
Latest Cloud Native Updates: K8s External Secrets, Performance Gains, and Best Practices

This roundup covers GoDaddy's open‑source Kubernetes External Secrets project, free CNCF cloud‑native courses for Chinese developers, major Kubernetes performance and security enhancements, Knative and Istio updates, containerd improvements, a shift from rich‑container ops to cloud‑native practices, and recommended open‑source and reading resources.

Alibaba Cloud Native

Industry News

GoDaddy announced its open‑source project Kubernetes External Secrets (KES), which introduces an ExternalSecrets API that lets developers consume external secret stores in Kubernetes as easily as native Secrets, reducing both attack surface and integration effort. The Kubernetes KMS plugin also adopts envelope encryption for secret storage.

CNCF launched free cloud‑native technology courses for Chinese developers, focusing on deep technical exploration and hands‑on labs covering the cloud‑native stack, reflecting the high popularity of Linux, Docker, and Kubernetes among developers.

Upstream Project Highlights

Kubernetes

Performance improvement: A two‑fold speedup for required and preferred PodAffinity scheduling (PR #76243) addresses a major scheduler bottleneck.

Security enhancement: Introduction of Node‑Scoped DaemonSet, granting daemonsets only the permissions of the node’s kubelet and following the same authentication flow, mitigating privilege‑escalation risks.

Feature patch: Proposal to add default support for lxcfs in kubelet, improving visibility of CPU and memory metrics inside containers, though it requires an additional installation.

Knative

The Serving API is moving to v1beta1, adopting a standard PodSpec and simplifying migration from Kubernetes Deployments. Changes include runLatest as the default, traffic‑based releases, removal of Manual mode, and revised revision naming.

Eventing no longer relies on Istio VirtualService for trigger routing; URLs are used instead, decoupling from Istio.

Further Istio decoupling: Eventing Channel and Bus bindings now write the bus hostname directly to channel status, eliminating the need for Istio proxies.

Istio

Two critical Envoy vulnerabilities (CVE‑2019‑9900 and CVE‑2019‑9901) were patched in Envoy 1.9.1 and back‑ported to Istio 1.1.2 and 1.0.7; users should upgrade immediately.

Performance improvements in Istio 1.1 reduce Pilot CPU usage by 90 % and memory usage by 50 %, enabling more efficient traffic management and gray‑release scenarios.

containerd

Support for a v2 shim with cgroup configuration is slated for the 1.3 release, allowing multiple containers to share a single shim and enabling pod‑level resource control.

Plugin ID management is being revisited to handle duplicate IDs safely, also targeted for the 1.3 release.

Cloud‑Native Best Practices

Transforming traditional rich‑container operations to cloud‑native:

Replace proprietary runtimes (e.g., PouchContainer) with a CRI‑compatible runtime such as containerd.

Decompose monolithic rich containers into separate pods: a business container for the main process, a sidecar for logging/debugging, and an auxiliary container for Service Mesh agents.
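The decomposition described above, as an added example that is not part of the original newsletter: a single Pod manifest carrying the business container, a logging sidecar and a service‑mesh agent, with each container dropped to minimal privileges. Image names, the port and the log path are placeholders.

```yaml
# Added example (not from the newsletter): one Pod replacing a monolithic
# "rich container". Image names, ports and paths are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: order-service
  labels:
    app: order-service
spec:
  serviceAccountName: order-service     # per-workload identity, not a node-wide one
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  volumes:
    - name: app-logs
      emptyDir: {}                      # shared only between app and log sidecar
  containers:
    # 1. Business container: runs the main process and nothing else.
    - name: app
      image: registry.example.com/order-service:1.4.2   # placeholder image
      args: ["--log-dir=/var/log/app"]
      ports:
        - containerPort: 8080
      volumeMounts:
        - name: app-logs
          mountPath: /var/log/app
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
    # 2. Sidecar: ships logs that an in-container agent used to handle.
    - name: log-shipper
      image: registry.example.com/log-shipper:2.0       # placeholder image
      volumeMounts:
        - name: app-logs
          mountPath: /var/log/app
          readOnly: true                # sidecar can read logs, never alter them
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
    # 3. Auxiliary container: service-mesh agent (in practice injected by the mesh).
    - name: mesh-proxy
      image: registry.example.com/mesh-proxy:1.1        # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

Each container now has one job and its own minimal privilege set, so a compromise of the log shipper or proxy no longer implies control of the business process, which the monolithic rich container could not offer.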

Open‑Source Project Recommendation

SPIFFE is highlighted for its identity‑centric approach to certificate distribution, enabling pod‑level identities across multi‑cloud environments without vendor lock‑in. SPIRE, the reference implementation, integrates with Service Meshes and supports zero‑trust security.

Reading Recommendations

Knative deep‑dive article by Brian McClain (translated by Sun Haizhou) that explains Knative concepts with progressive examples.

"Spark in Action on Kubernetes – Storage" by Alibaba’s Mo Yuan, discussing storage challenges and solutions for big‑data workloads in cloud‑native environments.

For full articles and additional resources, refer to the URLs provided in the original newsletter.
