kubernetes-security
Safeguard articles tagged "kubernetes-security" — guides, analysis, and best practices for software supply chain and application security.
125 articles
CRI-O 'cr8escape' Sysctl Injection Container Escape (CVE-...
CVE-2022-0811 (cr8escape) is a CRI-O flaw where an unvalidated sysctl injection let attackers escape containers and gain root on Kubernetes hosts.
Kubernetes and Go supply chain risk report
Kubernetes leans on thousands of Go modules. New analysis shows how typosquats and vendored code turn that dependency into real supply chain risk.
Cloud-native Go services vulnerability landscape
A runc escape trilogy, a gRPC-Go bypass, and a lingering SSH auth flaw reveal how concentrated risk in Go now shapes the cloud native vulnerability landscape.
Best Kubernetes security scanning tools
A practical, no-fluff comparison of Kubernetes security scanning tools — CIS benchmark coverage, runtime detection, and where each real vendor falls short.
Outdated container images still running in production
New industry data shows most production containers still run on stale, vulnerable base images months after fixes ship -- here's why, and how to close the gap.
Kubernetes Helm chart vulnerability trends
New Safeguard research finds most public Helm charts ship risky defaults and stale image pins—here's what the data shows and how to fix it.
Best Kubernetes admission control tools
A practical comparison of Kubernetes admission control tools — OPA/Gatekeeper, Kyverno, Kubewarden, Styra, jsPolicy, and Polaris — with real strengths, limits, and evaluation criteria.
Best runtime container security tools
A practical comparison of runtime container security tools, from eBPF-based monitoring to commercial threat detection platforms, and what to weigh before buying.
Writing a Container Security Policy That Actually Holds
Most container security policies get written once, ignored during the next sprint, and rediscovered during an audit — here's how to write one that engineers actually follow.
Kubernetes secrets management vulnerability guide
Kubernetes Secrets are base64, not encrypted. Real CVEs and the Tesla breach show how attackers exploit that gap — and how to close it.
Container runtime security (containerd/CRI-O) vulnerability roundup
Container runtime CVEs like the runc Leaky Vessels flaw and CRI-O's cr8escape show how containerd and CRI-O bugs turn into full host takeovers.
Containers Not Dropping Default Linux Capabilities
Docker grants every container 14 Linux capabilities by default. Here's why NET_RAW, SYS_CHROOT, and friends turn contained compromises into breakouts—and how to drop them safely.