https://cbnative.com Articles on Kubernetes security, DevSecOps tooling, and cloud-native practices. en https://cbnative.com/rss-logo.png https://cbnative.com https://cbnative.com/posts/frsca-slsa-levels-practice https://cbnative.com/posts/frsca-slsa-levels-practice Fri, 05 Jun 2026 00:00:00 GMT FRSCA wires together Tekton, Tekton Chains, SPIRE, Vault, and Kyverno so that every image a pipeline builds is automatically signed, gets in-toto SLSA provenance attached, and is checked at admission. No human ever touches the signing key. This post covers the build-to-verify flow, how the signing trust model works, and which SLSA level it actually reaches in practice. https://cbnative.com/posts/jenkins-security-pipeline-plug-and-play https://cbnative.com/posts/jenkins-security-pipeline-plug-and-play Sat, 16 May 2026 00:00:00 GMT A technical runbook for wiring any Jenkins build to a centralized security pipeline, including credentials, trigger integration, reporting, validation, and production hardening. https://cbnative.com/posts/cka-study-notes https://cbnative.com/posts/cka-study-notes Tue, 17 Feb 2026 00:00:00 GMT A phase-by-phase prep roadmap for the updated CKA exam (2025 curriculum). Covers the study sequence, the resources worth using, what changed in the February 2025 update, and the exact exam day habits that keep you from losing points on questions you actually know. https://cbnative.com/posts/cupcake-ai-guardrails https://cbnative.com/posts/cupcake-ai-guardrails Tue, 27 Jan 2026 00:00:00 GMT Cupcake lets you enforce Rego-based policies on AI coding agents like Claude Code and Cursor, controlling what they can read, write, and execute at both machine and repository level. https://cbnative.com/posts/tetragon-part2-detection-engineering https://cbnative.com/posts/tetragon-part2-detection-engineering Mon, 19 Jan 2026 00:00:00 GMT Part 2 of 2. How Tetragon turns kernel events into Kubernetes-aware detections. Covers kprobes vs LSM hooks, detection policies for real attack patterns, enforcement, the tiered architecture that keeps noise under control, and the full observability pipeline the team built on kubeadm. https://cbnative.com/posts/tetragon-part1-installation https://cbnative.com/posts/tetragon-part1-installation Wed, 07 Jan 2026 00:00:00 GMT Part 1 of 2. A step-by-step guide for installing Tetragon on a kubeadm cluster, writing your first TracingPolicy, reading the JSON events it produces, and shipping everything to Loki. Covers kernel requirements, resource limits, and day-2 operations. https://cbnative.com/posts/gatekeeper-vs-kyverno https://cbnative.com/posts/gatekeeper-vs-kyverno Sat, 15 Nov 2025 00:00:00 GMT Gatekeeper (OPA) and Kyverno are the two main Kubernetes policy engines. Both enforce admission control policies, but they have different approaches to policy authoring, testing, and operational complexity. This post compares them on the criteria that matter for a production environment. https://cbnative.com/posts/opa-enforcement-gatekeeper-conftest https://cbnative.com/posts/opa-enforcement-gatekeeper-conftest Tue, 15 Jul 2025 00:00:00 GMT You wrote the Rego policy. Now how do you actually enforce it? This post covers two tools: Conftest for catching violations before deployment, and Gatekeeper for blocking them inside Kubernetes. https://cbnative.com/posts/rego-patterns-policy-testing https://cbnative.com/posts/rego-patterns-policy-testing Tue, 01 Jul 2025 00:00:00 GMT A practical introduction to writing and testing Rego policies with OPA: what Rego is for, how the logic works, and how to test it before it causes real problems. https://cbnative.com/posts/kubernetes-rbac-multi-tenant https://cbnative.com/posts/kubernetes-rbac-multi-tenant Sat, 07 Jun 2025 00:00:00 GMT A field guide to designing Kubernetes RBAC for clusters that host workloads from multiple teams, with least-privilege enforced through reusable role templates. https://cbnative.com/posts/hands-on-sonarqube https://cbnative.com/posts/hands-on-sonarqube Fri, 11 Apr 2025 00:00:00 GMT SonarQube runs static analysis on your code and gives you a pass or fail signal you can trust. This post sets up an instance, puts it behind HTTPS, then creates a project, runs a first scan against OWASP Juice Shop, and reads the results. https://cbnative.com/posts/trivy-all-in-one-security-scanner https://cbnative.com/posts/trivy-all-in-one-security-scanner Tue, 25 Mar 2025 00:00:00 GMT Trivy scans container images, filesystems, Git repositories, IaC configs, and live Kubernetes clusters for vulnerabilities, misconfigurations, secrets, and license issues, all through a single binary with a consistent interface and shared database. https://cbnative.com/posts/conjur-policy-in-production https://cbnative.com/posts/conjur-policy-in-production Thu, 20 Feb 2025 00:00:00 GMT Conjur models secrets access as code: identities, groups, variables, and permissions all live in YAML policy files. This post covers a production-grade policy layout, from the privilege model and environment separation to Kubernetes follower architecture, ESO integration, and LDAP operator authentication. https://cbnative.com/posts/falco-runtime-detection-kubernetes https://cbnative.com/posts/falco-runtime-detection-kubernetes Wed, 05 Feb 2025 00:00:00 GMT Falco detects unexpected behavior in running containers using eBPF-based system call monitoring. This post covers rule syntax, writing custom rules for Kubernetes workloads, tuning false positives, and forwarding alerts to a SIEM. https://cbnative.com/posts/securing-kubernetes-control-plane https://cbnative.com/posts/securing-kubernetes-control-plane Tue, 12 Nov 2024 00:00:00 GMT The Kubernetes control plane is the most security-critical component of a cluster. This post covers hardening the API server, etcd encryption, RBAC for control plane components, network isolation, and the checks that matter in a CIS benchmark audit. https://cbnative.com/posts/external-secrets-operator https://cbnative.com/posts/external-secrets-operator Thu, 19 Sep 2024 00:00:00 GMT External Secrets Operator (ESO) syncs secrets from external providers (HashiCorp Vault, CyberArk Conjur, AWS Secrets Manager, and GCP Secret Manager) into Kubernetes Secrets. This post covers installation, configuration for multiple backends, secret rotation, and the access control model. https://cbnative.com/posts/secure-coding-dojo-training-3-black-belt https://cbnative.com/posts/secure-coding-dojo-training-3-black-belt Thu, 29 Feb 2024 00:00:00 GMT Walkthrough notes for the Black Belt module from OWASP Secure Coding Dojo. Twelve hands-on lessons covering open redirect, XSS, CSRF, JWT forgery, file upload, XXE, path traversal, broken authorization, OS command injection, SQL injection, buffer overflow, and format string injection. https://cbnative.com/posts/secure-coding-dojo-training-2-green-belt https://cbnative.com/posts/secure-coding-dojo-training-2-green-belt Fri, 23 Feb 2024 00:00:00 GMT Walkthrough notes for the Green Belt module from OWASP Secure Coding Dojo. Twelve hands-on lessons covering the OWASP Top 10 at an introductory level. You exploit each vulnerability before seeing the fix. https://cbnative.com/posts/secure-coding-dojo-training-1-security-code-review-ninja https://cbnative.com/posts/secure-coding-dojo-training-1-security-code-review-ninja Fri, 16 Feb 2024 00:00:00 GMT Walkthrough notes for the Security Code Review Ninja module from OWASP Secure Coding Dojo. Six lessons on how to identify security flaws during code review, before they reach production. https://cbnative.com/posts/secure-coding-dojo https://cbnative.com/posts/secure-coding-dojo Fri, 09 Feb 2024 00:00:00 GMT Most vulnerabilities are introduced at the code level, not the infrastructure level. Fixing them at the firewall is expensive and unreliable. This post covers OWASP Secure Coding Dojo as a practical starting point for building security culture inside development teams. https://cbnative.com/posts/vulnmanager-unified-scanner-normalization https://cbnative.com/posts/vulnmanager-unified-scanner-normalization Tue, 07 Nov 2023 00:00:00 GMT Architecture retrospective on VulnManager, a Django platform I built that normalizes findings from different security scanners into a single unified table using the NVD API. https://cbnative.com/posts/owasp-dependency-check https://cbnative.com/posts/owasp-dependency-check Wed, 01 Nov 2023 00:00:00 GMT A practical guide to installing OWASP Dependency Check, running your first scan, and reading what the report is telling you. https://cbnative.com/posts/grype-vulnerability-triage https://cbnative.com/posts/grype-vulnerability-triage Mon, 30 Oct 2023 00:00:00 GMT Grype is a fast, accurate vulnerability scanner for container images and filesystems. This post covers integrating it into CI/CD, interpreting results with EPSS and CVSS together, writing effective ignore rules, and building a triage workflow that keeps the signal-to-noise ratio manageable. https://cbnative.com/posts/kubernetes-audit-logs https://cbnative.com/posts/kubernetes-audit-logs Wed, 23 Aug 2023 00:00:00 GMT Kubernetes audit logs record every API server request. This post covers how to enable audit logging, design an audit policy that captures what matters, forward events to a SIEM, and query them for security monitoring. https://cbnative.com/posts/cis-benchmark-kubernetes https://cbnative.com/posts/cis-benchmark-kubernetes Tue, 11 Apr 2023 00:00:00 GMT The CIS Kubernetes Benchmark defines hardening requirements for control plane components, worker nodes, and cluster configuration. This post covers the most impactful checks and how to apply and audit them in practice. https://cbnative.com/posts/sigstore-cosign-image-signing https://cbnative.com/posts/sigstore-cosign-image-signing Wed, 08 Feb 2023 00:00:00 GMT Cryptographic signing proves that a container image came from a known source and has not been tampered with. Attestations attach signed metadata (SBOMs, scan results) to images. This post covers signing concepts, verification, and enforcement at Kubernetes admission. https://cbnative.com/posts/pod-security-standards https://cbnative.com/posts/pod-security-standards Tue, 06 Sep 2022 00:00:00 GMT Kubernetes ships a built-in admission controller that restricts what pods can request at the namespace level. This post covers the three profiles, how to combine enforcement modes, a namespace labeling strategy that holds up in production, and what to reach for when PSS is not enough. https://cbnative.com/posts/hashicorp-vault-architecture https://cbnative.com/posts/hashicorp-vault-architecture Tue, 15 Feb 2022 00:00:00 GMT HashiCorp Vault is a secrets management platform built around the principle that secrets should be dynamic, audited, and short-lived. This post covers the core architecture, authentication methods, secret engines, the Kubernetes integration, and the operational patterns that keep a Vault cluster healthy. https://cbnative.com/posts/multi-stage-dockerfiles https://cbnative.com/posts/multi-stage-dockerfiles Tue, 04 Aug 2020 00:00:00 GMT Multi-stage Dockerfiles separate build dependencies from runtime artifacts. The result is smaller images that carry less attack surface. This post covers the patterns that work in practice, the common pitfalls, and how to integrate image scanning into the build. https://cbnative.com/posts/distroless-minimal-base-images https://cbnative.com/posts/distroless-minimal-base-images Wed, 12 Feb 2020 00:00:00 GMT Why the base image you choose determines most of your container attack surface, and how distroless, scratch, and Chainguard images reduce it without breaking your build. https://cbnative.com/posts/burp-suite-manual-testing https://cbnative.com/posts/burp-suite-manual-testing Mon, 15 Oct 2018 00:00:00 GMT Burp Suite is the standard tool for manual web application security testing. This guide covers configuring the proxy, intercept and replay workflows, the Scanner, active crawling, and the practical techniques that surface the issues automated scanners miss.