kubernetes-security
Safeguard articles tagged "kubernetes-security" — guides, analysis, and best practices for software supply chain and application security.
125 articles
Containers Running in Privileged Mode: Risks and Fixes
Docker's --privileged flag strips seccomp, AppArmor, and capability limits in one line. Here's how attackers exploit it, real CVEs, and how to lock it down.
CVE-2024-21626: runc process.cwd Container Breakout Deep ...
A technical breakdown of CVE-2024-21626, the runc process.cwd() flaw enabling container breakout to host access, with detection and remediation guidance.
How Snyk Container integrates with Kubernetes workloads f...
How Snyk Container's Kubernetes integration uses a read-only controller to continuously re-check running workload images as new CVEs are disclosed.
How image digest pinning strengthens container supply cha...
How SHA-256 image digests, unlike mutable tags, anchor Snyk container scans to the exact artifact that ships—and why that distinction matters for supply chain integrity.
How Snyk IaC scans Kubernetes manifests and Helm charts f...
A technical walkthrough of how Snyk IaC parses Kubernetes manifests, renders Helm charts, and checks them against CIS benchmarks before deployment.
How Snyk IaC's admission-time Kubernetes scanning differs...
How Snyk IaC's static manifest scanning, the Snyk Controller's in-cluster monitoring, and true Kubernetes admission control mechanically differ — and why the gap between them matters.
Container Security Testing Methods, Compared
Image scanning, runtime monitoring, and configuration auditing all count as container security testing, but they catch different things at different stages — here's how to combine them.
Why Cloud Security Ownership Keeps Falling Into the Gap B...
Misconfigurations sit unpatched for months because three teams each assume someone else owns them. Here's why the cloud security ownership gap keeps widening.
The Real Trade-Off Between Deployment Speed and Cloud Sec...
Deployment speed and cloud security maturity aren't opposites. Real breaches trace to blind spots, not velocity — here's what the data actually shows engineering leaders.
Kubernetes RBAC Sprawl and Why It's Rarely Audited
Kubernetes RBAC grows faster than anyone tracks it, and there's no built-in tool to audit it. Here's why sprawl happens and what a real audit checks.
Why Ephemeral Infrastructure Makes Traditional Vulnerabil...
Containers now live for minutes, not months. Here's why periodic vulnerability scanning can't see ephemeral infrastructure — and what actually closes the gap.
Sidecar Proxies and the Expanding Attack Surface of Servi...
Sidecar proxies like Envoy quietly double your cluster's attack surface. Real CVEs from 2023–2024 show how mesh sidecars get exploited — and how to actually secure them.