DevOps

I’ve run both Arch and NixOS as my daily driver workstation. Not in VMs, not as a weekend experiment — as my actual work machine where I do professional DevOps/platform engineering work, and as my personal machine where I do everything else. Both are excellent. Both have serious trade-offs. And the “best” choice depends heavily on your life situation and how much time you have for system maintenance. Here’s the thing: I have kids now. The days of spending a Saturday afternoon debugging a broken Xorg config are gone. My system needs to work, reliably, every time I open the laptop. But I’ve also learned that Arch’s “instability” is largely a skill issue — with the right practices, Arch can be just as reliable as NixOS. ...

I spend my evenings doing Hack The Box challenges and CTF competitions. Not because I want to become a pentester — I’m happy in platform engineering. But because the skills I learn there make me significantly better at my day job. This isn’t obvious at first. What does pwning a vulnerable web app have to do with running Kubernetes clusters? More than you’d think. Forensics and offensive security train you to think about systems differently. You learn to investigate, to trace, to understand what’s actually happening rather than what should be happening. And that mindset — plus the tooling — is exactly what you need when debugging production issues at 3 AM. ...

“We want to migrate to Kubernetes by November.” It was September. The client was an e-commerce company. Their biggest sales event of the year — Black Friday — was in late November. I said no. They asked if I knew someone who might take it on anyway. I did. A fellow platform engineer — someone I respect, highly capable. I made the introduction, but warned him about the timeline. He took the engagement, documented the same concerns I had, got them signed off. The client proceeded anyway. ...

When everything has cluster-admin, nothing is secure. Kubernetes RBAC (Role-Based Access Control) exists to answer one question: who can do what to which resources? Most clusters answer incorrectly: “everyone can do everything.” This isn’t just a security problem — it’s a resilience problem. When a service account gets compromised, how much damage can it do? When someone runs the wrong command, what’s the blast radius? Least privilege limits that radius. ...

Rules that exist only in documentation don’t get followed. Rules enforced by computers do. Kubernetes gives you incredible flexibility. Every team can deploy whatever they want, configured however they like. This freedom becomes chaos without guardrails. Kyverno is a policy engine for Kubernetes. It validates, mutates, and generates resources based on policies you define — as Kubernetes-native YAML. Why Kyverno? There are multiple policy engines: Open Policy Agent (OPA) with Gatekeeper, Kyverno, Kubewarden. I chose Kyverno because: ...