Kubernetes Security Hardening for Production: The Complete Guide
Harden Kubernetes clusters for production with RBAC, network policies, pod security standards, secrets management, and admission controllers.
13 articles
Security headers and configuration reference — copy-paste snippets for Nginx, Kubernetes Ingress, Cloudflare, and Helmet.js.
Add automated dependency vulnerability scanning to your CI pipeline using Trivy and Grype. Catch known CVEs before they hit production.
Harden GitHub Actions security with least-privilege permissions, OIDC federation, SHA-pinned actions, and secrets management best practices.
How to configure encryption at rest for Kubernetes secrets using KMS providers, because your secrets in etcd are stored in plaintext by default.
Deploy OPA Gatekeeper to enforce Kubernetes admission policies — block privileged containers, enforce labels, and prevent misconfigurations.
Use Mozilla SOPS to encrypt secrets in Git for secure GitOps workflows. Covers AGE, AWS KMS, and ArgoCD integration with real examples.
How to implement zero-trust networking in Kubernetes using NetworkPolicies — deny by default, allow by exception, and sleep better at night.
Set up Trivy for container image vulnerability scanning — from local development to CI/CD pipeline integration with actionable remediation.
Learn everything about Kubernetes Pod Security Standards (PSS) and Pod Security Admission (PSA) — from baseline to restricted profiles with practical examples.
Implement least-privilege RBAC in Kubernetes to prevent lateral movement and privilege escalation — with real threat models and pipeline-ready examples.
Integrate HashiCorp Vault with Kubernetes to eliminate static secrets from your cluster — with working manifests, threat models, and pipeline automation.
Sign and verify your container images with Sigstore Cosign to prevent supply chain attacks — with keyless signing, SBOM attestation, and Kubernetes admission enforcement.