Container Security
In-depth guides and analysis on container security from the Safeguard engineering team.
283 articles
CRI-O vs containerd: Security Comparison
Both are CNCF graduated runtimes. Both run production clusters. Their security properties diverge in ways that matter for hardened environments.
Rancher Cluster Security Hardening
Rancher is the distribution that runs when your Kubernetes is neither EKS nor OpenShift. Hardening it well is specific work.
Azure Container Registry Trust Model
What Azure Container Registry actually guarantees about the images you pull — signing, attestation, content trust, and where the trust chain breaks in practice.
AWS ECR Image Signing in Production
Image signing in ECR has moved from nice-to-have to table stakes. Here is what it actually takes to run cosign and AWS Signer in production without breaking every deploy.
External Secrets Operator: A Kubernetes Guide
A senior engineer's walkthrough of External Secrets Operator, covering architecture, SecretStore design, rotation, and the patterns that hold up in production.
Firecracker micro-VM Security Model
AWS built Firecracker to run Lambda. The security model is the entire value proposition, and it holds up under scrutiny.
How to Sign Container Images With Cosign: A Complete Guide
A practical walkthrough for signing container images with Cosign using keyless OIDC, verifying signatures, and enforcing policy in your Kubernetes cluster.
containerd Security Configuration Guide
containerd runs most of Kubernetes today. Its defaults are reasonable, but reasonable is not hardened. Here is how to close the gaps.
BuildKit Cache Security Considerations for Container Builds
BuildKit's caching is what makes container builds fast. It is also a potential vector for cache poisoning attacks if not properly secured.
Kubernetes Network Policies: The Supply Chain Angle
Network policies are usually framed as a zero-trust tool. They are also one of the best defenses against a compromised dependency.
GCP Cloud Run Supply Chain Security
A practical playbook for protecting the supply chain of services running on Cloud Run: image provenance, Binary Authorization, runtime identity, and the gaps the default configuration leaves wide open.
Wolfi OS: The Linux Distribution Built for Secure Containers
Wolfi is not a general-purpose Linux distro. It exists to solve one problem: provide secure, minimal, up-to-date packages for container images. Here is why that matters and how to use it.