Notes on Kubernetes security.

I'm Thomas Zachmann. I write about hardening Kubernetes in production — Pod Security Standards, supply chain, runtime, RBAC, and the things that go wrong when you forget about them. This site runs on my own cluster.

Latest articles

Hello, securek8s

18. Mai 2026 · meta

Why this site exists, what to expect, and how it's hosted.
Hosting this site on my own cluster

18. Mai 2026 · self-hosting · helm · nginx · hardening · psa

Astro static build, multi-stage container with nginx-unprivileged, Helm chart, restricted-PSA namespace. The eat-your-own-dog-food write-up.
How my NetworkPolicy silently turned ingress-nginx into a 5-second tarpit

18. Mai 2026 · networkpolicy · ingress-nginx · calico · rke2

A default-deny NetworkPolicy that looked correct, an ingress controller on hostNetwork, and a 5-second TCP retransmit that hid in the gap between them.

Currently working on

securek8s.de

Astro · Tailwind · nginx · Kubernetes

This site. Static Astro build, hardened nginx pod on my homelab cluster.

The site itself runs on a hardened Kubernetes namespace. See the setup →

Notes on Kubernetes security.

Latest articles

Hello, securek8s

Hosting this site on my own cluster

How my NetworkPolicy silently turned ingress-nginx into a 5-second tarpit

Currently working on

securek8s.de