kubernetes
Safeguard articles tagged "kubernetes" — guides, analysis, and best practices for software supply chain and application security.
125 articles
Best practices for securing Kubernetes ConfigMaps
ConfigMaps store plaintext in etcd with no size guardrail beyond 1 MiB — teams that drop credentials in them expose secrets to a far bigger RBAC audience.
Container-handling security fundamentals: immutability, signing, and privilege drops
Two runc CVEs, five years apart, both turned root-in-container into root-on-host — proof that container isolation needs backup, not blind trust.
Container security: five best practices for provenance, runtime, and network
A single runc bug (CVE-2024-21626) enabled full container escapes in early 2024 — proof that provenance and network defaults matter as much as image scanning.
Cloud-Native Application Security: Securing the Full Stack in 2026
Cloud-native apps spread risk across code, containers, and infrastructure-as-code. This guide maps the full attack surface and a layered strategy to secure all of it.
eBPF Runtime Security for Kubernetes
eBPF lets you observe and enforce security at the kernel level — every syscall, network connection, and process exec — without kernel modules or instrumenting your apps. Here is how tools like Falco, Tetragon, and Cilium use it to catch what image scanning cannot.
Service Mesh Security: mTLS, Authorization, and Zero Trust
A service mesh can give you mutual TLS between every service, identity-based authorization, and encrypted traffic without touching application code — or it can become an over-privileged proxy layer you never locked down. Here is how to do it right.
Securing Containerized AI Workloads: Base Images, GPU Drivers, and Runtime Policy
A CVSS 9.0 flaw in NVIDIA's Container Toolkit let any GPU container escape to the host — and its first patch didn't fully close it. Here's how to defend AI infrastructure.
Designing Least-Privilege Kubernetes RBAC: A Practical Guide
CVE-2018-1002105 (CVSS 9.8) let an unauthenticated request reach cluster-admin through pod exec endpoints — most RBAC breaches since trace back to the same handful of over-broad bindings.
A hands-on introduction to Rego for Kubernetes admission control
OPA graduated CNCF on January 29, 2021, and Rego v1 became the default syntax in OPA v1.0.0 (Dec 2024) — here's how to write your first admission-control policies.
Kubernetes Admission Controllers for Security
Admission controllers are the policy chokepoint between a validated API request and a running workload. Used well, they enforce your entire security posture. Here is how validating webhooks, Kyverno, OPA, and the new CEL-based policies fit together.
Kubernetes Supply Chain Security: Trusting What You Deploy
The path from a git commit to a running pod crosses a dozen systems, each a place to inject malicious code. Here is how to build a chain of custody Kubernetes will actually verify.
Why You Need a Kubernetes Admission Controller
RBAC decides who can call the Kubernetes API — it has no concept of what a pod spec contains, which is why privileged containers still slip through into clusters every day.