Show HN: Amber – better Beeper, a modern all-in-one messenger (useamber.app)

3 points by DmitryDolgopolo 2m ago 0 comments

Astro: Production Ready middleware using ports and adapters (lorenstew.art)

1 points by lorenstewart 2m ago 0 comments

Call of Duty live-action film announced (cnbc.com)

1 points by leopoldj 3m ago 0 comments

The Kafka Replication Protocol with KIP-966 (github.com)

1 points by tanelpoder 3m ago 0 comments

Apertus 8B and 70B – a new open multilingual LLM from Switzerland (actu.epfl.ch)

1 points by mseri 3m ago 0 comments

OpenAI Acquires Statsig for $1.1B (bloomberg.com)

2 points by jshchnz 7m ago 0 comments

The Rise of the Traveling Third Space (thechow.net)

1 points by colinprince 8m ago 0 comments

Frontiersman Davy Crockett Became an Unlikely American Hero (smithsonianmag.com)

2 points by noleary 9m ago 0 comments

I Started Talking to My Computer Instead of Typing. It Changed How I Think (every.to)

1 points by colinprince 10m ago 0 comments

R&D behind hacking agents (medium.com)

1 points by danieltk76 10m ago 0 comments

Tipsto.me Modern Link in Bio with instant tips/donations (tipsto.me)

1 points by dougmnuel 10m ago 1 comments

A gentle introduction to CP/M (eerielinux.wordpress.com)

2 points by naves 11m ago 0 comments

Detail about Linkity Link (bradbarrish.com)

1 points by colinprince 12m ago 0 comments

How Fining Elon Musk's X Could Threaten the U.S.-E.U. Trade Deal (nytimes.com)

1 points by saubeidl 13m ago 0 comments

Epic Scale makes development teams faster (epicscale.ai)

1 points by collibhoy 13m ago 1 comments

PHP Is 30 (kieranpotts.com)

1 points by zdw 15m ago 0 comments

Therapists are using ChatGPT. Clients are triggered (technologyreview.com)

1 points by 01-_- 16m ago 1 comments

Beforeit.jl – Behavioural agent-based economic forecasting (github.com)

1 points by ofrzeta 17m ago 0 comments

The MCP Neuron (jontysinai.github.io)

1 points by benjacksondev 19m ago 0 comments

New comment UI experiment graduation (meta.stackoverflow.com)

1 points by croemer 19m ago 0 comments

The first reviews of the Nvidia Jetson AGX Thor developer kit (techradar.com)

1 points by 01-_- 19m ago 0 comments

The Less You Know About AI, the More You Are Likely to Use It (wsj.com)

1 points by voxadam 20m ago 1 comments

Transient Lunar Phenomenon (en.wikipedia.org)

1 points by IAmGraydon 21m ago 0 comments

No suffering, no death, no limits: the nanobots pipe dream (aeon.co)

2 points by FromTheArchives 22m ago 0 comments

Switzerland launches transparent ChatGPT alternative (swissinfo.ch)

3 points by sschueller 23m ago 0 comments

Statsig Is Joining OpenAI (statsig.com)

3 points by wxw 23m ago 0 comments

LA28 to break longstanding tradition with corporate venue names at Games (theguardian.com)

2 points by PaulHoule 28m ago 0 comments

Microsoft VLDB 2025 (harsha-simhadri.org)

1 points by fzliu 29m ago 0 comments

Mastodon is not decentralized · Victor Wynne (victorwynne.com)

1 points by janandonly 31m ago 0 comments

Dynamic Map: Major Trading Partner (rayh-1.github.io)

1 points by FromTheArchives 31m ago 0 comments

OpenAI: Vijaye Raji to Become CTO of Applications with Acquisition of Statsig (openai.com)

7 points by tosh 32m ago 0 comments

Ask HN: Is Gmail changing the wording on your left-menu choices?

1 points by MilnerRoute 35m ago 0 comments

Our love letter to Internet Relay Chat [video] (youtube.com)

1 points by zdw 35m ago 0 comments

Beef Heating Visualization (conradgodfrey.com)

1 points by gregsadetsky 35m ago 0 comments

Current Solar Images All-in-One Page (mw.rat.bz)

1 points by speckx 36m ago 0 comments

ICE obtains access to Israeli-made spyware that hack phones and encrypted apps (theguardian.com)

27 points by pera 38m ago 3 comments

Why everything has gotten harder (greyenlightenment.com)

2 points by paulpauper 39m ago 0 comments

OpenAI acquires Statsig (theverge.com)

12 points by gregdoesit 42m ago 0 comments

Physically based rendering from first principles (imadr.me)

4 points by imadr 43m ago 0 comments

In Protest, He Turned the Camera on China's Surveillance State (nytimes.com)

3 points by mikhael 45m ago 1 comments

Gen Z are dipping into their retirements, skipping meals and selling belongings (fortune.com)

4 points by paulpauper 45m ago 2 comments

Croissant - rss reader pwa (croissantrss.com)

1 points by ulrischa 46m ago 0 comments

Gen Zers are jobless–and unemployment is mainly affecting men (fortune.com)

3 points by paulpauper 46m ago 1 comments

Free Course: Learn to Build Data Apps with Streamlit (arilamstein.com)

2 points by arilamstein 46m ago 1 comments

Germany's far-right AfD suffers series of candidate deaths ahead of local vote (bbc.com)

4 points by xdfg13345 47m ago 0 comments

I sent my suicide letter to ChatGPT. It saved my life (freedium.cfd)

2 points by 1gn15 47m ago 0 comments

In Support of Shitty Types (lucumr.pocoo.org)

2 points by pykello 48m ago 0 comments

Qiddiya Acquires Evolution Championship Series Organizer RTS (esportsadvocate.net)

1 points by mikhael 48m ago 0 comments

Center for Digital Sovereignty: German Zentrum Digitale Souveränität (zendis.de)

1 points by ulrischa 48m ago 0 comments

Tesla's fourth 'Master Plan' reads like LLM-generated nonsense (techcrunch.com)

7 points by cavinquill 51m ago 0 comments

How do you handle JDK/JRE patch updates for Java apps on K8s?

6 bgalek 3 9/2/2025, 10:59:57 AM

I’m curious how people running Java workloads on Kubernetes handle JDK/JRE updates and security patches without rebuilding every app image.

Background: in Mesos (https://en.wikipedia.org/wiki/Apache_Mesos) times, we used to keep the JDK on the runner nodes. When a CVE or patch came out, we updated the host JDK, and all apps picked it up. That was convenient for fast security rollouts. On k8s, almost everyone I see bakes the JDK into the container image, which means: new JDK → rebuild base image → rebuild app images (or at least rebuild base) → push → roll out. That is reliable and reproducible, but it is impossible to update the JDK version for, for example, 2000 apps quickly.

Questions I have for people who run Java on k8s at scale:

Do you rebuild images for every JDK patch?

If so, how do you keep the pipeline fast/automated?

What approaches we talked about (still looking for something better):

- Rebuild images on every JDK patch (CI pipeline that automatically bumps base image + rebuilds): reproducible but heavy and slow.

- Host-provided JDK (like Mesos) via hostPath or a shared volume (every path version must be available): fast patches, but brittle (node drift, version chaos between k8s nodes, less reproducible, potential security/permission problems).

- Base, standard image for all java apps (alpine+java) that our platform updates and init container downloading user app on startup, so that we can update it in the background.

- Sidecar or init-container that places a JDK into a shared volume, and the app container uses that volume: mutable runtime without rebuilding images — how well does this work in practice?

Comments (3)

comprev · 3h ago

A patch is a change and for changes to be deployed they must go through the pipelines.

The new images are then rolled out in exactly the same controlled manner as any other new release.

SamInTheShell · 6h ago

Java is the worse language to deal with in Kubernetes. You might want to look into Quarkus. I’m of the opinion that ditching Java for Go is better if possible.

0x54MUR41 · 1h ago

Why did you say so? Do you mind to elaborate more?