kubernetes-security
Safeguard articles tagged "kubernetes-security" — guides, analysis, and best practices for software supply chain and application security.
125 articles
How to encrypt Kubernetes secrets at rest
A step-by-step guide to encrypting Kubernetes secrets at rest: choosing a KMS provider, configuring etcd encryption, re-encrypting existing secrets, and verifying it worked.
How to automate TLS certificates with Let's Encrypt
A step-by-step guide to automating TLS certificates with Let's Encrypt using certbot and cert-manager, plus verification steps so renewals never silently fail.
How to set up OPA Gatekeeper for Kubernetes admission con...
A step-by-step guide to OPA Gatekeeper Kubernetes admission control: install, write constraint templates, roll out safely, and verify enforcement.
What is Admission Control (Kubernetes)
Admission control is the last checkpoint in Kubernetes before an object is written to etcd — here's how webhooks, PSA, and policy engines enforce it.
What is Runtime Protection
Runtime protection catches what pre-deployment scanning can't — live attacks like the XZ Utils backdoor and Log4Shell exploitation, detected only in production.
What is Drift Detection
Drift detection catches unauthorized config changes in real time. See how it works, why it fails in most orgs, and real breaches it could have stopped.
Hardening Amazon EKS clusters against common attack paths
A step-by-step guide to EKS security best practices: lock down IAM, enforce pod security standards, segment networks, and verify every control.
How Microsoft Defender for Containers protects AKS and AC...
Defender for Containers scans ACR images and monitors AKS clusters in real time — but it can't see what happens before a build reaches the registry. Here's what it covers and what it misses.
Enforcing container compliance with Azure Policy
How Azure Policy enforces container compliance on AKS—registry restriction, regulatory mapping, and where admission-time policy alone falls short.
Enforcing signed and attested container images with Binar...
A step-by-step guide to enforcing signed, attested container images in GKE with Binary Authorization — from attestor setup to policy enforcement and troubleshooting.
Comparing security models of GKE Autopilot versus Standar...
GKE Autopilot security vs Standard clusters draw the shared-responsibility line very differently. Here's what changes for pod security and hardening.
runc container escape via file descriptor overwrite (CVE-2019-5736)
CVE-2019-5736 let malicious containers overwrite the host runc binary and gain root — here's the mechanism, affected versions, and how to remediate it.