kubernetes
Safeguard articles tagged "kubernetes" — guides, analysis, and best practices for software supply chain and application security.
125 articles
OCI Artifact Signing Rollout Program
A program plan for getting OCI artifact signing across an organisation: trust roots, key custody, build integrations, registry policy, and the inevitable cleanup of unsigned legacy content.
Runtime Container Drift: Supply Chain Implications
Runtime drift is the last honest witness in container supply chain defence. This post covers what drift signals tell you, how to instrument for them, and how to investigate without overwhelming on-call.
Falco 0.40: Modern eBPF Is Now Default
Falco's 0.40 release line makes modern eBPF (CO-RE) the default driver, deprecates the legacy probe and gVisor engine, and changes how operators ship Falco. Here's what changed and what to test.
Cloud-Native Security Practices That Actually Scale
Containers, Kubernetes, and ephemeral infrastructure broke the perimeter security model. These are the cloud-native security practices that hold up past your first hundred services.
Container Runtime Comparison: A 2026 Buyer's Guide
A practical container runtime comparison for 2026 buyers: containerd, CRI-O, gVisor, Kata, and Youki measured against real production workloads.
Chiseled / Distroless Image Rollout Program
What it takes to standardise on chiseled and distroless container images across an engineering organisation: which workloads benefit, which do not, and how to handle the operational quirks of imageless containers.
State of Container Security 2026: Survey Summary
A survey-style summary of container security in 2026: what production teams actually ship, where image security stands, and which runtime controls moved the needle.
How to Sign Container Images with Cosign in Production
Keyless Cosign signing with Fulcio and Rekor is the 2026 default. Here is the production workflow, policy configuration, and the failure modes nobody warns you about.
Service Mesh Supply Chain Policy 2026
Service meshes are a control plane and a data plane and a supply chain risk surface all at once. This post covers the policy controls that matter in 2026 for sidecars, control planes, and mesh-issued certificates.
CVE-2025-1974 Ingress NGINX Controller RCE
IngressNightmare - CVE-2025-1974 in Kubernetes ingress-nginx - gave unauthenticated attackers cluster-wide RCE. Here is how it worked and what to harden now.
Kubernetes Operator Supply Chain Controls
Operators are powerful, privileged, and often under-governed. This post covers the supply chain controls that keep operator installations from becoming the largest attack surface in your cluster.
Kyverno vs OPA Gatekeeper: A Buyer Comparison for 2026
A practical comparison of Kyverno 1.13 and OPA Gatekeeper 3.18 for Kubernetes policy enforcement, covering language, performance, ecosystem, and operational fit.