Safeguard
Tag

rbac

Safeguard articles tagged "rbac" — guides, analysis, and best practices for software supply chain and application security.

25 articles

Application Security

RBAC vs. ABAC vs. ReBAC: choosing an access-control model for multi-tenant cloud apps

Google's Zanzibar paper (USENIX ATC 2019) showed relationship graphs authorizing access with sub-10ms latency at massive scale — here's when RBAC or ABAC beats it instead.

Jul 15, 20266 min read
Kubernetes Security

TLS termination and cert-manager: a hardening guide for Kubernetes Ingress

IngressNightmare's CVSS 9.8 RCE showed that ingress-nginx's own admission webhook can be turned against cluster Secrets — here's how to configure TLS safely.

Jul 15, 20267 min read
Kubernetes Security

A practical guide to least privilege in Kubernetes RBAC

One RBAC flaw, CVE-2018-1002105 (CVSS 9.8), let any authenticated user escalate to cluster-admin — here's how to actually scope roles so that never happens again.

Jul 13, 20266 min read
Kubernetes Security

Best practices for securing Kubernetes ConfigMaps

ConfigMaps store plaintext in etcd with no size guardrail beyond 1 MiB — teams that drop credentials in them expose secrets to a far bigger RBAC audience.

Jul 13, 20266 min read
Kubernetes Security

Securing the Argo CD to Kubernetes GitOps Pipeline

One symlinked Helm values file (CVE-2022-24348, CVSS 7.7) let attackers read secrets across Argo CD tenants — GitOps trust needs hardening, not just adoption.

Jul 12, 20266 min read
Kubernetes Security

Running Multiple Custom Controllers Without RBAC or CRD Collisions

Kubernetes CRDs are singletons by group and kind, and RBAC has no tenant concept — two facts that quietly break most multi-controller clusters.

Jul 11, 20268 min read
Kubernetes Security

Designing Least-Privilege Kubernetes RBAC: A Practical Guide

CVE-2018-1002105 (CVSS 9.8) let an unauthenticated request reach cluster-admin through pod exec endpoints — most RBAC breaches since trace back to the same handful of over-broad bindings.

Jul 8, 20267 min read
Application Security

Secure multi-tenant SaaS access control patterns

Broken Access Control has topped OWASP's Top 10 for two straight cycles, found in 100% of tested apps in 2025 — most of that risk starts with one missing tenant_id check.

Jul 8, 20266 min read
Container Security

Securing the Kubernetes API Server

The API server is the front door to your cluster — every kubectl command, controller, and kubelet talks to it. If it is misconfigured, nothing else you harden matters. Here is how to lock it down.

Jul 4, 20265 min read
Container Security

Kubernetes RBAC Security: Least Privilege That Actually Holds

Wildcard verbs, cluster-admin bindings, and forgotten service account tokens turn RBAC into a rubber stamp. Here is how to design roles that contain a breach instead of amplifying it.

Jul 3, 20266 min read
Container Security

Kubernetes Security Best Practices for 2026

A default Kubernetes cluster trusts too much: root pods, flat networking, and readable secrets. Here are the hardening practices that actually move the needle in 2026.

Jul 1, 20265 min read
Container Security

Securing Kubernetes Secrets management

Base64 isn't encryption. Here's how Kubernetes Secrets actually get exposed, and the encryption, RBAC, and rotation controls that fix it.

Jun 25, 20266 min read
rbac — Safeguard Blog