
@cloudnativeboy.bsky.social

Host of youtube.com/@cloudnativefm podcast, CNCF Ambassador

2,077 Followers  |  202 Following  |  957 Posts  |  Joined: 22.10.2024  |  2.1497

Latest posts by cloudnativeboy.bsky.social on Bluesky

I hope you find this 🧡 helpful: writing, enabling, & executing policy as code is not only a prerequisite, but a demand for battle-tested and resilient infra. Share your thoughts on CEDAR's new approach to writing policies & defending clusters ✍️ 👇
bsky.app/profile/clou...

05.02.2026 17:53 — 👍 0    🔁 0    💬 0    📌 0

(7/7) An exciting aspect to me is the ability to enforce label-based access control decisions in a cluster. This enables you to partition a K8s cluster not by namespaces, but by k/v label presence. See the launch blog for an example of how this can work. cedarpolicy.com/blog/cedar-f...

05.02.2026 17:53 — 👍 0    🔁 0    💬 1    📌 0

(6/6) Cedar for Kubernetes supports features not available in Kubernetes RBAC today like denials, conditions, and attribute and label-based access controls.

05.02.2026 17:52 — 👍 0    🔁 0    💬 1    📌 0

(5/5) For a walkthrough of Cedar, you can get a crash course in the project’s GitHub documentation or the language docs. Cedar is powered by formally verified automated reasoning, enabling you to verify that policies are valid and cannot error on enforcement.

05.02.2026 17:51 — 👍 0    🔁 0    💬 1    📌 0

(4/4) Cedar access control for K8s aims to help solve this set of problems. By using the same language for both authorization and admission policies, administrators can quickly reason about what permissions are granted and what restrictions are applied in the same policy file.

05.02.2026 17:51 — 👍 0    🔁 0    💬 1    📌 0

(3/3) This introduces high cognitive overhead when authoring policy, and the risk of an unintended effect increases when making and reviewing code changes to existing policies, as a reviewer might not be aware of all permissions or restrictions if only one is being modified.

05.02.2026 17:51 — 👍 0    🔁 0    💬 1    📌 0

(2/2) One of the main motivations for this work is that defenders who secure K8s clusters have to learn and use multiple policy languages to get their job done, often defining permitted actions in one file and restrictions in separate policy files, languages, & frameworks.

05.02.2026 17:51 — 👍 0    🔁 0    💬 1    📌 0
Cedar Joins CNCF as a Sandbox Project | Amazon Web Services Cedar, an open source authorization policy language and SDK, has joined the Cloud Native Computing Foundation (CNCF) as a Sandbox project. CNCF provides a neutral home for early stage and developing o...

🧡 (1/1) A new kid in Policy Town: Cedar by AWS, access controls for K8s, is now a CNCF Sandbox Project!

Cedar is an open-source policy language created by AWS. This project enables writing expressive Kubernetes permissions.
aws.amazon.com/blogs/openso...

05.02.2026 17:50 — 👍 0    🔁 0    💬 1    📌 1

Season 4 opener — Episode 144: Agentic DevOps: Automation, Autonomy, & the Risk of Vendor Lock-In
🎧 I talk with Mahir Vora, @CDFoundation Ambassador, about safe agent workflows, trust budgets, RBAC for remediation, and pricing & lock-in risks.

Watch the full episode: youtu.be/bQdRpfmSXnI

22.01.2026 17:26 — 👍 0    🔁 0    💬 0    📌 0
GitHub - kubernetes-sigs/ingress2gateway: Convert Ingress resources to Gateway API resources Convert Ingress resources to Gateway API resources - kubernetes-sigs/ingress2gateway

In case you didn't notice:

ingress2gateway is a CLI that reads Kubernetes Ingress resources and outputs equivalent Gateway API manifests

It maps hosts, paths, and routing rules directly, allowing you to adopt Gateway API resources instead of legacy Ingress
github.com/kubernetes-s...

16.01.2026 18:17 — 👍 2    🔁 1    💬 0    📌 0

If you’re designing an IDP in 2026: start with CRD-driven services (Crossplane), enforce policies (Kyverno), sync cluster state via GitOps (Argo CD), and surface developer UX in Backstage.

If you have built one and have a story to share

Comment below; I will feature it in #cloudnativefm (12/12)

16.01.2026 18:11 — 👍 1    🔁 0    💬 0    📌 0

Real benefits: full control, no vendor lock-in, consistent patterns (like public clouds), easier extension via CRDs, and the ability to enforce policies at the platform level (Kyverno) while exposing a clean developer UX (Backstage). (11/11)

16.01.2026 18:10 — 👍 0    🔁 0    💬 1    📌 0

What’s missing? CI/workflows, but that’s fine.
GitHub Actions, GitLab CI, Tekton, Jenkins, choose your CI. Foundation matters more than which CI runner you pick. (10/10)

16.01.2026 18:10 — 👍 0    🔁 0    💬 1    📌 0

Why BACK Stack?

Open source, CNCF-aligned, mature adopters:
- Argo & Crossplane are graduated;
- Backstage & Kyverno are rapidly maturing.

Strong ecosystem + Crossplane providers for cloud, DBs, SaaS. (9/9)

16.01.2026 18:09 — 👍 1    🔁 0    💬 1    📌 0

Meet the BACK Stack — my pick for 2026 IDPs:

Backstage (portal) + Argo CD (GitOps/CD) + Crossplane (platform controllers/CRDs) + Kyverno (policy).

Each leads its domain, and they work together harmoniously. (8/8)

16.01.2026 18:08 — 👍 0    🔁 0    💬 1    📌 0

Build on CNCF + Kubernetes-native components. Services as controllers, APIs as CRDs, policy via Kubernetes policy engines, that’s modern platform design, not a shortcut. (7/7)

16.01.2026 18:08 — 👍 1    🔁 0    💬 1    📌 0

Beware partial/proprietary solutions: portals-only (Roadie, Port, Cortex) or closed all-in-one vendors (Harness, Qovery) can lock you into outdated patterns or vendor lock-in. (6/6)

16.01.2026 18:07 — 👍 0    🔁 0    💬 1    📌 0

Interact with those APIs however you want: kubectl, Helm, GitOps (Argo CD/Flux), Backstage, custom UIs. The portal becomes a client, not the center of the universe. (5/5)

16.01.2026 18:07 — 👍 0    🔁 0    💬 1    📌 0

Where do you run platform services? Kubernetes controllers. Why? They reconcile the desired state → actual state, exactly what platform services must do. CRDs give you declarative APIs for free. (4/4)

16.01.2026 18:06 — 👍 0    🔁 0    💬 1    📌 0

Starting with a portal = building a house from the roof. Backwards. Start with services and APIs first, then add UIs (portal, CLI, GitOps) as clients. (3/3)

16.01.2026 18:06 — 👍 0    🔁 0    💬 1    📌 0

Real platforms follow the public-cloud pattern: services that do things, APIs that expose those services, and UIs/CLIs/SDKs that consume the APIs.

Design like a public cloud: services → APIs → UIs. (2/2)

16.01.2026 18:06 — 👍 0    🔁 0    💬 1    📌 0

Internal Developer Platform (IDP) is widely misunderstood as a fancy web UI where developers click buttons. That’s not a platform.

Design like a public cloud: services/APIs/UIs

My choice for building an IDP in 2026 -> BACK Stack (Backstage, Argo CD, Crossplane, Kyverno) 🧡 / (1/1)

16.01.2026 18:05 — 👍 1    🔁 0    💬 1    📌 0

Back at university, doing what I love, teaching and learning. Thank you @CUSTislamabad for hosting my Cloud Native DevOps Roadmap 2026 talk. The students who stayed after, asked great questions, and showed real hunger for DevOps & GenAI reminded me why I do this. 🙏 #GenAI #DevOps

14.01.2026 14:45 — 👍 1    🔁 0    💬 0    📌 0

Richard walks through what reskilling looks like in 2026 for people in cloud, DevOps, and infrastructure roles: from prompt/context engineering to MLOps, agentic AI roadmaps, and vendor learning paths that you can actually start today.

Watch -> youtu.be/lI5m5ILq8yY #CloudNativeFM

Add your 🤔 ✍️👇

14.01.2026 14:25 — 👍 0    🔁 0    💬 0    📌 0

Will 2026 be a year of new protocols? Will you care about it?

Google just open-sourced the Universal Commerce Protocol.

AI Agents can now discover products, fill carts, and complete purchases autonomously.

Works with Agent2Agent (A2A), Agents Payment Protocol (AP2) and MCP.

100% open source.

14.01.2026 13:57 — 👍 0    🔁 0    💬 0    📌 0

MIT says ~95% of GenAI pilots show no measurable P&L impact. Wharton finds ~75% of firms report positive ROI. Different questions = different headlines.

Short clip w/ Richard Simon unpacks why
#CloudNativeWisdom18: youtu.be/fTE_tSW1NzA

07.01.2026 16:03 — 👍 0    🔁 0    💬 0    📌 0
YouTube video by Cloud Native Podcast: #CloudNativeWisdom17 Resilience ≠ HA: What the US-East-1 Outage Taught Us

Resilience vs High Availability, following the AWS US-East-1 outage:

Richard Simon and I explain why AZ-level resilience wasn’t enough and how true HA needs cross-region failover and practice.

Watch our quick explainer 👇
youtu.be/WMx3kV-qwXE

06.01.2026 13:24 — 👍 0    🔁 0    💬 0    📌 0

@hrexed.bsky.social Happy birthday and best wishes for 2026.

06.01.2026 09:23 — 👍 0    🔁 0    💬 0    📌 0

#CloudNativeWisdom16 How AI and generative agents are reshaping cloud migration from automated discovery & dependency mapping to vendor tools, including those from AWS, Microsoft Azure, Google, and newcomers like Fluid Cloud.

Watch on #CloudNativeFM -> youtu.be/13eEAOCA6SQ

06.01.2026 03:23 — 👍 0    🔁 0    💬 0    📌 0
Kubernetes 1.35: In-Place Pod Resize Graduates to Stable This release marks a major step: more than 6 years after its initial conception, the In-Place Pod Resize feature (also known as In-Place Pod Vertical Scaling), first introduced as alpha in Kubernetes ...

With the release of K8s 1.35, In-Place Pod Vertical Scaling has officially hit GA.

We no longer have to restart pods (and risk minor disruptions) just to adjust CPU or memory limits.

Check out the details here: kubernetes.io/blog/2025/12...

02.01.2026 17:48 — 👍 0    🔁 0    💬 0    📌 0
