APT41 hits cloud creds, K8s 1.36 drops gitRepo

CiliumCon 2026: BigTCP for UDP Tunnels, Tetragon Memory Fixes, Hubble 1.19 Aggregation

  • BigTCP is being extended to UDP tunnels — the dominant Cilium deployment mode (Geneve/VXLAN) — via a new kernel patch from Isovalent. The same superpacket aggregation up to 512 KB that already applies to TCP will cover encapsulated pod-to-pod traffic. Expected in the next Linux kernel release with Cilium integration to follow; measured 30–50% throughput improvement.
  • A Cilium Data Path Plugins proposal (Jordan, Google) would allow injecting custom eBPF programs before or after Cilium's own host data path programs — enabling custom transport proxies and observability extensions without forking Cilium. Still proposal stage, not yet merged.
  • SUSE engineers fixed a Tetragon BPF map memory regression: every kprobe policy was allocating a sock_trap map of 32,000 entries (~3 MB) even when socket tracking was never used. The fix defaults sock_trap to max_entries=1 in BPF, sized up only when track_sock actions are present in the policy. At 200 workloads per node, this recovers ~600 MB of kernel memory. Already merged.
  • Cilium 1.19 ships Hubble flow aggregation: repeated flows with identical identity, port, protocol, and verdict are collapsed into a single entry over a configurable window. Production clusters measure ~45% log volume reduction (synthetic workloads: 62–73%). aggregate config takes precedence over field_mask when both are set; avoid high-cardinality fields (source IPs, source ports) as aggregation keys or gains disappear.
  • For Cilium 1.19+, MCS API is now the recommended approach over global service annotations for Cluster Mesh load balancing — ServiceImport auto-creates in all connected clusters including those with no local pods, eliminating the need for dummy service objects. Migrate by creating ServiceExport resources and switching to the cluster-set.local FQDN.
  • A new alpha feature allows the Cilium data plane to notify operators when a zero-replica service receives traffic — triggering scale-back without polling — described at the CiliumCon lightning talk. Complements KEDA and the HPA Scale-to-Zero promotion landing in Kubernetes v1.36.
  • eTraveli Group (hundreds of millions of flight searches/day) replaced proprietary ASIC-based LB appliances with Cilium BGP + Gateway API across three OpenStack DCs — deploying active-active ECMP by advertising the same LB CIDR from all nodes to DC routers, with the Cilium operator managing Gateway and Envoy config. The architecture bottleneck was always the appliance model, not packet processing throughput.
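The Hubble 1.19 aggregation item above comes with a caveat worth seeing in numbers: gains depend entirely on the choice of aggregation keys. The following is an added illustration written for this briefing, not Hubble or Cilium code; the flow record layout, the window semantics (a bucket is closed once the window has elapsed since its first flow), and the sample flows are all constructed to show the effect of adding source IP or source port to the key.

```python
"""Window-based flow aggregation in the spirit of Hubble 1.19.

Added illustration, not Cilium/Hubble code: field names, window semantics
and the sample flows below are assumptions/constructed for this example.
"""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float           # seconds since epoch (constructed)
    src_identity: int   # Cilium security identity of the source endpoint
    dst_identity: int   # identity of the destination endpoint
    src_ip: str
    src_port: int
    dst_port: int
    protocol: str       # "TCP" / "UDP"
    verdict: str        # "FORWARDED" / "DROPPED"


# Low-cardinality keys: identity, destination port, protocol, verdict.
DEFAULT_KEYS = ("src_identity", "dst_identity", "dst_port", "protocol", "verdict")


def aggregate(flows, keys=DEFAULT_KEYS, window=10.0):
    """Collapse flows sharing the key fields within a time window.

    Returns a list of (key_tuple, count, first_ts, last_ts). A bucket is
    closed and a fresh one opened when a flow arrives `window` seconds or
    more after the bucket's first flow.
    """
    buckets = OrderedDict()
    out = []
    for f in sorted(flows, key=lambda x: x.ts):
        k = tuple(getattr(f, name) for name in keys)
        entry = buckets.get(k)
        if entry is None or f.ts - entry["first"] >= window:
            if entry is not None:
                out.append((k, entry["count"], entry["first"], entry["last"]))
            buckets[k] = {"count": 1, "first": f.ts, "last": f.ts}
        else:
            entry["count"] += 1
            entry["last"] = f.ts
    for k, entry in buckets.items():
        out.append((k, entry["count"], entry["first"], entry["last"]))
    return out


def reduction(flows, keys=DEFAULT_KEYS, window=10.0):
    """Fraction of flow records removed by aggregation (0.0 .. 1.0)."""
    return 1 - len(aggregate(flows, keys, window)) / len(flows)


def sample_flows():
    """Constructed sample: 20 HTTP requests from 4 pods sharing identity 1001
    to identity 2002 on port 80, plus 2 dropped attempts to port 22."""
    flows = []
    for i in range(20):
        flows.append(Flow(ts=100 + i * 0.5, src_identity=1001, dst_identity=2002,
                          src_ip=f"10.0.1.{i % 4 + 10}", src_port=40000 + i,
                          dst_port=80, protocol="TCP", verdict="FORWARDED"))
    for i in range(2):
        flows.append(Flow(ts=100 + i, src_identity=1001, dst_identity=2002,
                          src_ip="10.0.1.10", src_port=41000 + i,
                          dst_port=22, protocol="TCP", verdict="DROPPED"))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    for keys in (DEFAULT_KEYS, DEFAULT_KEYS + ("src_ip",), DEFAULT_KEYS + ("src_port",)):
        print(f"{keys[-1]:>12}: {len(aggregate(flows, keys))} records, "
              f"{reduction(flows, keys):.0%} reduction")
```

With the default keys the 22 constructed flows collapse to 2 records; adding source IP to the key leaves 5, and adding source port leaves all 22 untouched, which is the "gains disappear" case the 1.19 notes warn about.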

Terraform v1.15.0-rc1: Variables in Module Sources, New deprecated and convert()

  • Terraform v1.15.0-rc1 released April 9. Variables and locals in module source and version attributes are now supported (source = var.module_path) — eliminating separate module copies per environment and enabling dynamic module composition. Most CLI commands now accept variable values as part of this change.
  • A new deprecated attribute on variable and output blocks emits warnings at plan/apply time when deprecated inputs are passed or deprecated outputs referenced — enabling gradual module API evolution without silent breakage.
  • New convert() function allows inline type conversions (convert(var.value, string)); output blocks now accept explicit type constraints — adding compile-time type safety to module interfaces.
  • terraform validate now validates the backend block: verifies backend type exists, all required attributes are present, and the backend's own validation passes. Previously, validate skipped backend configuration entirely.
  • S3 backend gains aws login auth support for credential-less configuration via AWS Identity Center flows. Breaking change: AWS_USE_FIPS_ENDPOINT and AWS_USE_DUALSTACK_ENDPOINT now accept only true/false, not any non-empty string — aligns with the AWS SDK for Go.

Kubernetes v1.36 Stable: April 22 Target, HPA Scale-to-Zero, gitRepo Deleted

  • Kubernetes v1.36 stable is targeted for April 22, 2026. Items beyond the rc.0 coverage in Issue #4: HPA Scale-to-Zero is promoted — idle becomes a valid HPA-managed state for event-driven workloads; UserNamespacesSupport reaches GA, mapping root-in-container to an unprivileged host UID (significant for multi-tenant cluster security); Suspended Jobs can now have node selectors and resource requests modified in-place without recreation.
  • gitRepo volume type is permanently removed in v1.36 — pods referencing it will fail at scheduling with unknown volume type: gitRepo. Migration: move to init containers with git clone or bake repository content into images at CI time. FlexVolume support is also removed from kubeadm.

LF/CNCF Slack Phishing Campaign; APT41 ELF Backdoor Targets Cloud Credentials

  • An attacker impersonating a Linux Foundation official in Slack targeted CNCF and TODO project developers — sending DMs with a link to a Google Sites page mimicking Google Workspace sign-in that installs a fake root certificate. On macOS it executes a gapi binary from IP 2.26.97.61; on Windows it prompts a browser certificate install dialog. Installing the cert enables MITM on all encrypted traffic. OpenSSF CTO Christopher Robinson issued a security advisory April 7 and confirmed multiple LF projects have faced similar campaigns in recent months. Remediation: disconnect from network, remove newly installed certificates, revoke all active sessions and tokens, rotate all credentials.
  • APT41 (Winnti/Brass Typhoon) deployed a new ELF backdoor with zero VirusTotal detections targeting Linux cloud workloads — probing the IMDS endpoint (169.254.169.254) to exfiltrate temporary AWS/GCP/Azure/Alibaba credentials. C2 uses SMTP port 25, which is under-monitored in most cloud egress rules. Mitigations: block outbound port 25 from non-mail workloads, enforce IMDSv2 on AWS (token-based requests block simple SSRF-style IMDS probing), enable CloudTrail/Audit Log alerts for credential usage from unexpected source IPs.
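Two of the mitigations above (watching for SMTP egress from workloads that have no business sending mail, and enforcing IMDSv2) can be checked mechanically. The script below is an added example written for this briefing, not code from the reporting on the APT41 campaign: the VPC Flow Log lines and the instance records are constructed, the VPC CIDR and the allowlist of mail-sending ENIs are assumptions, and the instance records only mirror the MetadataOptions shape returned by ec2 describe-instances.

```python
"""Defender-side checks for the IMDS credential-theft pattern.

Added example, not from the APT41 reporting. Constructed inputs:
VPC Flow Log lines (default v2 field order) and instance records shaped
like the MetadataOptions block of `aws ec2 describe-instances`.
VPC_CIDR and MAIL_ENIS are assumptions for this example.
"""
from ipaddress import ip_address, ip_network

# Default VPC Flow Log (version 2) field order, space-separated.
FLOW_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log_status")

VPC_CIDR = ip_network("10.0.0.0/16")        # assumption: the VPC's address space
MAIL_ENIS = {"eni-0mail000000000001"}       # assumption: ENIs of sanctioned MTAs


def parse_flow_log(line):
    """Parse one default-format flow log line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        return None
    return dict(zip(FLOW_FIELDS, parts))


def suspicious_smtp_egress(lines):
    """Records where a non-mail workload inside the VPC opened TCP/25 to an
    address outside the VPC and the traffic was ACCEPTed (i.e. the egress
    rule recommended above is not yet in place for that workload)."""
    hits = []
    for line in lines:
        rec = parse_flow_log(line)
        if rec is None or rec["log_status"] != "OK":
            continue
        if rec["action"] != "ACCEPT" or rec["protocol"] != "6" or rec["dstport"] != "25":
            continue
        src, dst = ip_address(rec["srcaddr"]), ip_address(rec["dstaddr"])
        if src not in VPC_CIDR or dst in VPC_CIDR:
            continue  # only internal -> external connections are of interest
        if rec["interface_id"] in MAIL_ENIS:
            continue  # sanctioned mail relay
        hits.append(rec)
    return hits


def imdsv1_allowed(instances):
    """Instance IDs whose metadata endpoint is enabled but does not require a
    session token, i.e. IMDSv1-style GET probing of 169.254.169.254 still works."""
    return [i["InstanceId"] for i in instances
            if i["MetadataOptions"].get("HttpEndpoint", "enabled") == "enabled"
            and i["MetadataOptions"].get("HttpTokens") != "required"]


SAMPLE_FLOW_LINES = [  # constructed
    "2 123456789012 eni-0web0000000000001 10.0.1.15 198.51.100.9 51234 25 6 12 2400 1712650000 1712650060 ACCEPT OK",
    "2 123456789012 eni-0mail000000000001 10.0.2.5 198.51.100.9 51235 25 6 40 9000 1712650000 1712650060 ACCEPT OK",
    "2 123456789012 eni-0web0000000000001 10.0.1.15 198.51.100.9 51236 25 6 3 180 1712650000 1712650060 REJECT OK",
    "2 123456789012 eni-0web0000000000001 10.0.1.15 10.0.3.8 51237 25 6 3 180 1712650000 1712650060 ACCEPT OK",
    "2 123456789012 eni-0web0000000000001 10.0.1.15 203.0.113.20 51238 443 6 30 6000 1712650000 1712650060 ACCEPT OK",
]

SAMPLE_INSTANCES = [  # constructed, mirroring describe-instances MetadataOptions
    {"InstanceId": "i-0aaa", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbb", "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ccc", "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
]


if __name__ == "__main__":
    for rec in suspicious_smtp_egress(SAMPLE_FLOW_LINES):
        print("TCP/25 egress from non-mail ENI", rec["interface_id"],
              rec["srcaddr"], "->", rec["dstaddr"])
    print("IMDSv1 still allowed on:", imdsv1_allowed(SAMPLE_INSTANCES))
```

On the constructed input only the web-tier ENI's accepted connection to an external host on port 25 is flagged; the sanctioned relay, the rejected attempt, the internal destination and the HTTPS flow are ignored. Instances listed by imdsv1_allowed are the ones to fix with `aws ec2 modify-instance-metadata-options --http-tokens required`, after which token-less GET requests to the metadata endpoint are refused.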
