Kubernetes Service Mesh Policy Depth
Service meshes promise layered policy. The promise is real, but the layers only help if you use them, and most deployments use one.
Both are CNCF graduated runtimes. Both run production clusters. Their security properties diverge in ways that matter for hardened environments.
Rancher is the distribution that runs when your Kubernetes is neither EKS nor OpenShift. Hardening it well is specific work.
What Azure Container Registry actually guarantees about the images you pull — signing, attestation, content trust, and where the trust chain breaks in practice.
Image signing in ECR has moved from nice-to-have to table stakes. Here is what it actually takes to run cosign and AWS Signer in production without breaking every deploy.
A senior engineer's walkthrough of External Secrets Operator, covering architecture, SecretStore design, rotation, and the patterns that hold up in production.
AWS built Firecracker to run Lambda. The security model is the entire value proposition, and it holds up under scrutiny.
A practical walkthrough for signing container images with Cosign using keyless OIDC, verifying signatures, and enforcing policy in your Kubernetes cluster.
containerd runs most of Kubernetes today. Its defaults are reasonable, but reasonable is not hardened. Here is how to close the gaps.