Safeguard
Tag

kubernetes

Safeguard articles tagged "kubernetes" — guides, analysis, and best practices for software supply chain and application security.

125 articles

DevSecOps

Container Hardening Guide 2025: From Base Image to Production

A practical guide to hardening container images and deployments. Covers base image selection, build-time security, runtime protections, and Kubernetes-specific controls.

May 5, 20256 min read
Containers

cAdvisor: Container Resource Monitoring, Explained

cAdvisor gives you per-container CPU, memory, network, and filesystem metrics out of the box — here's what it actually measures, how it fits with Prometheus and Kubernetes, and where its limits show up.

Mar 18, 20255 min read
Engineering

Container Image Digests vs Tags: Why Pinning Matters

A tag is a mutable pointer; a digest is the image. Pinning by digest is the difference between deploying what you tested and deploying whatever the registry says today.

Feb 16, 20256 min read
Container Security

eBPF Security Controls: A Production Experience Report

Field notes on running Tetragon, Falco, and Cilium eBPF controls in production Kubernetes clusters, with observed overhead, policy traps, and kernel constraints.

Dec 20, 20245 min read
Best Practices

Container Security Best Practices for 2025: Beyond Image Scanning

Container security has evolved far past vulnerability scanning. Here is what mature container security programs look like heading into 2025.

Dec 1, 20247 min read
Container Security

Kata Containers Security Model Review

Kata wraps each pod in a lightweight VM. That is a real security boundary. It is also one that comes with real costs and real caveats.

Nov 14, 20246 min read
Container Security

Kubernetes 1.30 and 1.31 Security Rundown

ValidatingAdmissionPolicy GA, VolumeSource for OCI artifacts, and anonymous API cleanup: what 1.30 and 1.31 change for cluster security posture.

Sep 20, 20245 min read
Container Security

Kubernetes Service Mesh Policy Depth

Service meshes promise layered policy. The promise is real, but the layers only help if you use them, and most deployments use one.

Sep 15, 20247 min read
DevSecOps

FluxCD Security Model in Production

A production-focused look at FluxCD's security model, covering multi-tenancy isolation, source verification, image automation risks, and the CVE history behind the current defaults.

Sep 10, 20247 min read
Container Security

CRI-O vs containerd: Security Comparison

Both are CNCF graduated runtimes. Both run production clusters. Their security properties diverge in ways that matter for hardened environments.

Aug 22, 20246 min read
Cloud Security

Kubernetes 1.31 Security Improvements: What You Need to Know

Kubernetes 1.31 'Elli' shipped in August 2024 with significant security improvements including AppArmor GA support, refined pod security controls, and better secret management.

Aug 15, 20247 min read
Container Security

Rancher Cluster Security Hardening

Rancher is the distribution that runs when your Kubernetes is neither EKS nor OpenShift. Hardening it well is specific work.

Jul 30, 20247 min read
kubernetes (Page 8) — Safeguard Blog