
It Is Always DNS… Even at the Edge: Taming Proxy-Only Lookups Wi... Hector Monsalve & Thomas Gosteli
The session details Rush's internal platform team tackling edge-centric Kubernetes deployments, focusing on a stubborn DNS problem that emerged when customer firewalls restrict egress and provide DNS servers that cannot resolve public domains. By leveraging Cilium's service-mesh capabilities, the team routes all outbound traffic through a controlled HTTP proxy, satisfying strict firewall rules while keeping applications oblivious to the underlying network complexity. Key insights include using Cilium network policies to capture traffic, redirect it to Envoy configurations, and tunnel DNS queries over HTTPS (DoH) when CoreDNS returns NXDOMAIN responses. Because CoreDNS cannot forward DoH natively, a custom DNS-over-HTTPS proxy forwards queries to Cloudflare; the response travels back through the same proxy chain, so only a single outbound allowance on port 443 is needed. During the live demo, the team showed a three-container lab: a Kind cluster with CoreDNS pointing to a non-resolving upstream, an HTTP proxy, and a DoH proxy. When a pod queried rush.com, the initial NXDOMAIN triggered the fallback to the DoH proxy, which resolved the name via Cloudflare and returned it to the application, illustrating the end-to-end flow. The approach eliminates per-customer network tweaks, maintains the security posture, and demonstrates how service-mesh-driven traffic redirection can solve edge DNS challenges. Caching at the proxy layer mitigates the added latency, making the solution viable for regulated healthcare environments.

Connecting the World: Your Hands-On Guide To Cilium Cl... Arthur Outhenin-Chalandre & Quentin Swiech
The presentation introduced Cilium Cluster Mesh, a multicluster networking solution that extends Cilium’s single‑cluster capabilities—such as pod‑to‑pod encryption and network policies—to dozens or hundreds of clusters. By creating a flat IP space and a shared control plane, the mesh eliminates...

Backstage: From Spreadsheet to Standard | A CNCF Documentary
The video chronicles how Spotify’s famed squad model, while driving explosive engineering growth, eventually created a fragmented ecosystem of tools, services, and undocumented processes. New hires faced dozens of disparate dashboards and unclear ownership, leading to duplicated effort and slow...

CNCF On-Demand: K0rdent — Celebrating One Year of Orchestrating Multi-Cluster Kubernetes Platforms
The CNCF on-demand webinar marked the one-year anniversary of k0rdent, an open-source platform that orchestrates multi-cluster Kubernetes environments. Hosted by CNCF ambassador Priti Raj and a core team of developers, the session highlighted k0rdent's evolution from a prototype to a...

Cloud Native Live: Kyverno — Battle-Tested Policy to Safeguard Production
Kyverno has matured into a battle-tested policy engine for Kubernetes, with a year of enhancements and a broader umbrella of related projects on GitHub. The session showcases real-world production adoption across diverse industries, highlighting new mutation, validation, and webhook capabilities...

CNCF On-Demand: Ingress-Nginx Is Retiring, NGINX Is Not
During a recent CNCF On‑Demand session, the community clarified that the ingress‑nginx project is being retired, not the broader NGINX ecosystem. While the open‑source ingress‑nginx controller will be archived, commercial and CNCF‑backed offerings such as the NGINX Ingress Controller and...

CNL: Crossplane 2.0 - AI-Driven Control Loops for Platform Engineering
Crossplane 2.0 introduces new primitives, notably the Operations resource, enabling AI‑driven control loops on Kubernetes. The platform demonstrates how large language models can power zero‑code, plain‑English controllers and an AI‑guided database control plane that makes conservative, auditable scaling actions based...