Kubernetes News Feed
-
Kubescape 4.0 ships runtime threat detection GA and AI agent security scanning
Kubescape 4.0 marks runtime threat detection and dedicated security storage as stable and production-ready, and drops the intrusive host-sensor DaemonSet. It also ships a plugin for AI agents to scan cluster security posture, plus 15 controls for securing KAgent deployments.
AI agents managing infrastructure need to be secured too. Kubescape 4.0 covers both sides of that problem.
-
Meshery 1.0 ships a visual governance layer for Kubernetes infrastructure
Meshery hits v1.0 after six years. Instead of raw YAML, your team works in Kanvas, a visual designer that shows infrastructure as a connected diagram, validates changes via OPA, and supports 300+ integrations. It sits on top of your existing IaC tooling.
When AI generates infra config faster than teams can review it, a visual layer that catches conflicts before production is the guardrail that actually gets used.
-
Broadcom donates Velero to CNCF, reshaping Kubernetes backup and disaster recovery
Broadcom is handing Velero to the CNCF, making the go-to Kubernetes backup tool community-owned. VKS 3.6 also ships bring-your-own-CNI and performance profiles for AI and database workloads.
Kubernetes has no built-in backup. Velero under neutral governance means less vendor lock-in and more long-term confidence.
-
Trivy supply chain attack spreads infostealer via Docker and deploys Kubernetes wiper
Stolen Aqua Security credentials were used to push malicious Trivy versions (0.69.4-0.69.6) to Docker Hub. That kicked off a self-spreading worm on npm and a wiper that nuked Kubernetes clusters via privileged DaemonSets. CVE-2026-33634, CVSS 9.4.
One compromised bot account bridging two GitHub orgs took the attack from a compromised scanner to live cluster destruction. Pin your Actions by commit SHA now.
-
A production guide to when Kubernetes actually restarts your pod
A CNCF maintainer breaks down exactly when Kubernetes restarts a container, recreates a pod, or does nothing. Covers ConfigMaps, image updates, in-place resize (GA in 1.35), Istio, and Stakater Reloader, each with lab-verified output.
Most incident time is wasted because engineers mix up container restarts and pod recreations. This gives you a decision matrix you can use at 2am.