Safeguard
Tag

kubernetes-security

Safeguard articles tagged "kubernetes-security" — guides, analysis, and best practices for software supply chain and application security.

125 articles

Container Security

Container escape techniques and defense in depth

CVE-2024-21626 let a leaked file descriptor turn runc exec into host root. Here's how container escapes actually work — and the layers that stop them.

Jul 15, 20266 min read
Kubernetes Security

Default-deny NetworkPolicy: closing the pod-to-pod gap in Kubernetes

Kubernetes pods allow all traffic by default, and many clusters' NetworkPolicy YAML silently does nothing because the CNI plugin never enforces it.

Jul 15, 20266 min read
Kubernetes Security

Native Secrets, Sealed Secrets, or Vault: Picking a Kubernetes Secrets Strategy

Kubernetes Secrets are base64-encoded, not encrypted — etcd stores them near-plaintext unless you configure encryption at rest yourself.

Jul 15, 20266 min read
Kubernetes Security

TLS termination and cert-manager: a hardening guide for Kubernetes Ingress

IngressNightmare's CVSS 9.8 RCE showed that ingress-nginx's own admission webhook can be turned against cluster Secrets — here's how to configure TLS safely.

Jul 15, 20267 min read
Kubernetes Security

Broken object-level authorization in Kubernetes integrations: CVE-2023-1065

One leaked Integration ID was enough to pollute a Snyk customer's findings — CVE-2023-1065 shows why possession of an identifier is not authorization.

Jul 14, 20266 min read
Kubernetes Security

A practical guide to least privilege in Kubernetes RBAC

One RBAC flaw, CVE-2018-1002105 (CVSS 9.8), let any authenticated user escalate to cluster-admin — here's how to actually scope roles so that never happens again.

Jul 13, 20266 min read
Kubernetes Security

Securing the Argo CD to Kubernetes GitOps Pipeline

One symlinked Helm values file (CVE-2022-24348, CVSS 7.7) let attackers read secrets across Argo CD tenants — GitOps trust needs hardening, not just adoption.

Jul 12, 20266 min read
Kubernetes Security

Falco vs. Tetragon vs. Tracee: choosing a Kubernetes runtime security tool

Falco graduated CNCF in February 2024, Tetragon enforces in-kernel, and Tracee ships 330+ prebuilt eBPF detections — here's when each one actually wins.

Jul 11, 20267 min read
Kubernetes Security

Running Multiple Custom Controllers Without RBAC or CRD Collisions

Kubernetes CRDs are singletons by group and kind, and RBAC has no tenant concept — two facts that quietly break most multi-controller clusters.

Jul 11, 20268 min read
DevSecOps

Writing Rego policies for Kubernetes admission control and CI gates

Open Policy Agent graduated CNCF on Jan 29, 2021 — yet most teams still ship Rego with no default-deny, turning a policy gate into a rubber stamp.

Jul 11, 20268 min read
Kubernetes Security

Container and Kubernetes scanning in agent-driven DevOps, without new trust boundaries

Autonomous agents that rebuild and redeploy containers can patch a CVE in under an hour — or become a new privileged path to production if scanning isn't gated.

Jul 10, 20267 min read
Container Security

Container Runtime Security Monitoring: Catching the Breach in Progress

Scanning tells you what could go wrong before deploy. Runtime monitoring tells you what is going wrong right now. Here is how to detect container attacks as they happen.

Jul 8, 20265 min read
kubernetes-security — Safeguard Blog