Kubernetes on Danilo Falcão da Silva

The Kubernetes Operator's Batman Utility Belt: Day-2 Tools That Actually Earn Their Keep

Mon, 25 May 2026 14:35:00 -0300

kubectl is the Swiss Army knife. Nobody disputes this. But Swiss Army knives are terrible at most of the individual jobs they claim to do, and kubectl is no different: it can tail logs, but only one pod at a time. It can switch contexts, but with zero guardrails. It can describe resources, but in a wall of YAML that buries the thing you actually care about.

Day-2 operations — the part where the cluster is live, traffic is flowing, and someone pages you at 2 a.m. — need sharper instruments. What follows is the utility belt I’d recommend to any Kubernetes operator building their toolkit in 2026. Not everything here is new. Some of these tools have been around since 2018. The point is that they’re still maintained, still solve real problems, and still faster than the kubectl incantation you’d otherwise be typing.

Terraform, OpenTofu and Pulumi: Why I Still Run Terraform in 2026

Thu, 21 May 2026 23:00:00 -0300

Infrastructure as Code stopped being a single-answer question a couple of years ago. Terraform went BSL in August 2023, OpenTofu forked under MPL, Pulumi kept arguing that infrastructure should be real code in real languages, and IBM closed the $6.4B HashiCorp acquisition in February 2025. Three legitimate tools, three different bets on who owns the abstraction.

I still run Terraform. For everything.

This post is the honest version of why. I’ve read the OpenTofu release notes, watched Pulumi talks, played with both on weekend projects, and read more migration write-ups than I can remember. I have never put OpenTofu or Pulumi in front of production traffic. Most of what follows about those two is research, not muscle memory — and I’ll flag that as I go.

The Kubernetes Ingress Landscape in 2026: Nginx Isn't the Center Anymore

Thu, 21 May 2026 17:50:00 -0300

For about a decade, “Kubernetes ingress” effectively meant one thing: ingress-nginx, the community-maintained controller that wrapped the Nginx engine behind the Kubernetes Ingress resource. It was fine. It was the default everyone reached for. It was also, quietly, the wrong long-term shape for the problem.

That era ended in 2026. The community ingress-nginx project reached end-of-life in March 2026. The Kubernetes Gateway API, which graduated to GA on the v1.2 line, is now the forward-looking standard. Envoy Gateway is the CNCF reference implementation. Cilium does L7 routing in eBPF without a sidecar or an extra proxy. RKE2 flipped to Traefik by default in v1.36 and removes ingress-nginx entirely in v1.37.

Where to Hide Kubernetes Secrets: AWS, Azure, GCP, and On-Prem Compared

Wed, 20 May 2026 22:25:00 -0300

The Kubernetes Secret object is a YAML manifest with a base64-encoded value in it. That’s the entire encryption story. Anyone with get permission on the namespace can read every credential the workload holds. Base64 is not encryption. It is barely obfuscation.

Teams discover this the wrong way — usually during a security review, occasionally during an incident — and the next question is always the same: so where do the real secrets live?

Rancher vs Lens: A Platform and a Dashboard, Not the Same Thing

Wed, 20 May 2026 21:15:00 -0300

You’ll see this comparison on r/kubernetes every couple of months, phrased as if it’s a real choice: Rancher or Lens? The framing is wrong. They occupy different layers of the stack. Asking which one “wins” is like asking whether VS Code beats Kubernetes.

But the question keeps coming up — usually from someone who has Lens installed, has heard about Rancher, and is trying to figure out whether they should swap. So let me lay out what each one actually is, where they overlap, where they don’t, and which one earns a place in a serious on-prem setup.

eBPF Is Eating Kubernetes' iptables Plumbing

Wed, 20 May 2026 19:30:00 -0300

For most of Kubernetes’ life, the cluster data path has been a tower of iptables rules. Pod-to-service routing, NAT, network policy, even the way kube-proxy programs a Service IP — all of it expressed as netfilter chains evaluated linearly on every packet. It worked. It also aged badly.

In 2026, the answer the ecosystem has converged on is eBPF, and the project doing most of the convergence is Cilium. The shift is no longer aspirational: kube-proxy itself shipped an nftables mode that is expected to go GA in Kubernetes 1.33, the old IPVS backend is deprecated as of v1.35, and the major managed Kubernetes providers (EKS, GKE, AKS) all offer a Cilium-powered data plane as a first-class option. Azure CNI Powered by Cilium is GA on K8s 1.33.

Caddy, Nginx, Traefik: Picking a Reverse Proxy in 2026

Wed, 20 May 2026 17:35:00 -0300

There is a kind of infrastructure question that never really gets settled, just re-litigated every couple of years as the surrounding ecosystem moves. “Which reverse proxy?” is one of those questions.

The shortlist hasn’t changed much: Caddy, Nginx, Traefik. The context around them has changed a lot. The community ingress-nginx project reached end-of-life in March 2026. RKE2 v1.36 flipped to Traefik as the default ingress. Caddy quietly shipped 2.11 with better health-checking and ECH rotation. Nginx is on 1.31 mainline / 1.30.1 stable and treats HTTP/3 as a first-class but still-evolving feature.

GitOps with Argo CD: The Reconciliation Loop That Survives 3 a.m.

Tue, 19 May 2026 13:30:00 -0300

Here’s the test I use for any deployment tooling:

It is 3 a.m. on a Sunday. PagerDuty just woke you up. A production service is degraded. You roll out of bed, open your laptop, and have to figure out what the cluster thinks is true, what’s actually true, and what changed in the last twelve hours. The faster you can answer those three questions, the better the tooling.

The right GitOps stack collapses all three questions into one dashboard. The wrong one has you SSH-hopping between five servers running kubectl rollout history against unlabeled deployments. I’ve done both. I’m writing this post about the former.

Helm 4 Made Me Stop Looking for an Alternative

Tue, 19 May 2026 13:00:00 -0300

Helm has been the punchline of Kubernetes packaging for about as long as Kubernetes has been called Kubernetes. Helm 2 had Tiller, an in-cluster component running as cluster-admin that read every chart’s YAML and applied it from inside the cluster — a security horror show that drove half the community to invent its own deployment tooling just to avoid it. Helm 3 finally killed Tiller in 2019 and went client-side, which fixed the worst of it. And then Helm 3 sat there, relatively unchanged, for six years.

RKE2 Deserves Some Love: Why It's My On-Prem Kubernetes Pick

Tue, 19 May 2026 12:30:00 -0300

Most of the Kubernetes conversation in 2026 happens around managed services — EKS, GKE, AKS — and most of the rest happens around K3s for edge and homelab. Somewhere in the middle, on the hardware that lives in a rack in a datacenter you can drive to, there’s a Kubernetes story that nobody talks about loudly enough.

That story is RKE2 — the Rancher Kubernetes Engine 2, SUSE’s hardened, security-focused, single-binary distribution designed for on-premises production. I’ve been running it for two years across two different employers and one home lab, and it’s the rare piece of infrastructure that gets more impressive the longer you live with it.