Safeguard
Tag

kubernetes

Safeguard articles tagged "kubernetes" — guides, analysis, and best practices for software supply chain and application security.

125 articles

Container Security

Image Signing with Cosign and Sigstore

A container image tag proves nothing about who built the image or whether it was tampered with. Cosign and Sigstore fix that with cryptographic signatures and a public transparency log — here is how to sign, verify, and enforce.

Jul 6, 20265 min read
Container Security

Container Escape Vulnerabilities: How They Work and How to Stop Them

A container is a process with boundaries, not a virtual machine. When those boundaries fail, an attacker lands on the host. Here is the anatomy of real container escapes — runc, Leaky Vessels, Dirty Pipe — and how to defend against them.

Jul 5, 20265 min read
Container Security

Securing the Kubernetes API Server

The API server is the front door to your cluster — every kubectl command, controller, and kubelet talks to it. If it is misconfigured, nothing else you harden matters. Here is how to lock it down.

Jul 4, 20265 min read
Container Security

Kubernetes RBAC Security: Least Privilege That Actually Holds

Wildcard verbs, cluster-admin bindings, and forgotten service account tokens turn RBAC into a rubber stamp. Here is how to design roles that contain a breach instead of amplifying it.

Jul 3, 20266 min read
Container Security

Pod Security Standards: The Complete Guide

PodSecurityPolicy is gone. Pod Security Admission and the three Pod Security Standards are how you enforce baseline and restricted profiles in modern Kubernetes — here is how to adopt them without breaking workloads.

Jul 3, 20265 min read
Container Security

Kubernetes Secrets Management Done Right

A Kubernetes Secret is base64, not encryption — and by default it sits in etcd in plaintext. Here is how to actually protect credentials with encryption at rest, external secret stores, and tight RBAC.

Jul 2, 20265 min read
Container Security

Helm Chart Security Best Practices

Helm charts template every RBAC binding, image reference, and secret your cluster runs. Here is how to harden charts, verify provenance, and stop a templating tool from quietly shipping cluster-admin.

Jul 1, 20266 min read
Container Security

Kubernetes Network Policies: A Practical Guide

By default every pod in a Kubernetes cluster can talk to every other pod. NetworkPolicies are how you replace that flat network with least-privilege segmentation — here is how to design and roll them out without breaking traffic.

Jul 1, 20265 min read
Container Security

Kubernetes Security Best Practices for 2026

A default Kubernetes cluster trusts too much: root pods, flat networking, and readable secrets. Here are the hardening practices that actually move the needle in 2026.

Jul 1, 20265 min read
Container Security

Kubernetes network policies for zero trust

Kubernetes network policies default to allow-all. Here is how default-deny rules, CNI enforcement, and policy testing build real zero-trust segmentation.

Jun 26, 20267 min read
Container Security

CVE-2026-42945: A Buffer Overflow in NGINX's Rewrite Module Reaches Into Your Kubernetes Clusters (May 2026)

Disclosed May 17, 2026 with public PoC and in-the-wild activity, CVE-2026-42945 is a buffer overflow in NGINX's ngx_http_rewrite_module. It affects core NGINX and the ingress controllers that wrap it, putting cluster ingress in scope.

May 18, 202612 min read
Cloud Security

When Configuration Is the Vulnerability: Microsoft's May 2026 Look at Exposed AI Apps on Kubernetes

Microsoft's May 14, 2026 research found AI frameworks shipping Helm charts that expose web UIs on internet-facing LoadBalancers with no authentication and cluster-admin service accounts. Mage AI on port 6789 was the headline, but it was far from alone.

May 15, 202613 min read
kubernetes (Page 2) — Safeguard Blog