodSecurityAdmission #PSA #PodSecurityPolicy #PSP #CloudNative #DevOps #ClusterSecurity #ContainerSecurity #K8sSecurity #SecurityPolicy #AdmissionController #Technology #BusinessPodcast #FexingoBusiness #TechOps #Compliance #KubernetesMigration Keep every episode free: buymeacoffee.com/fexingo

Lucas and Luna drill into a specific, overlooked compliance risk in modern software operations: unpatched base images in Docker registries. They walk through a real scenario from a fintech startup that failed a SOC 2 audit because a six-month-old Node.js base image contained known vulnerabilities. The hosts explain why most image scanning pipelines miss what matters, how distroless images change the risk profile, and why your Kubernetes cluster's image pull policy might be your biggest liability. They also share the one concrete change teams can make this week to reduce exposure. No theory — just a focused breakdown of a problem that's quietly costing companies time, money, and customer trust. #Docker #Compliance #SOC2 #ImageScanning #Distroless #Kubernetes #DevOps #Security #VulnerabilityManagement #CI/CD #ContainerSecurity #Fintech #NodeJS #BaseImages #CloudNative #SoftwareOperations #FexingoBusiness #TechnologyPodcast Keep every episode free: buymeacoffee.com/fexingo

Episode 12 of DevOps Daily digs into Kubernetes RBAC misconfigurations — the single biggest compliance blind spot in most cloud-native environments. Lucas and Luna walk through a real incident at a mid-sized fintech where a single over-permissive ClusterRole let an attacker pivot to production data. They break down the principle of least privilege, how to audit your existing RBAC bindings with open-source tooling like kubectl-who-can and rbac-lookup, and why 'it worked in staging' is a dangerous justification for overly broad permissions. The conversation closes on whether policy-as-code tools like OPA/Gatekeeper are the right next step or just another abstraction layer. No clickbait, no fluff — just actionable DevOps ops intel. #Kubernetes #RBAC #DevOps #CloudSecurity #Compliance #LeastPrivilege #FintechIncident #kubectlWhoCan #PolicyAsCode #OPAGatekeeper #ClusterRole #ProductionSecurity #PodIdentity #Tech #DevOpsDaily #FexingoBusiness #BusinessPodcast #CloudNative Keep every episode free: buymeacoffee.com/fexingo

Lucas and Luna dive into the most critical and overlooked artifact in modern infrastructure: the Terraform state file. They explain why losing or corrupting state.json means losing control of your entire cloud estate. Using the real-world example of a 2024 incident where a major SaaS provider accidentally deleted its production state file during a migration, they walk through the anatomy of the failure, the three-hour outage that followed, and the operational changes that prevent it. They cover remote state backends, state locking with DynamoDB, partial configuration patterns, and the controversial practice of state file versioning. Listeners walk away knowing exactly how to audit their own state setup and what single command to run tonight to check if they're exposed. #Terraform #InfrastructureAsCode #StateFile #SinglePointOfFailure #DevOps #CloudInfrastructure #IaC #HashiCorp #S3Backend #DynamoDB #StateLocking #BackupStrategy #IncidentResponse #DisasterRecovery #Technology #FexingoBusiness #BusinessPodcast #DevOpsDaily Keep every episode free: buymeacoffee.com/fexingo

Episode 10 of DevOps Daily. Lucas and Luna dig into a problem every engineering team is facing in mid-2026: cloud CI costs spiralling out of control. They walk through a real example of a mid-stage startup whose GitHub Actions bill hit $14,000 in a single month because of one misconfigured matrix build. They discuss why cost caps are the missing control plane, how tools like Buildkite and self-hosted runners change the calculus, and why treating CI as an infinite resource is a cultural failure, not just a technical one. Practical, specific, and timely for any team running pipelines at scale. #CI #CICD #CostOptimization #CloudCosts #GitHubActions #Buildkite #DevOps #SoftwareEngineering #PipelineOptimization #FinOps #InfrastructureAsCode #RunnerScaling #MatrixBuilds #TechOps #Technology #FexingoBusiness #BusinessPodcast #DevOpsDaily Keep every episode free: buymeacoffee.com/fexingo

Lucas and Luna dive into Kubernetes network policies — a critical but often overlooked security layer. They explain why default 'allow all' traffic is risky, how a single misconfigured policy can expose your cluster, and walk through a real-world example from a fintech startup that locked down its microservices. Listeners will learn the three essential network policy rules every DevOps team should implement, plus how to test policies without breaking production. No fluff, just actionable insights for anyone running containers in production. #Kubernetes #NetworkPolicies #DevOps #ContainerSecurity #CloudNative #Microservices #Fintech #Security #Calico #Cilium #PodSecurity #TrafficControl #Tech #FexingoBusiness #BusinessPodcast #DevOpsDaily #ZeroTrust #K8sBestPractices Keep every episode free: buymeacoffee.com/fexingo

Lucas and Luna dive into why Kubernetes Pod Security Policies are being deprecated and what Pod Security Admission replaces them with. They break down the practical impact on DevOps teams, how to migrate without breaking production, and why the old approach created more work than security. If you're still using PSPs or have avoided updating, this episode gives you the migration playbook. #Kubernetes #PodSecurityAdmission #DevOps #CloudNative #ContainerSecurity #PodSecurityPolicies #K8sSecurity #InfrastructureAsCode #Technology #BusinessPodcast #FexingoBusiness #DevOpsDaily #SecurityShift #K8sMigration #PSP #AdmissionController #ClusterSecurity #DevSecOps Keep every episode free: buymeacoffee.com/fexingo

In this episode of DevOps Daily, Lucas and Luna dig into a surprisingly common blind spot in Kubernetes deployments: misconfigured Helm charts that leak secrets, expose ports, or grant overly broad RBAC permissions. They walk through a real incident from a fintech startup that lost $12,000 in crypto mining costs because a Helm chart default exposed their cluster's metadata API. Lucas explains why the 'helm template' command should be part of every CI pipeline, and Luna shares how her team caught similar issues by scanning chart output before apply. If you deploy with Helm, this episode will change how you review your charts. No ads, just practical DevOps. #Helm #Kubernetes #DevOps #Security #SecretManagement #RBAC #CICD #InfrastructureAsCode #CloudNative #KubernetesSecurity #HelmCharts #DevSecOps #Technology #FexingoBusiness #BusinessPodcast #DevOpsDaily #Podcast #TechOps Keep every episode free: buymeacoffee.com/fexingo

Episode 6 of DevOps Daily with Fexingo tackles a common but dangerous assumption in modern CI/CD: that security scanning should happen after tests pass. Lucas and Luna walk through a real September 2025 incident at a fintech startup where a leaked AWS key in a public repo wasn't caught until 47 minutes after merge. They explain why shifting secret scanning to pre-commit hooks and pre-CI gates — with tools like Gitleaks, TruffleHog, and custom regex — prevents blast radius damage. The hosts debate trade-offs: developer friction versus runtime detection, false positive fatigue, and how to track scan coverage with a simple Service Level Objective. They also cite a 2025 GitGuardian report showing a 62 percent year-over-year increase in exposed credentials. The episode ends with a concrete three-step implementation checklist any team can adopt this week. No jargon for jargon's sake — just a focused case and a clear, actionable argument for changing when you scan. #SecretScanning #CI/CD #DevSecOps #Gitleaks #TruffleHog #GitGuardian #PreCommitHooks #SecurityPipeline #FintechSecurity #CloudSecurity #InfrastructureAsCode #ShiftLeft #ServiceLevelObjective #FalsePositive #DeveloperExperience #Technology #FexingoBusiness #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo

Lucas and Luna dive into infrastructure-as-code linting—why most DevOps teams skip it and why that's a costly mistake. Lucas walks through a specific case: how HashiCorp's Sentinel policy-as-code framework caught a misconfigured Terraform module that would have exposed an entire production database. They discuss static analysis tools like Checkov and tfsec, the difference between linting and policy enforcement, and why integrating these checks into CI/CD pipelines can cut incident response time by half. Luna pushes back on the overhead argument, and Lucas counters with data showing that teams using IaC linters resolve misconfigurations 60% faster. The episode closes with a practical tip: start with your top five security rules before scaling up. #InfrastructureAsCode #Terraform #Linting #DevOps #CI/CD #PolicyAsCode #Security #Checkov #Tfsec #Sentinel #HashiCorp #Automation #CloudEngineering #ConfigurationManagement #DevSecOps #Technology #FexingoBusiness #BusinessPodcast Keep every episode free: buymeacoffee.com/fexingo

Lucas and Luna discuss how service level objectives (SLOs) are transforming DevOps observability. Using a case study from a mid-size e-commerce platform that cut incident response time by 40% after adopting SLO-based alerting, they explain the difference between SLIs, SLOs, and SLAs, and why measuring what matters beats monitoring everything. They also touch on the 'error budget' concept and how it changes the conversation between developers and operations. A practical episode for anyone drowning in dashboards. #DevOps #Observability #ServiceLevelObjectives #SLO #SLI #ErrorBudget #SiteReliabilityEngineering #SRE #IncidentResponse #DevOpsDaily #FexingoBusiness #BusinessPodcast #Technology #Monitoring #Alerting #Ecommerce #Reliability #LucasAndLuna Keep every episode free: buymeacoffee.com/fexingo

Lucas and Luna dig into a failure mode that haunts every DevOps team: the deployment rollback that doesn't actually work when you need it. They break down the classic 'rollback is just redeploying the last good image' myth, using a real incident from a mid-size fintech company that lost 15 minutes of transaction data because their rollback restored code but not database state. Lucas explains the difference between stateless and stateful rollbacks, why Kubernetes Helm hooks can fool you, and how a team at a payments startup fixed their process by adding pre-rollback smoke tests. By the end, you'll know why you should test your rollback script on the first of every month, not just after an outage. No vague best practices, just a concrete mistake and a fix you can steal. #DevOpsDaily #CI/CD #Kubernetes #Rollback #Deployment #IncidentResponse #DatabaseMigrations #Helm #Fintech #StatefulRollback #SmokeTests #Pipeline #ProductionIncident #SoftwareOperations #Technology #FexingoBusiness #BusinessPodcast #DevOpsPodcast Keep every episode free: buymeacoffee.com/fexingo

Lucas and Luna dig into the hidden cost of Kubernetes. Most teams track CPU and memory but miss data egress, control plane charges, and orphaned volumes. Lucas cites a real example: a mid-stage SaaS startup was spending $12,000 a month on cross-zone traffic they didn't know they were generating. They walk through three specific ways to audit your cluster costs — namespace-level tagging, rightsizing requests and limits, and using Kubecost or OpenCost for allocation visibility. Luna pushes back on the trade-offs: if you optimize too hard for cost, do you sacrifice reliability? They land on the idea that cost awareness is a team discipline, not a tool install. #Kubernetes #CloudCosts #DevOps #KubernetesCostOptimization #FinOps #CloudComputing #Kubecost #OpenCost #ContainerOrchestration #K8s #CostManagement #Infrastructure #TechPodcast #SoftwareEngineering #CloudNative #FexingoBusiness #BusinessPodcast #DevOpsDaily Keep every episode free: buymeacoffee.com/fexingo

In the premiere episode of DevOps Daily, Lucas and Luna open with a story every engineer knows: a deploy at 2 AM breaks production because a database migration ran before the schema change was applied. That human error, repeated in companies big and small, is exactly what modern CI/CD pipelines are designed to prevent — and why a well-built pipeline is more than just automation. Lucas walks through the anatomy of a deploy pipeline, how Kubernetes changed the game for rollbacks, and why the real bottleneck isn't the tooling — it's the testing strategy. Luna pushes back on the idea that 'just add more stages' fixes everything, pointing to a 2024 incident where a 47-stage pipeline still shipped a null pointer exception into production. Together they lay out what this show is about: not theory, but the specific decisions — branching models, test parallelization, canary releases, observability hooks — that separate a smooth Monday morning from a weekend on-call. #DevOps #CI/CD #Kubernetes #SoftwareEngineering #Deployment #Pipeline #ProductionIncident #Automation #Testing #CanaryRelease #Rollback #Observability #Technology #FexingoBusiness #BusinessPodcast #DevOpsDaily #LucasAndLuna #ModernOperations Keep every episode free: buymeacoffee.com/fexingo