Securing AI Workloads in Kubernetes: Why Traditional Network Security Isn’t Enough
The AI revolution is here, and it’s running on Kubernetes. From fraud detection systems to generative AI platforms, AI-powered applications are no longer experimental projects; they’re mission-critical infrastructure. But with great power comes great responsibility, and for Kubernetes platform teams, that means rethinking security.
But this rapid adoption comes with a challenge: 13% of organizations have already reported breaches of AI models or applications, while another 8% don’t even know if they’ve been compromised. Even more concerning, 97% of breached organizations reported that they lacked proper AI access controls. To address this, we must recognize that AI architectures introduce entirely new attack vectors that traditional security models aren’t equipped to handle.
AI Architectures Introduce New Attack Vectors
AI workloads running in Kubernetes environments introduce a new set of security challenges. Traditional security models often fall short in addressing the unique complexities of AI pipelines, specifically related to The Multi-Cluster Problem, The East-West Traffic Dilemma, and Egress Control Complexity. Let’s explore each of these critical attack vectors in detail.
The Multi-Cluster Problem
Most enterprise AI deployments don’t run in a single cluster. Instead, they typically follow this pattern:
Training Infrastructure (GPU-Heavy)
- Dedicated clusters with high-memory GPU nodes
- Batch job Continue reading
Nvidia Disaggregates Long-Context Inference To Drive Bang For The Buck
It is beginning to look like that the period spanning from the second half of 2026 through the first half of 2027 is going to be a local maximum in spending on XPU-accelerated systems for AI workloads. …
Nvidia Disaggregates Long-Context Inference To Drive Bang For The Buck was written by Timothy Prickett Morgan at The Next Platform.
The Curious Case of ‘ip host’ Configuration Command
Since time immemorial, I have used the ip host router configuration command to get host-to-IP mappings in networking labs without going through the hassle of setting up a DNS server. Some devices even accepted multiple IP addresses in the ip host command, allowing you to list all router interfaces in a single command and get reverse (IP-to-host) mapping working like a charm. Or so I thought 🤦♂️
It turns out I’m too old, and what I know is sometimes no longer true. It seems that the last implementation working as I expected is Cisco IOS Classic ☹️
Packet trimming
The latest version of the AI Metrics dashboard uses industry standard sFlow telemetry from network switches to monitor the number of trimmed packets to use as a congestion metric.
Ultra Ethernet Specification Update describes how the Ultra Ethernet Transport (UET) Protocol has the ability to leverage optional “packet trimming” in network switches, which allows packets to be truncated rather than dropped in the fabric during congestion events. As packet spraying causes reordering, it becomes more complicated to detect loss. Packet trimming gives the receiver and the sender an early explicit indication of congestion, allowing immediate loss recovery in spite of reordering, and is a critical feature in the low-RTT environments where UET is designed to operate.
cumulus@switch:~$ nv set system forwarding packet-trim profile packet-trim-default cumulus@switch:~$ nv config apply
NVIDIA Cumulus Linux release 5.14 for NVIDA Spectrum Ethernet Switches includes support for Packet Trimming. The above command enables packet trimming, sets the DSCP remark value to 11, sets the truncation size to 256 bytes, sets the switch priority to 4, and sets the eligibility to all ports on the switch with traffic class 1, 2, and 3. NVIDA BlueField host adapters respond to trimmed packets to ensure fast congestion recovery.
OpenAI Lays Out The Principles Of Global-Scale Computing
If AI is to become pervasive, as the model builders and datacenter builders who are investing enormous sums of money are clearly banking on it to be, then it really goes have to be a global phenomenon. …
OpenAI Lays Out The Principles Of Global-Scale Computing was written by Timothy Prickett Morgan at The Next Platform.
D2DO282: Simplifying Complex Kubernetes Deployments With kro
Kubernetes is flexible and customizable, but it can also be notoriously complex and difficult to deploy to. On today’s Day Two DevOps we learn about kro (Kube Resource Operator), an open-source tool that helps simplify complex application deployments. Our guest is Islam Mahgoub, a Solutions Architect at AWS focused on building kro. We talk about... Read more »Labbing Network Technology Details with netlab
It’s been over four years since I published the last Software Gone Wild episode. In the meantime, I spent most of my time developing an open-source labbing tool, so it should be no surprise that the first post-hiatus episode focused on a netlab use case: how Ethan Banks (of the PacketPushers fame) is using the tool to quickly check the technology details for his N is for Networking podcast.
As expected, our discussion took us all over the place, including (according to Riverside AI):
Why IT-Site1 Can’t Ping OT_Site1R – Show and Tell Time #1
In my earlier blog post, Troubleshooting OT Security: Why IT-Site1 Can’t Ping OT_Site1R, we discovered the reason for this issue. Our “who done it” is simple. For security reasons, we are using Cisco TrustSec to keep them from communicating. Which... Read More ›
The post Why IT-Site1 Can’t Ping OT_Site1R – Show and Tell Time #1 appeared first on Networking with FISH.
Navigating DORA with Calico: Strengthening Kubernetes Operational Resilience in Financial Services
A single cyberattack or system outage can threaten not just one financial institution, but the stability of a vast portion of the entire financial sector. For today’s financial enterprises, securing dynamic infrastructure like Kubernetes is a core operational and regulatory challenge. The solution lies in achieving DORA compliance for Kubernetes, which transforms your cloud-native infrastructure into a resilient, compliant, and secure backbone for critical financial services.
The Challenge DORA Seeks to Solve
Before DORA (Digital Operational Resilience Act), rules for financial companies primarily focused on making sure they had enough financial capital to cover losses. But what if a cyberattack or tech failure brought a large part of the financial system down? Even with plenty of financial capital, a major outage could stop most operations and cause big problems for the whole financial market. DORA steps in to fix this. It’s all about making sure financial firms can withstand, respond to, and recover quickly from cyberattacks and other digital disruptions.
What is DORA?
The Digital Operational Resilience Act (DORA) is a European Union (EU) regulation that came into effect on January 17, 2025 and is designed to strengthen the security of financial entities. It establishes uniform requirements across the financial Continue reading
HW060: CNAE – A New Wired Networking Certification From the CWNP
The CWNP offers vendor-neutral certifications for wireless networking professionals. This summer, the organization rolled out a wired certification, the Certified Network Administrator and Engineer (CNAE). This cert is aimed at wired and wireless network engineers to ensure they have a solid grounding in switching, routing, cabling, and wired protocols. The CWNP says the cert isn’t... Read more »PP077: News Roundup–Drift Breach Has Long Reach; FCC Investigates Its Own IoT Security Program
Is any publicity good publicity? On today’s News Roundup we talk about how Salesloft, which makes the Drift chat agent that’s been used as a jumping-off point for credential harvesting and data breach attacks against a bunch of big-name companies, is testing that proposition. We also discuss bugs affecting industrial refrigeration controllers, and Microsoft making... Read more »SwiNOG 40: Reliability of High-Speed Transceivers
Whenever you see Gerhard Stein and Thomas Weible from Flexoptix in a list of presenters, three things immediately become obvious:
- It will be about transceivers
- It will be fun
- It will include some crazy stuff
Their SwiNOG 40 presentation (video) met all three expectation. We learned how well transceivers cope with high temperatures and what happens when you try to melt them with a heat gun.
NB542: Hollow Core Fiber Outshines Glass; Broadcom Bags Big AI Bucks
Take a Network Break! We shine a red light on an AnyShare Service Agent API vulnerability and an active exploit against FreePBX. SASE vendor Cato Networks makes first-ever acquisition with purchase of AI security startup AIM, Microsoft researchers tout hollow core fiber tests that out-perform glass core fiber optics, and Wi-Fi 7 helps drive up... Read more »Creating a Talos Linux Cluster on AWS with Pulumi, 2025 Edition
A little over two years ago, I wrote a post on creating a Talos Linux cluster on AWS using Pulumi. At the time of that post, the Pulumi provider for Talos was still a prerelease version. Since then, the Talos provider has undergone some notable changes necessitating an update to the example code I have on GitHub. For your reading pleasure, therefore, I present you with the 2025 edition of a tutorial for using Pulumi to create a Talos Linux cluster on AWS.
The updated Pulumi code can be found in this GitHub repository. Note that I’ve tagged the original version from the 2023 blog post with the “2023-post” tag, in the event you’d like to see the original code. While I chose to write my Pulumi code in Go, note that Pulumi supports a number of different languages (such as JavaScript/TypeScript, Python, one of the .NET languages, Java, or even YAML). I leave it as an exercise for the reader to re-implement this functionality in a different language. This Pulumi program is based on the Talos documentation for standing up a cluster on AWS.
The Pulumi program has four major sections:
- First, it creates the underlying base infrastructure Continue reading
IDC Makes Ebullient AI Spending Forecast Out To 2029
Ever since Nvidia reported its most recent financial results, where company co-founder and chief executive officer Jensen Huang said that there would be somewhere between $3 trillion and $4 trillion in spending on AI between now and the end of the decade, we have been on the prowl for any market research that backs up this claim or is its source. …
IDC Makes Ebullient AI Spending Forecast Out To 2029 was written by Timothy Prickett Morgan at The Next Platform.
Bringing Node.js HTTP servers to Cloudflare Workers
We’re making it easier to run your Node.js applications on Cloudflare Workers by adding support for the node:http client and server APIs. This significant addition brings familiar Node.js HTTP interfaces to the edge, enabling you to deploy existing Express.js, Koa, and other Node.js applications globally with zero cold starts, automatic scaling, and significantly lower latency for your users — all without rewriting your codebase. Whether you're looking to migrate legacy applications to a modern serverless platform or build new ones using the APIs you already know, you can now leverage Workers' global network while maintaining your existing development patterns and frameworks.
Cloudflare Workers operate in a unique serverless environment where direct tcp connection isn't available. Instead, all networking operations are fully managed by specialized services outside the Workers runtime itself — systems like our Open Egress Router (OER) and Pingora that handle connection pooling, keeping connections warm, managing egress IPs, and all the complex networking details. This means as a developer, you don't need to worry about TLS negotiation, connection management, or network optimization — it's all handled for you automatically.
This fully-managed approach is actually why Continue reading
Measuring Explicit Congestion Notification
I've always thought that the TCP protocol was the heart of the ingenuity that is the Internet. TCP is a flow control protocol that strives to produce both fair efficient outcomes, both for each TCP session, but for the networ4k as well. The essential feedback signal used by TCP is congestion-based packet loss, but this isn't the only approach. Another approach lies in enrolling the aassistance of the network's routers, and use packet marking instead of loss to signal to the TCP end hosts that network congestion is taking place. This form of signalling, Explicit Congestion Notification is explored in this article, as well as the outcomes of a measurement exercise to establish just how widely we used this alternativer form of congestion signalling.netlab 25.09: IPv6 RA, Link Impairments, and Performance Gains
netlab release 25.09 includes:
- Link impairment (implemented with Linux netem queuing discipline) defined in lab topology or configured/controlled with the netlab tc command
- Configurable IPv6 Router Advertisement parameters
- The files plugin to store the content of short files (including custom configuration templates) directly in the lab topology
- Support for Nokia SR-OS container (SR-SIM)
- Support for very large topologies (tested so far: approximately 3000 lab devices)
But wait, there’s more (as always):