kubernetes
Safeguard articles tagged "kubernetes" — guides, analysis, and best practices for software supply chain and application security.
125 articles
Container Hardening Guide 2025: From Base Image to Production
A practical guide to hardening container images and deployments. Covers base image selection, build-time security, runtime protections, and Kubernetes-specific controls.
cAdvisor: Container Resource Monitoring, Explained
cAdvisor gives you per-container CPU, memory, network, and filesystem metrics out of the box — here's what it actually measures, how it fits with Prometheus and Kubernetes, and where its limits show up.
Container Image Digests vs Tags: Why Pinning Matters
A tag is a mutable pointer; a digest is the image. Pinning by digest is the difference between deploying what you tested and deploying whatever the registry says today.
eBPF Security Controls: A Production Experience Report
Field notes on running Tetragon, Falco, and Cilium eBPF controls in production Kubernetes clusters, with observed overhead, policy traps, and kernel constraints.
Container Security Best Practices for 2025: Beyond Image Scanning
Container security has evolved far past vulnerability scanning. Here is what mature container security programs look like heading into 2025.
Kata Containers Security Model Review
Kata wraps each pod in a lightweight VM. That is a real security boundary. It is also one that comes with real costs and real caveats.
Kubernetes 1.30 and 1.31 Security Rundown
ValidatingAdmissionPolicy GA, VolumeSource for OCI artifacts, and anonymous API cleanup: what 1.30 and 1.31 change for cluster security posture.
Kubernetes Service Mesh Policy Depth
Service meshes promise layered policy. The promise is real, but the layers only help if you use them, and most deployments use one.
FluxCD Security Model in Production
A production-focused look at FluxCD's security model, covering multi-tenancy isolation, source verification, image automation risks, and the CVE history behind the current defaults.
CRI-O vs containerd: Security Comparison
Both are CNCF graduated runtimes. Both run production clusters. Their security properties diverge in ways that matter for hardened environments.
Kubernetes 1.31 Security Improvements: What You Need to Know
Kubernetes 1.31 'Elli' shipped in August 2024 with significant security improvements including AppArmor GA support, refined pod security controls, and better secret management.
Rancher Cluster Security Hardening
Rancher is the distribution that runs when your Kubernetes is neither EKS nor OpenShift. Hardening it well is specific work.