🚮 Kubernetes 1.35 is letting go of some old technology:

cgroup v1 in favor of cgroup v2
SPDY in favor of WebSockets
gogo protobuf in favor of standard libs

ℹ️ www.sysdig.com/blog/kuberne...

🔑 Token secrets for CSI drivers in Kubernetes 1.35:

🗂️ New field to provide secrets to CSI drivers.
🛡️ Keeping sensitive data separate from configuration.

ℹ️ www.sysdig.com/blog/kuberne...

🦹🏻 Constrained impersonation in Kubernetes 1.35:

💡 Impersonator: User acting as another user.
🚧 They are now limited to their original permissions.
🛡️ This prevents privilege escalations.

ℹ️ www.sysdig.com/blog/kuberne...

🌐 User namespaces when using the host network in Kubernetes 1.35:

🛡️ Pods using the host network no longer need to also use the host users.
🔐 They can run as privileged without being root.

ℹ️ www.sysdig.com/blog/kuberne...

🪪 Increased verifications when pulling images in Kubernetes 1.35:

🔎 Performs credentials check when accessing images, not only on pull.
👥 To keep images secure in multi-tenant clusters.

ℹ️ www.sysdig.com/blog/kuberne...

🔥 Codex can help with the basics. It correctly identifies the source of the alert and can create a GitHub issue.

💣 However, it doesn’t explain things correctly and can be manipulated to ignore some data. You must supervise it.

This article covers this use case by connecting Codex to several MCPs.

First, retrieves a list of alerts using the Sysdig MCP

Then investigates the issue with the GitHub MCP without downloading the code.

It ends by creating a GitHub issue with context for the relevant team to implement a fix.