Safeguard
Topic

Container Security

In-depth guides and analysis on container security from the Safeguard engineering team.

283 articles

Container Security

Kubernetes securityContext settings guide

A field-by-field guide to Kubernetes securityContext: which settings stop container breakouts, how to enforce them cluster-wide, and how to audit gaps.

Jun 26, 20266 min read
Container Security

Kubernetes RBAC best practices

RBAC drift and over-broad bindings are the top cause of Kubernetes lateral movement. Six concrete, question-first practices to lock down access before it's exploited.

Jun 26, 20267 min read
Container Security

Kubernetes network policies for zero trust

Kubernetes network policies default to allow-all. Here is how default-deny rules, CNI enforcement, and policy testing build real zero-trust segmentation.

Jun 26, 20267 min read
Container Security

Securing Kubernetes Secrets management

Base64 isn't encryption. Here's how Kubernetes Secrets actually get exposed, and the encryption, RBAC, and rotation controls that fix it.

Jun 25, 20266 min read
Container Security

Kubernetes admission controllers for security

How Kubernetes admission controllers work, why defaults leave clusters exposed, and how Pod Security Admission, OPA Gatekeeper, and Kyverno close the gap.

Jun 25, 20266 min read
Container Security

Lessons from the CNCF Kubernetes security audit

The 2019 CNCF Kubernetes security audit found 37 issues rooted in insecure defaults. Here's what it uncovered and what still applies today.

Jun 25, 20267 min read
Container Security

Runtime security tools for Kubernetes clusters

A concrete look at Kubernetes runtime security tools — Falco, Tetragon, Tracee, eBPF, and recent CVEs — and what to check before you buy one.

Jun 25, 20267 min read
Container Security

Helm chart security scanning

Helm charts can render insecure RBAC, network policies, and default passwords even when the container image itself passes every vulnerability scan cleanly.

Jun 24, 20267 min read
Container Security

Container configuration drift detection at runtime

Container images pass CI clean, but running containers drift within hours via exec sessions, sidecars, and webhooks. Here's how to detect it at runtime.

Jun 24, 20267 min read
Container Security

Detecting vulnerabilities in multi-stage Docker builds

Multi-stage Docker builds hide vulnerabilities, leaked secrets, and untracked dependencies in discarded layers. Here's what final-image scans miss and how to catch it.

Jun 24, 20266 min read
Container Security

Keeping Docker secrets secure without Kubernetes

Docker ships with tmpfs-backed Swarm secrets, BuildKit secret mounts, and Compose file secrets — here's how to use them without Kubernetes.

Jun 24, 20268 min read
Container Security

Container security throughout the SDLC

A clean build-time scan doesn't mean a secure container. Here's why container security has to span code, build, deploy, and runtime — with real CVE examples.

Jun 23, 20267 min read
Container Security (Page 6) — Supply Chain Security Blog | Safeguard