kubernetes-security
Safeguard articles tagged "kubernetes-security" — guides, analysis, and best practices for software supply chain and application security.
125 articles
Container escape techniques and defense in depth
CVE-2024-21626 let a leaked file descriptor turn runc exec into host root. Here's how container escapes actually work — and the layers that stop them.
Default-deny NetworkPolicy: closing the pod-to-pod gap in Kubernetes
Kubernetes pods allow all traffic by default, and many clusters' NetworkPolicy YAML silently does nothing because the CNI plugin never enforces it.
Native Secrets, Sealed Secrets, or Vault: Picking a Kubernetes Secrets Strategy
Kubernetes Secrets are base64-encoded, not encrypted — etcd stores them near-plaintext unless you configure encryption at rest yourself.
TLS termination and cert-manager: a hardening guide for Kubernetes Ingress
IngressNightmare's CVSS 9.8 RCE showed that ingress-nginx's own admission webhook can be turned against cluster Secrets — here's how to configure TLS safely.
Broken object-level authorization in Kubernetes integrations: CVE-2023-1065
One leaked Integration ID was enough to pollute a Snyk customer's findings — CVE-2023-1065 shows why possession of an identifier is not authorization.
A practical guide to least privilege in Kubernetes RBAC
One RBAC flaw, CVE-2018-1002105 (CVSS 9.8), let any authenticated user escalate to cluster-admin — here's how to actually scope roles so that never happens again.
Securing the Argo CD to Kubernetes GitOps Pipeline
One symlinked Helm values file (CVE-2022-24348, CVSS 7.7) let attackers read secrets across Argo CD tenants — GitOps trust needs hardening, not just adoption.
Falco vs. Tetragon vs. Tracee: choosing a Kubernetes runtime security tool
Falco graduated CNCF in February 2024, Tetragon enforces in-kernel, and Tracee ships 330+ prebuilt eBPF detections — here's when each one actually wins.
Running Multiple Custom Controllers Without RBAC or CRD Collisions
Kubernetes CRDs are singletons by group and kind, and RBAC has no tenant concept — two facts that quietly break most multi-controller clusters.
Writing Rego policies for Kubernetes admission control and CI gates
Open Policy Agent graduated CNCF on Jan 29, 2021 — yet most teams still ship Rego with no default-deny, turning a policy gate into a rubber stamp.
Container and Kubernetes scanning in agent-driven DevOps, without new trust boundaries
Autonomous agents that rebuild and redeploy containers can patch a CVE in under an hour — or become a new privileged path to production if scanning isn't gated.
Container Runtime Security Monitoring: Catching the Breach in Progress
Scanning tells you what could go wrong before deploy. Runtime monitoring tells you what is going wrong right now. Here is how to detect container attacks as they happen.