kubernetes
Safeguard articles tagged "kubernetes" — guides, analysis, and best practices for software supply chain and application security.
125 articles
Deploying Cilium Tetragon for eBPF Runtime Security in 2026
A practical guide to rolling out Tetragon for kernel-level runtime visibility, covering policy authoring, performance overhead, and integration with existing detection pipelines.
Container Runtime Security in 2026: What's Changed and What Hasn't
Container security has matured significantly, but runtime protection remains a weak spot. Here's a practical guide to what works.
Helm Chart Supply Chain Defence Blueprint
Helm charts are the most common Kubernetes deployment artifact and the least scrutinised. This blueprint covers chart provenance, signing, value validation, and the runtime correspondence checks that close the loop.
EKS Pod Identity vs IRSA: A 2026 Migration Playbook
How to migrate from IRSA to EKS Pod Identity in 2026, including the trade-offs, the operational gotchas, and the cases where IRSA still makes sense.
Tetragon vs Falco: 2026 Runtime Security Field Test
Both Tetragon and Falco run on eBPF and both ship as CNCF projects. We benched them side by side on a 400-node cluster — coverage, overhead, and enforcement behavior.
AWS EKS Pod Identity vs. IRSA for Supply Chain
Pod Identity and IRSA both give EKS workloads AWS identities. The supply chain implications diverge once you look past the docs.
Aqua vs Sysdig Buyer Comparison 2026
Two specialist platforms that converged into CNAPP from different starting points. Container provenance, runtime forensics, eBPF coverage, and the cases where each tool earns its keep.
Getting Started: Safeguard Kubernetes Admission
Deploy the Safeguard admission controller to block images with unresolved critical vulnerabilities before they run in your cluster.
How to set up Kubernetes RBAC
A step-by-step kubernetes RBAC setup guide covering Roles, RoleBindings, service accounts, least-privilege patterns, and how to verify and troubleshoot access.
K8s RBAC Blast Radius in Supply Chain Attacks
How Kubernetes RBAC determines what a supply chain attack can actually do once a compromised workload runs, and the RBAC patterns that meaningfully reduce blast radius.
How to configure Falco for runtime security monitoring
A practical walkthrough to configure Falco runtime security in Kubernetes: install, customize rules, route alerts, tune noise, and verify detection end-to-end.
Kyverno ImageValidatingPolicy 2026: A Production Walkthrough
Kyverno 1.18 ships ImageValidatingPolicy as the new policy type for cosign signature, attestation, and SBOM verification. We migrated a 60-cluster fleet and graded the new model.