Kubernetes Security
In-depth guides and analysis on kubernetes security from the Safeguard engineering team.
22 articles
Default-deny NetworkPolicy: closing the pod-to-pod gap in Kubernetes
Kubernetes pods allow all traffic by default, and many clusters' NetworkPolicy YAML silently does nothing because the CNI plugin never enforces it.
Native Secrets, Sealed Secrets, or Vault: Picking a Kubernetes Secrets Strategy
Kubernetes Secrets are base64-encoded, not encrypted — etcd stores them near-plaintext unless you configure encryption at rest yourself.
TLS termination and cert-manager: a hardening guide for Kubernetes Ingress
IngressNightmare's CVSS 9.8 RCE showed that ingress-nginx's own admission webhook can be turned against cluster Secrets — here's how to configure TLS safely.
Broken object-level authorization in Kubernetes integrations: CVE-2023-1065
One leaked Integration ID was enough to pollute a Snyk customer's findings — CVE-2023-1065 shows why possession of an identifier is not authorization.
A practical guide to least privilege in Kubernetes RBAC
One RBAC flaw, CVE-2018-1002105 (CVSS 9.8), let any authenticated user escalate to cluster-admin — here's how to actually scope roles so that never happens again.
Best practices for securing Kubernetes ConfigMaps
ConfigMaps store plaintext in etcd with no size guardrail beyond 1 MiB — teams that drop credentials in them expose secrets to a far bigger RBAC audience.
Securing the Argo CD to Kubernetes GitOps Pipeline
One symlinked Helm values file (CVE-2022-24348, CVSS 7.7) let attackers read secrets across Argo CD tenants — GitOps trust needs hardening, not just adoption.
Falco vs. Tetragon vs. Tracee: choosing a Kubernetes runtime security tool
Falco graduated CNCF in February 2024, Tetragon enforces in-kernel, and Tracee ships 330+ prebuilt eBPF detections — here's when each one actually wins.
Running Multiple Custom Controllers Without RBAC or CRD Collisions
Kubernetes CRDs are singletons by group and kind, and RBAC has no tenant concept — two facts that quietly break most multi-controller clusters.
Container and Kubernetes scanning in agent-driven DevOps, without new trust boundaries
Autonomous agents that rebuild and redeploy containers can patch a CVE in under an hour — or become a new privileged path to production if scanning isn't gated.
Implementing mTLS in Kubernetes clusters: a hands-on guide
Kubernetes ships zero built-in encryption for pod-to-pod traffic — here's how cert-manager and service meshes fix that, and the five misconfigurations that quietly undo it.
Designing Least-Privilege Kubernetes RBAC: A Practical Guide
CVE-2018-1002105 (CVSS 9.8) let an unauthenticated request reach cluster-admin through pod exec endpoints — most RBAC breaches since trace back to the same handful of over-broad bindings.