securek8s

Blog

Long-form notes on hardening Kubernetes.

Hello, securek8s

18 May 2026 · meta

Why this site exists, what to expect, and how it's hosted.

Hosting this site on my own cluster

18 May 2026 · self-hosting · helm · nginx · hardening · psa

Astro static build, multi-stage container with nginx-unprivileged, Helm chart, restricted-PSA namespace. The eat-your-own-dog-food write-up.

How my NetworkPolicy silently turned ingress-nginx into a 5-second tarpit

18 May 2026 · networkpolicy · ingress-nginx · calico · rke2

A default-deny NetworkPolicy that looked correct, an ingress controller on hostNetwork, and a 5-second TCP retransmit that hid in the gap between them.

Pinning images by digest: what I learned the multi-arch way

18 May 2026 · supply-chain · docker · image-digest · multi-arch

Tags are mutable. Multi-arch manifests are tags-of-tags. Pinning by digest fixes one problem and creates another.

Unattended security updates on Kubernetes nodes, without drama

18 May 2026 · unattended-upgrades · kured · node-management · patching · rke2

unattended-upgrades on the OS, kured inside the cluster, PodDisruptionBudgets on the workloads. The three pieces that turn a 3 a.m. kernel patch into a graceful rolling reboot.