Hardening Kubernetes Deployments

Posted on Sat 19 April 2025 in Kubernetes Security • Tagged with kubernetes, hardening, pod-security-standards

Hardening Kubernetes workloads goes beyond RBAC tweaks and image scans. This post shares field-tested pod-level guardrails aligned with the Pod Security Standards Restricted profile: running containers as non-root, dropping all Linux capabilities, mounting the root filesystem read-only, applying default-deny NetworkPolicies, and hardening ServiceAccounts (including not automounting API tokens into pods that do not need them).



Taming the OOM Killer: Process Prioritization for Memory-Constrained Linux Systems

Posted on Fri 18 April 2025 in DevSecOps • Tagged with linux, oomkiller, memory, system-administration, devsecops, process-management, hardening

In memory-constrained environments, the Linux OOM Killer decides what lives and what gets killed. This guide shows how to protect critical processes such as sshd and mysqld with oom_score_adj (a per-process value from -1000 to 1000, where lower means less likely to be killed and -1000 disables OOM killing entirely), and includes a script that applies those values reliably and securely. The goal is to make memory pressure predictable and survivable.
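As an added example (not the script from the post itself), the following POSIX sh script applies oom_score_adj values in the spirit described above: it validates each value against the kernel's allowed range, finds processes by the name recorded in /proc/&lt;pid&gt;/comm, and writes the adjustment. The PROC_ROOT override (used so the logic can be exercised against a fake /proc tree), the POLICY table, and the choice of sshd and mysqld as protected daemons are this example's own assumptions.

```shell
#!/bin/sh
# Apply oom_score_adj values to named daemons. Added example, not the post's own script.
# Lowering a process's oom_score_adj below its current value requires CAP_SYS_RESOURCE,
# so run this as root (or with that capability) on a real system.
set -eu

# Assumption: PROC_ROOT can be pointed at a fake /proc tree for testing.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Policy table (assumed values): name:oom_score_adj. Negative protects, positive sacrifices first.
POLICY="sshd:-900 mysqld:-800"

# valid_adj VALUE: succeed only if VALUE is an integer in the kernel's range [-1000, 1000].
valid_adj() {
  case "$1" in
    ''|-|*[!0-9-]*|?*-*) return 1 ;;   # empty, lone '-', non-digits, or '-' not leading
  esac
  [ "$1" -ge -1000 ] && [ "$1" -le 1000 ]
}

# pids_of NAME: print the pid of every process whose /proc/<pid>/comm equals NAME.
# Note: comm is truncated by the kernel to 15 characters.
pids_of() {
  name="$1"
  for d in "$PROC_ROOT"/[0-9]*; do
    [ -r "$d/comm" ] || continue
    if [ "$(cat "$d/comm")" = "$name" ]; then
      printf '%s\n' "${d##*/}"
    fi
  done
}

# get_adj PID: print the current oom_score_adj of PID.
get_adj() {
  cat "$PROC_ROOT/$1/oom_score_adj"
}

# set_adj NAME ADJ: write ADJ to every matching process; succeed if at least one was updated.
set_adj() {
  name="$1"; adj="$2"
  valid_adj "$adj" || { echo "invalid oom_score_adj for $name: $adj" >&2; return 2; }
  found=0
  for pid in $(pids_of "$name"); do
    f="$PROC_ROOT/$pid/oom_score_adj"
    printf '%s\n' "$adj" > "$f" || { echo "failed to write $f" >&2; continue; }
    found=1
  done
  [ "$found" -eq 1 ]
}

# apply_policy: apply every name:adj pair in POLICY; return 1 if any entry could not be applied.
apply_policy() {
  rc=0
  for entry in $POLICY; do
    name="${entry%%:*}"; adj="${entry#*:}"
    set_adj "$name" "$adj" || { echo "could not apply $adj to $name" >&2; rc=1; }
  done
  return "$rc"
}

# Only touch the live /proc when explicitly asked: ./oom_policy.sh --apply
case "${1:-}" in
  --apply) apply_policy ;;
esac
```

Because oom_score_adj is not inherited across a daemon restart in any persistent way, run the script from a systemd unit or a cron job after service start (or set OOMScoreAdjust= in the unit itself, which achieves the same effect declaratively).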

