kubernetes-security
Safeguard articles tagged "kubernetes-security" — guides, analysis, and best practices for software supply chain and application security.
125 articles
Defense-in-depth for a modern cloud-native application stack
Log4Shell and the XZ backdoor were caught two different ways — one by patching, one by a developer noticing 500ms of extra SSH latency. Neither alone is a strategy.
The GitOps security model: risks and controls
GitOps turns a Git repo into a deploy button — Argo CD's own CVE-2022-24348 path traversal proved what happens when that button isn't locked down.
Implementing mTLS in Kubernetes clusters: a hands-on guide
Kubernetes ships zero built-in encryption for pod-to-pod traffic — here's how cert-manager and service meshes fix that, and the five misconfigurations that quietly undo it.
Rego for security engineers: a beginner's guide to OPA policy
Rego graduated from Styra research project to a CNCF-graduated standard in under five years. Here's how to write your first real OPA/Conftest policy.
Hardening Amazon EKS With Native AWS Controls
AWS secures the EKS control plane and etcd — everything else, from IAM to security groups to node OS patching, is on you under the shared responsibility model.
Securing Managed Kubernetes: EKS, AKS, and GKE Compared
A cross-cloud guide to hardening managed Kubernetes — the shared responsibility line, cloud IAM-to-pod integration, network policy, Pod Security Standards, and node hardening across EKS, AKS, and GKE.
Kubernetes RBAC Security: Least Privilege That Actually Holds
Wildcard verbs, cluster-admin bindings, and forgotten service account tokens turn RBAC into a rubber stamp. Here is how to design roles that contain a breach instead of amplifying it.
Best Kubernetes Security Tools in 2026: A Buyer's Guide
A balanced buyer's guide to the best Kubernetes security tools in 2026 — Aqua, Sysdig, Falco, Kubescape, Trivy, and Wiz — covering image scanning, admission control, runtime detection, and KSPM, plus where Safeguard fits.
Docker Security Pro Tips: Hardening Beyond the Basics
You already use a non-root user and a slim base. These are the pro-level Docker hardening tips — read-only filesystems, dropped capabilities, and the docker.sock trap — that actually stop breakouts.
Kubernetes Security Best Practices for 2026
A default Kubernetes cluster trusts too much: root pods, flat networking, and readable secrets. Here are the hardening practices that actually move the needle in 2026.
Container isolation with namespaces, cgroups, and seccomp
Namespaces, cgroups, and seccomp each isolate a different layer of a container — and a single misconfigured one, like CVE-2024-21626 showed, breaks all three.
Kubernetes Pod Security Standards explained
A breakdown of Kubernetes' Privileged, Baseline, and Restricted Pod Security Standards, how they replaced PodSecurityPolicy, and where enforcement typically fails.