kubernetes
Safeguard articles tagged "kubernetes" — guides, analysis, and best practices for software supply chain and application security.
125 articles
Best Container Security Tools in 2026
Image scanners, runtime sensors, and Kubernetes posture tools each catch different failures. Here is how the leading options compare in 2026 — and how to pick a stack without buying three overlapping scanners.
Kubernetes Admission Controller Policy Patterns in 2026
A field guide to the admission control patterns that survived contact with production clusters: validating webhooks, image policy, mutating defaults, and what to skip.
Best Kubernetes Admission Controllers for Supply Chain Security
Kyverno, OPA Gatekeeper, Sigstore policy-controller, Ratify, or plain CEL? A field guide to admission controllers that actually block unsigned and vulnerable images.
Leaky Vessels: The runc Container Escape Class (2024)
Leaky Vessels bundled four CVEs that let container processes escape into the host. Two years later the class is still mispatched and misunderstood.
Sigstore Policy Controller for K8s in Production
How the Sigstore Policy Controller actually runs in production, what it does better than Kyverno, and the operational pitfalls nobody mentions in the quickstart.
Container Security Solutions vs Platforms: What You're Actually Buying
Container security solutions and container security platforms get marketed almost interchangeably — here's the actual difference in scope and what each one leaves you to build yourself.
Cilium Tetragon Runtime Security with eBPF
A practical look at Cilium Tetragon for Kubernetes runtime security, what eBPF gives you that audit logs do not, and where Tetragon fits in a real stack.
Deploying Falco for Runtime Security in 2026
A pragmatic deployment guide for Falco 0.41 in production Kubernetes: driver selection, rule tuning, alert routing, and the operational debt teams underestimate.
Container Security Best Practices Checklist 2026
A practical container security checklist for 2026 covering base images, runtime controls, registry hygiene, and signing, with specific thresholds defenders can adopt.
Cosign for Container Signing: A Production Setup
A working production setup for Cosign image signing across CI, registries, and Kubernetes admission, including the parts that break at scale and how to recover.
K8s Admission Controllers for Supply Chain Policy
How to design Kubernetes admission controllers that enforce supply chain policy without turning every deploy into a 30-minute argument with the cluster.
How Container Threat Detection identifies runtime attacks...
How Container Threat Detection GCP watches GKE kernels for reverse shells, added binaries, and privilege escalation—and why runtime signals catch what image scanning can't.