Safeguard
Tag

kubernetes

Safeguard articles tagged "kubernetes" — guides, analysis, and best practices for software supply chain and application security.

125 articles

Container Security

OCI Artifact Signing Rollout Program

A program plan for getting OCI artifact signing across an organisation: trust roots, key custody, build integrations, registry policy, and the inevitable cleanup of unsigned legacy content.

Mar 24, 20267 min read
Container Security

Runtime Container Drift: Supply Chain Implications

Runtime drift is the last honest witness in container supply chain defence. This post covers what drift signals tell you, how to instrument for them, and how to investigate without overwhelming on-call.

Mar 19, 20267 min read
Tools

Falco 0.40: Modern eBPF Is Now Default

Falco's 0.40 release line makes modern eBPF (CO-RE) the default driver, deprecates the legacy probe and gVisor engine, and changes how operators ship Falco. Here's what changed and what to test.

Mar 19, 20266 min read
Cloud Security

Cloud-Native Security Practices That Actually Scale

Containers, Kubernetes, and ephemeral infrastructure broke the perimeter security model. These are the cloud-native security practices that hold up past your first hundred services.

Mar 19, 20264 min read
Container Security

Container Runtime Comparison: A 2026 Buyer's Guide

A practical container runtime comparison for 2026 buyers: containerd, CRI-O, gVisor, Kata, and Youki measured against real production workloads.

Mar 18, 20265 min read
Container Security

Chiseled / Distroless Image Rollout Program

What it takes to standardise on chiseled and distroless container images across an engineering organisation: which workloads benefit, which do not, and how to handle the operational quirks of imageless containers.

Mar 14, 20267 min read
Industry Analysis

State of Container Security 2026: Survey Summary

A survey-style summary of container security in 2026: what production teams actually ship, where image security stands, and which runtime controls moved the needle.

Mar 14, 20269 min read
Best Practices

How to Sign Container Images with Cosign in Production

Keyless Cosign signing with Fulcio and Rekor is the 2026 default. Here is the production workflow, policy configuration, and the failure modes nobody warns you about.

Mar 10, 20267 min read
Container Security

Service Mesh Supply Chain Policy 2026

Service meshes are a control plane and a data plane and a supply chain risk surface all at once. This post covers the policy controls that matter in 2026 for sidecars, control planes, and mesh-issued certificates.

Mar 9, 20267 min read
Vulnerability Analysis

CVE-2025-1974 Ingress NGINX Controller RCE

IngressNightmare - CVE-2025-1974 in Kubernetes ingress-nginx - gave unauthenticated attackers cluster-wide RCE. Here is how it worked and what to harden now.

Mar 7, 20268 min read
Container Security

Kubernetes Operator Supply Chain Controls

Operators are powerful, privileged, and often under-governed. This post covers the supply chain controls that keep operator installations from becoming the largest attack surface in your cluster.

Mar 4, 20267 min read
Tools

Kyverno vs OPA Gatekeeper: A Buyer Comparison for 2026

A practical comparison of Kyverno 1.13 and OPA Gatekeeper 3.18 for Kubernetes policy enforcement, covering language, performance, ecosystem, and operational fit.

Mar 4, 20266 min read
kubernetes (Page 4) — Safeguard Blog