Notes on Kubernetes security.https://securek8s.de/https://securek8s.de/blog/hello-world/https://securek8s.de/blog/hello-world/Why this site exists, what to expect, and how it's hosted.Mon, 18 May 2026 00:00:00 GMThttps://securek8s.de/blog/hosting-this-site/https://securek8s.de/blog/hosting-this-site/Astro static build, multi-stage container with nginx-unprivileged, Helm chart, restricted-PSA namespace. The eat-your-own-dog-food write-up.Mon, 18 May 2026 00:00:00 GMThttps://securek8s.de/blog/networkpolicy-hostnetwork-tarpit/https://securek8s.de/blog/networkpolicy-hostnetwork-tarpit/A default-deny NetworkPolicy that looked correct, an ingress controller on hostNetwork, and a 5-second TCP retransmit that hid in the gap between them.Mon, 18 May 2026 00:00:00 GMThttps://securek8s.de/blog/pinning-images-by-digest/https://securek8s.de/blog/pinning-images-by-digest/Tags are mutable. Multi-arch manifests are tags-of-tags. Pinning by digest fixes one problem and creates another.Mon, 18 May 2026 00:00:00 GMThttps://securek8s.de/blog/unattended-upgrades-on-k8s-without-drama/https://securek8s.de/blog/unattended-upgrades-on-k8s-without-drama/unattended-upgrades on the OS, kured inside the cluster, PodDisruptionBudgets on the workloads. The three pieces that turn a 3 a.m. kernel patch into a graceful rolling reboot.Mon, 18 May 2026 00:00:00 GMT