K8s Admission Controllers for Supply Chain Policy
How to design Kubernetes admission controllers that enforce supply chain policy without turning every deploy into a 30-minute argument with the cluster.
Deep dives, practical guides, and incident analyses from engineers who build Safeguard. No fluff, no vendor FUD — just what you need to ship secure software.
Kubernetes operators run with broad cluster access. This checklist covers the controls that matter most in 2025, from RBAC scoping to image provenance.
Both Prisma Cloud and Wiz have expanded into supply chain territory from cloud security origins. A head-to-head on what each actually delivers on the supply chain dimension.
Kubernetes 1.33 shipped with meaningful security changes: stronger admission controls, expanded structured authorization, and several deprecations that will affect production clusters.
Using Istio, Linkerd, and Cilium service mesh to enforce signed-artifact, SPIFFE identity, and provenance-aware policy in production clusters.
Field notes on running Tetragon, Falco, and Cilium eBPF controls in production Kubernetes clusters, with observed overhead, policy traps, and kernel constraints.
Kata wraps each pod in a lightweight VM. That is a real security boundary. It is also one that comes with real costs and real caveats.
Policy design patterns for GCP Binary Authorization that hold up in production: attestor topology, exception handling, continuous validation, and the shapes that stop a deploy-time compromise without blocking legitimate rollouts.
ValidatingAdmissionPolicy GA, VolumeSource for OCI artifacts, and anonymous API cleanup: what 1.30 and 1.31 change for cluster security posture.