kubernetes
Safeguard articles tagged "kubernetes" — guides, analysis, and best practices for software supply chain and application security.
125 articles
Image Signing with Cosign and Sigstore
A container image tag proves nothing about who built the image or whether it was tampered with. Cosign and Sigstore fix that with cryptographic signatures and a public transparency log — here is how to sign, verify, and enforce.
Container Escape Vulnerabilities: How They Work and How to Stop Them
A container is a process with boundaries, not a virtual machine. When those boundaries fail, an attacker lands on the host. Here is the anatomy of real container escapes — runc, Leaky Vessels, Dirty Pipe — and how to defend against them.
Securing the Kubernetes API Server
The API server is the front door to your cluster — every kubectl command, controller, and kubelet talks to it. If it is misconfigured, nothing else you harden matters. Here is how to lock it down.
Kubernetes RBAC Security: Least Privilege That Actually Holds
Wildcard verbs, cluster-admin bindings, and forgotten service account tokens turn RBAC into a rubber stamp. Here is how to design roles that contain a breach instead of amplifying it.
Pod Security Standards: The Complete Guide
PodSecurityPolicy is gone. Pod Security Admission and the three Pod Security Standards are how you enforce baseline and restricted profiles in modern Kubernetes — here is how to adopt them without breaking workloads.
Kubernetes Secrets Management Done Right
A Kubernetes Secret is base64, not encryption — and by default it sits in etcd in plaintext. Here is how to actually protect credentials with encryption at rest, external secret stores, and tight RBAC.
Helm Chart Security Best Practices
Helm charts template every RBAC binding, image reference, and secret your cluster runs. Here is how to harden charts, verify provenance, and stop a templating tool from quietly shipping cluster-admin.
Kubernetes Network Policies: A Practical Guide
By default every pod in a Kubernetes cluster can talk to every other pod. NetworkPolicies are how you replace that flat network with least-privilege segmentation — here is how to design and roll them out without breaking traffic.
Kubernetes Security Best Practices for 2026
A default Kubernetes cluster trusts too much: root pods, flat networking, and readable secrets. Here are the hardening practices that actually move the needle in 2026.
Kubernetes network policies for zero trust
Kubernetes network policies default to allow-all. Here is how default-deny rules, CNI enforcement, and policy testing build real zero-trust segmentation.
CVE-2026-42945: A Buffer Overflow in NGINX's Rewrite Module Reaches Into Your Kubernetes Clusters (May 2026)
Disclosed May 17, 2026 with public PoC and in-the-wild activity, CVE-2026-42945 is a buffer overflow in NGINX's ngx_http_rewrite_module. It affects core NGINX and the ingress controllers that wrap it, putting cluster ingress in scope.
When Configuration Is the Vulnerability: Microsoft's May 2026 Look at Exposed AI Apps on Kubernetes
Microsoft's May 14, 2026 research found AI frameworks shipping Helm charts that expose web UIs on internet-facing LoadBalancers with no authentication and cluster-admin service accounts. Mage AI on port 6789 was the headline, but it was far from alone.