
🔄 Someone kubectl apply'd a Hotfix Directly. How Do You Detect and Prevent It?
Manual kubectl in production is the Kubernetes equivalent of SSH’ing into a server and editing files. It works until it doesn’t, and when it doesn’t, nobody knows why.

Default Kubernetes is a flat network. Every pod can reach every other pod. In a cluster with ten services, that’s ten potential entry points, each with the whole cluster as its blast radius instead of just one service.

A common interview question in 2026. If your answer is ‘kubeconfig in a CI secret’, you’re not wrong — but you’re also not getting the job.

GitOps says Git is the source of truth. Secrets say don’t put them in Git. These two things appear to be in direct conflict. They’re not.

No open ports. Real TLS at home. One IngressRoute per app. This is the networking setup I landed on after ruling out everything that required a compromise.

I wanted to learn production-grade Kubernetes patterns without breaking production. One node, a full GitOps stack, and a hard rule: no manual kubectl after bootstrap.

My homelab uses oauth2-proxy for GitLab SSO. I wanted a QR code login for the TV dashboard. Two days and four complete rewrites later, I knew more about oauth2-proxy’s session format than I ever planned to.

How I turned a tribal-knowledge handover into a two-track learning roadmap — one track for the technology, one for our system, designed to interleave.