Hello, dear server dweller!

Ivan's here with a double portion of good news 🚀

I'm finally done with the feature work I've planned for 2025 (yep, we're well into 2026 already, I know), and I'm eager to present you with the most recent change that has been 6 months in planning and two full weeks in the work - the new playground & content access plans. This is actually a positive development, so don't throw the email into the bin just yet.

The second piece of good news is all the new learning materials published on iximiuz Labs in January by independent and community authors. The dominating topic is Kubernetes, and the formats range from a fully featured course to bite-sized practical exercises to prepare for CKA/CKAD-style certification. Intrigued? Then read on!

New Plans & Pricing

After way more hacking than I expected, I finally managed to replace the historical all-inclusive Premium plan with two finer-grained plans that are:

• Cheaper and more flexible
• Better reflect the platform's direction

Now you can choose between playground-only, official content-only, and the bundle plans, each at a lower price - something many people have asked about.

The pricing page has also become much more informative - it now outlines a bunch of playground use cases, explains the main formats of the learning materials, has the new "For Authors" and "For Instructors" sections, and more.

The new plans have been available for a few days already, and I tried my best to answer the frequently asked questions.

How are the new Tinkerer and Official Content Pack plans different from the old Premium plan?

The old Premium plan was a special, all-inclusive offer for early adopters of the platform. It unlocked both full playground access and all Official content.

The new Tinkerer + Official Content Pack bundle is the closest equivalent to that historical Premium plan. However, pricing the old Premium plan sustainably proved difficult: every major playground capability (such as persistence) or a major content addition (such as the hands-on Docker roadmap) would have required a price increase.

Over time, many people asked for playground-only and content-only options at a lower price. The new plans solve exactly that problem by offering finer-grained access at a more affordable price, while still allowing you to combine them if you want the full experience via the Bundle product.

Is the Tinkerer plan useful without the Content Pack?

Yes.

A large number of users asked for playground-only access at a lower price. Since the introduction of persistent playgrounds, Tinkerer has become especially helpful for:

• Day-to-day programming and sysadmin practice
• Experimentation and research in safe remote playgrounds
• Running autonomous coding agents in isolated environments

If you primarily need powerful, flexible playgrounds, the Tinkerer plan stands well on its own.

Is the Official Content Pack useful without the Tinkerer plan?

Yes.

Another large group of iximiuz Labs users mainly wanted access to the Official learning materials, either to:

• Practice on their own hardware without paying for playground time
• Stay within the limits of the free playground tier
• Study concepts without needing extended playground capabilities (larger VMs, persistent storage, etc.)

The Content Pack is designed to work independently of the Tinkerer plan.

The Content Pack price seems low. Will it go up?

Yes, eventually.

The current price reflects the Official content collection's current size and maturity. While it's already substantial, it's still far from "complete."

As more Official Challenges, Tutorials, and Roadmaps are added, the price of the Content Pack will increase accordingly - and likely fairly quickly.

Will my subscription price stay the same if I subscribe now?

Yes.

If you subscribe to either the Tinkerer plan or the Official Content Pack, your subscription price is locked in. Your monthly or yearly payments will remain at the price you originally signed up for, including any discount that was active at the time of subscription, even if the regular price goes up later.

This means early subscribers are rewarded for their support, while future price changes apply only to new subscriptions.

Can I switch between the Tinkerer and Official Content Pack plans?

Absolutely.

The two plans are independent and fully complementary. You can:

• Start with one plan
• Add the other later if your needs change

If you end up having both, the total price will always match the best available bundle price.

A typical example: Subscribe to Tinkerer for a year because you use playgrounds daily, then add the Official Content Pack for a month to prepare for an interview.

Will the Official Content Pack give me access to content by independent authors?

The short answer is: maybe.

Independent authors who publish on iximiuz Labs are not paid by the platform. Because of that, access to their content is always the author's decision.

I'll do my best to arrange access for existing Premium members and Official Content Pack holders, but the final call will always rest with the author.

Until iximiuz Labs grows large enough to directly purchase and redistribute third-party content, the platform will continue to scale by attracting independent authors and giving them a direct way to monetize their work.

Best Learning Materials by iximiuz Labs Authors

​My previous email was almost fully dedicated to the UX adjustments I've made to the site to better reflect its new multi-author nature. The rework took me quite a bit of effort, so I couldn't be happier to see all the great publications that followed.

Kubernetes the (Very) Hard Way

A long-awaited course by Márk Sági-Kazár - Kubernetes the (Very) Hard Way - is finally being released on iximiuz Labs. Márk will be dropping a lesson every week until the next KubeCon EU, and the first 3 lessons have already been opened to the public.

The course is a hands-on, step-by-step guide to assembling a Kubernetes cluster from the ground up (without automation), while deeply exploring each component's role and functionality. Think of it as Kelsey Hightower's famous Kubernetes The Hard Way guide, but much deeper and very well-illustrated.

Márk is an independent author who has chosen iximiuz Labs to publish his learning materials, so this course is not a part of the Official content collection. However, Márk generously offers free early access to the course - don't miss it out!

Kubernetes CKA/CKAD-styled Challenges

A hot-off-the-press batch of challenges by Omkar Shelke, a Kubernetes enthusiast and certified CKA & CKAD expert. Most of these challenges have been published literally today, but I've already solved all of them myself, and they are dope - go check them out!

• ​Set ConfigMap Environment Variables in a Pod​
• ​Perform In-Place Updates on a Kubernetes Deployment​
• ​Inspecting and Extracting Kubernetes Kubeconfig Data​
• ​Diagnosing and Fixing DaemonSet Placement Across All Nodes​
• ​Set and Use Secrets in a Kubernetes Deployment​
• ​Bootstrapping Pod Networking with Calico​
• ​Hardening Docker Containers Using gVisor Runtime​
• ​Place One Pod per Node Without Using a DaemonSet​
• ​Launching the Headlamp Kubernetes Dashboard with Helm​
• ​Multi-Container Pod Security Design​
• ​Extracting and Decoding ServiceAccount Token from Kubernetes Secret

And since these are Kubernetes challenges, solving them the visual way via kexp is double fun:

​

Networking / eBPF Programming Series

Last time, Teodor Podobnik showed how to build a NAT-based eBPF load balancer in just 200 lines of C. The problem with NAT-based LBs is that all replies go back through the LB, too. And while requests are often short, replies can be x10-100 times heavier. That means more bandwidth on the LB, and the biggest traffic flowing through the one component you'd least like to bottleneck.

The Direct Server Return (DSR) trick fixes exactly this: requests go through the LB, responses don't.

Building an eBPF-based DSR load balancer is a great way to actually understand both eBPF and how DSR really works at L2, and Teodor's follow-up tutorials cover exactly that:

• ​Building an eBPF/XDP L2 Direct Server Return Load Balancer from Scratch​
• ​Building an eBPF/XDP IP-in-IP Direct Server Return Load Balancer from Scratch​

Kubernetes RCE Vulnerability That Won't Be Patched

​Graham Helton, a red team engineer and security researcher, recently published a disclosure of a Kubernetes vulnerability that allows running arbitrary commands in any pod in a cluster using a common "read-only" RBAC permission (Nodes/Proxy GET). Funnily enough, according to the Kubernetes development team, this behavior is rather by design and would be too hard to change, so a CVE won't be assigned and a fix won't follow.

Draw your own conclusions, but for me, it's yet another reminder that Kubernetes comes at a high ops price, and smaller teams (and especially indie devs) should think twice before spinning up a cluster (even if it's a VPS-scoped K3s).

However, the main reason I'm sharing this is that Graham prepared a shorter version of his disclosure post that focuses specifically on the exploit reproduction, and it's shaped as an iximiuz Labs tutorial - Kubernetes RCE: Exploiting nodes/proxy GET. Now anyone can check for themselves how easy it is to reproduce the reported behavior.

We definitely need more security researchers publishing exploit reproductions as code labs that anyone can run and verify.

In related news...

Building optimal container images has been a recurring theme on the labs, so I couldn't miss the opportunity to highlight an intriguing new project by a long-time community member, Ritvik Arya.

​github.com/rtvkiz/minimal is a free collection of hardened container images built using Chainguard's open-source tooling (Wolfi, apko, and melange). The approach Ritvik follows looks solid and, most importantly, gives a good example of how to use the available open-source tools to produce Chainguard-like hardened container images for free. The project even made it to the Hacker News front page - definitely worth checking if you're into building optimal and secure containers.

Wrapping up

That's it for January. The release of the new plans means I'm finally done with coding (at least for a while), and my focus will shift back to the content work. Brace for the new hands-on Linux and Docker challenges and deep dives! 🚀

Ah, and here is the promised blog post on my agentic coding experience, which I personally consider a grounded take.

Happy hacking!

Cheers

Ivan