kubernetes
Safeguard articles tagged "kubernetes" — guides, analysis, and best practices for software supply chain and application security.
125 articles
Kubernetes API server privilege escalation via aggregated API (CVE-2018-1002105)
A critical flaw in Kubernetes' aggregated API let unauthenticated users gain full admin privileges. Here's how it worked and how to fix it.
A Practical Kubernetes Operator Security Checklist
Kubernetes operators run with broad cluster access. This checklist covers the controls that matter most in 2025, from RBAC scoping to image provenance.
Helm 2 Tiller's Default Unauthenticated gRPC Endpoint (CV...
CVE-2019-18658 shows how Helm 2's Tiller ran an unauthenticated gRPC endpoint by default, letting network-adjacent attackers seize cluster-admin control.
CVE-2025-31133 in runc: Patch Posture & SBOM Response
runc container-escape via /proc mount manipulation affects Docker, Kubernetes, and every CRI runtime. Defender playbook below.
Kubernetes ingress controller vulnerability roundup
Ingress-nginx, Apache APISIX, and other Kubernetes ingress controllers have racked up critical CVEs since 2021 — here's what actually happened.
Kubernetes SecurityContext: The Settings That Matter
A pod's securityContext decides whether a compromised container is contained or a launchpad. Here are the fields that actually reduce blast radius — and the copy-paste block that sets a hardened baseline.
Choosing a Container Security Scanner
A practical checklist for choosing a container security scanner, covering base-image coverage, registry integration, runtime relevance, and how scan noise actually gets managed.
CVE-2025-55190 in Argo CD: Patch Posture & SBOM Response
Argo CD project details API leaks repository credentials, scored CVSS 9.9. GitOps platforms are now top-tier credential targets. Defender playbook below.
Container Image Security Tools, Compared
A container image security tool scans layers, packages, and configuration inside an image before and after it ships — here's how the major approaches differ and what actually matters when picking one.
Kubernetes securityContext, Explained From Scratch
How security context in kubernetes actually works at the pod and container level, what kubernetes runasuser and capability drops do, and a sane default policy to start from.
Kubernetes 1.33 Security Deep Dive
Kubernetes 1.33 shipped with meaningful security changes: stronger admission controls, expanded structured authorization, and several deprecations that will affect production clusters.
Kubernetes SecurityContext, Field by Field
SecurityContext in Kubernetes is where pod and container hardening actually lives — here's what each field controls and which defaults you should never leave in place.