Cloud Drops Episode #004 - Security Security Security
This week's cloud native news focuses on security: vulnerability disclosures, new security tools, and best practices for protecting your clusters.
THNKBIG Team
Engineering Insights
Welcome to Cloud Drops Episode 4 — and this week, the theme is security. Kubernetes security improvements, supply chain news, and compliance developments dominate the cloud native headlines. Here's what you need to know.
Pod Security Admission Is Now Stable
Kubernetes Pod Security Admission (PSA) graduated to stable in 1.25, replacing the deprecated PodSecurityPolicy. PSA enforces the three Pod Security Standards — Privileged, Baseline, and Restricted — at the namespace level using a simple label-based enforcement model. This is a significant improvement in usability over PSP while maintaining the same security guarantees.
If you're still running PodSecurityPolicy in older clusters, migration to PSA should be on your roadmap. PSP was removed in Kubernetes 1.25. PSA's Restricted profile blocks the most dangerous pod configurations: root containers, hostPath mounts, host network/PID access, and containers without read-only root filesystems.
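Here is what the label-based model looks like in practice. This is an added example, not a manifest from the page: the namespace name, pod name and image are constructed placeholders. The namespace carries one label per PSA mode (enforce, audit, warn) plus a version pin, and the pod below is one the Restricted profile admits, with the fields the Restricted checks look at (non-root, seccomp, no privilege escalation, all capabilities dropped, only permitted volume types) set alongside a read-only root filesystem.

```yaml
# Added example: a namespace opted into Pod Security Admission.
# Names (payments, app, the image reference) are constructed placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: payments
  labels:
    # Reject any pod that violates the Restricted profile.
    pod-security.kubernetes.io/enforce: restricted
    # Pin the profile version so a control-plane upgrade cannot silently
    # change what "restricted" means for this namespace.
    pod-security.kubernetes.io/enforce-version: v1.25
    # Also warn the client and annotate the audit log; useful while
    # tightening a namespace from baseline to restricted.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
# A minimal pod that the Restricted profile admits.
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: payments
spec:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: registry.example.com/app:1.0.0   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        - name: tmp
          mountPath: /tmp
  volumes:
    # emptyDir is one of the volume types Restricted permits; hostPath is not.
    - name: tmp
      emptyDir: {}
```

Before flipping an existing namespace to enforce, preview which running pods would be rejected with a server-side dry run: `kubectl label --dry-run=server --overwrite ns payments pod-security.kubernetes.io/enforce=restricted` prints a warning per violating pod without changing anything.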
Supply Chain Security: Sigstore Adoption Accelerates
Sigstore — the CNCF project providing tooling for artifact signing and verification — continues to see rapid adoption. Cosign (image signing), Rekor (transparency log), and Fulcio (certificate authority) form the complete signing chain. Major package registries and language ecosystems are integrating Sigstore: npm, PyPI, Maven Central, and several Linux distributions now publish Sigstore-signed artifacts.
For Kubernetes operators: start requiring Cosign-signed images in your admission policies now. The tooling has matured, and the ecosystem's momentum means that major base images and tooling are increasingly distributed with signatures. Kyverno makes enforcement simple with a few lines of YAML policy.
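Those few lines of YAML, as an added example that is not from the page or from the Kyverno project: a ClusterPolicy that admits only pods whose images carry a Cosign signature, verified keylessly against the Fulcio-issued certificate and the Rekor log the item mentions. The registry prefix, the OIDC subject and the issuer are placeholders for your own build identity; the syntax assumes Kyverno 1.8 or later.

```yaml
# Added example (not the Kyverno project's own policy): require Cosign signatures.
# registry.example.com, example-org and the workflow path are placeholders.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-signed-images
spec:
  # Enforce rejects the pod; use Audit to roll the policy out without blocking.
  validationFailureAction: Enforce
  # If the webhook cannot reach Rekor, fail closed rather than admit an unverified image.
  failurePolicy: Fail
  webhookTimeoutSeconds: 30
  background: false
  rules:
    - name: verify-cosign-keyless
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "registry.example.com/platform/*"   # placeholder: images this rule covers
          required: true
          # Rewrite the tag to the verified digest so a later tag move cannot swap the image.
          mutateDigest: true
          attestors:
            - count: 1
              entries:
                # Keyless: the Fulcio certificate must be bound to this CI workflow's
                # OIDC identity, and the signature must be present in Rekor.
                - keyless:
                    subject: "https://github.com/example-org/platform/.github/workflows/release.yaml@refs/heads/main"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: https://rekor.sigstore.dev
```

The matching signing step in CI is `cosign sign --yes registry.example.com/platform/app:1.0.0` (Cosign v2, keyless via the runner's OIDC token). To check an image by hand with the same identity constraints the policy applies, run `cosign verify --certificate-identity <subject> --certificate-oidc-issuer https://token.actions.githubusercontent.com <image>`; if that fails, the admission webhook will reject the pod too, so it is the quickest way to debug a rollout.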
Falco 0.34: Improved Kubernetes Audit Log Integration
Falco 0.34 improved Kubernetes audit log support, making it easier to correlate runtime system call events with Kubernetes API audit events. This is significant for compliance environments (FedRAMP, HIPAA), where you need to answer not just which system call happened, but which Kubernetes resource change triggered it and which user or service account made that change.
CNCF Security TAG Releases Updated Cloud Native Security Whitepaper
The CNCF Security Technical Advisory Group (TAG-Security) released an updated version of the Cloud Native Security Whitepaper. The updated paper covers zero-trust architecture patterns, supply chain security controls, and workload identity. It's required reading for any team building a security architecture for Kubernetes workloads. Download it free from the CNCF website.
Quick Security Headlines
- RBAC Least Privilege — Kubernetes contributor post on why 90% of RBAC configurations are over-permissioned and simple patterns to fix it
- etcd Backup Security — reminder that etcd backups contain all Secrets in plaintext if etcd encryption is not enabled; store backups encrypted
- cert-manager 1.11 — added support for ACME HTTP-01 challenges via Gateway API, simplifying certificate automation for Gateway-based ingress
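On the etcd backup point: the control-plane side of the fix is an EncryptionConfiguration for the kube-apiserver. The fragment below is an added example, not from the page; the key value is a placeholder. Provider order matters: the first provider is used for writes and every listed provider is tried for reads, so listing `identity` first is the weak setting (new Secrets keep landing in etcd as plaintext), while listing it last keeps old plaintext objects readable until they are rewritten.

```yaml
# Added example: encrypt Secrets at rest in etcd.
# Pass to the API server with:
#   --encryption-provider-config=/etc/kubernetes/encryption-config.yaml
# Keep this file readable only by the API server; it holds the key.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # First provider encrypts new writes (XSalsa20-Poly1305, 32-byte key).
      - secretbox:
          keys:
            - name: key1
              # PLACEHOLDER: 32 random bytes, base64-encoded, e.g.
              #   head -c 32 /dev/urandom | base64
              secret: <BASE64_32_BYTE_KEY>
      # identity last: existing plaintext Secrets stay readable until rewritten.
      # Putting identity FIRST would silently leave new Secrets unencrypted.
      - identity: {}
```

After restarting the API server, existing Secrets are still stored in plaintext; rewrite them in place so they are re-encrypted: `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`. Only then does an etcd snapshot stop carrying every Secret in the clear, and the snapshot should still be stored encrypted, because the backup also contains everything else in the cluster.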
Subscribe to Cloud Drops for weekly Kubernetes ecosystem news. THNKBIG's engineering team curates the developments that matter for organizations building and operating cloud native platforms at enterprise scale.
Cloud Drops 004: Cloud‑Native Security Consolidates
Cloud Drops Episode 004 centers on cloud‑native security at a time when the market is shifting from scattered point tools to integrated security platforms.
Big Stories
Backstage joins CNCF Incubation
Spotify’s internal developer portal, Backstage, is now a CNCF incubating project. It unifies tooling, services, apps, data, and docs into a single developer UI. Over 100 public adopters include American Airlines, Netflix, Expedia Group, Peloton, and Wayfair. For Kubernetes platform teams, Backstage:
- Reduces developer onboarding friction
- Provides a service catalog so engineers can find and own their services
NSA/CISA Kubernetes Hardening Guide updated
The refreshed guidance is now the essential reference for regulated or government‑adjacent Kubernetes environments. It covers:
- Pod security standards
- Network policy enforcement
- Audit logging
- Secrets management
The recommendations align closely with real‑world production hardening best practices.
Falco CNCF Graduation
Falco, the eBPF‑powered cloud‑native runtime security project, has graduated within the CNCF. Graduation signals:
- Maturity and production readiness
- Strong, vendor‑neutral community backing
For teams evaluating runtime threat detection, Falco is now validated as the open‑source standard for Kubernetes behavioral monitoring.
KubeCon + CloudNativeCon Europe 2022 schedule announced
The Europe 2022 program is heavily security‑focused, with content on:
- Service mesh hardening
- Zero‑trust networking
- Supply chain integrity
- Multi‑cluster policy management
Key Takeaways
- Security dominated Cloud Drops 004: consolidation of cloud‑native security tooling, the rise of integrated platforms, and Falco’s CNCF Graduation.
- The security tooling market is consolidating. Platforms that combine vulnerability scanning, runtime detection, and policy enforcement are outpacing single‑function tools.
- Falco’s Graduation confirms that Kubernetes runtime security now has a stable, vendor‑neutral open‑source foundation enterprises can confidently build on.
The Platform Shift in Kubernetes Security
Organizations that once ran separate tools for:
- Image and configuration scanning
- Runtime threat detection
- Network security
- Compliance reporting
are moving toward unified platforms (e.g., Sysdig, Lacework, Wiz) that correlate findings across the stack. The main driver is operational fatigue: maintaining five different tools and alert streams is no longer sustainable.
Falco’s Graduation, highlighted in this episode, underpins this shift by providing:
- A mature rule language
- A broad community rule library covering common Kubernetes attack patterns
- A rich integration ecosystem (SIEM connectors, alerting pipelines, automated response frameworks)
Falco can be deployed standalone or embedded as the detection engine inside commercial platforms.
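To make the rule language concrete, and to show the syscall-to-API-audit correlation the Falco 0.34 item earlier in this episode describes, here is an added example that is not from the Falco project's own rules files. Paths, rule names and the list contents are constructed; the second rule assumes the k8saudit plugin is loaded and that audit events are routed to its `k8s_audit` source. The `k8s.*` fields in the first rule's output identify the pod and namespace, which is the join key against the `ka.*` fields of the second.

```yaml
# Added example (not the Falco project's bundled rules): a list, a macro and two rules.

# Lists and macros are the reuse mechanism of the rule language.
- list: credential_files
  items: [/etc/shadow, /etc/sudoers, /var/run/secrets/kubernetes.io/serviceaccount/token]

- macro: open_read
  condition: (evt.type in (open, openat, openat2) and evt.is_open_read=true and fd.typechar='f' and fd.num>=0)

# Syscall side: a process inside a container opens a credential file for reading.
# k8s.ns.name and k8s.pod.name in the output let this alert be joined to audit events.
- rule: Credential file read in container
  desc: A process inside a container opened a credential file for reading
  condition: >
    open_read and container and fd.name in (credential_files)
  output: >
    Credential file read in container (user=%user.name proc=%proc.cmdline file=%fd.name
    container=%container.name image=%container.image.repository
    k8s_ns=%k8s.ns.name k8s_pod=%k8s.pod.name)
  priority: WARNING
  tags: [container, filesystem, mitre_credential_access]

# Audit side (k8saudit plugin): which user or service account created or changed a pod.
- macro: audit_complete
  condition: (jevt.value[/stage] = "ResponseComplete")

- rule: Pod created or modified via API
  desc: A user or service account created, patched, or updated a pod through the API server
  condition: >
    audit_complete and ka.target.resource=pods and ka.verb in (create, patch, update)
    and ka.response.code startswith 2
  output: >
    Pod changed via API (user=%ka.user.name verb=%ka.verb ns=%ka.target.namespace
    pod=%ka.target.name)
  priority: NOTICE
  source: k8s_audit
  tags: [k8s]
```

In a SIEM, the two alerts correlate on namespace and pod name within a short time window: the audit rule tells you who changed the pod and the syscall rule tells you what the resulting workload did, which is exactly the question the compliance use case asks. Tune the first rule by adding trusted readers to an exclusion list in the condition rather than loosening the file list.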
How THNKBIG Helps
THNKBIG’s cybersecurity practice integrates both open‑source and commercial tools into unified Kubernetes security architectures for enterprises across Texas and California.
Talk to our security team to design an integrated, zero‑trust‑aligned security stack around Kubernetes and cloud‑native workloads.
Expert infrastructure engineers at THNKBIG, specializing in Kubernetes, cloud platforms, and AI/ML operations.