Kubernetes Security: Missing Network Segmentation Controls

Gupta Bless
6 min read · Oct 30, 2022

Introduction

Kubernetes has many layers of communication, and securing every one of them is difficult. One challenge is building an isolated environment in which clusters, pods, and namespaces can still communicate with one another. This is achievable with a correctly implemented Kubernetes network; however, because Kubernetes uses a flat network topology, resources do not have to be mapped onto network segments, communication between distributed components is faster, and machines can be shared among applications. Let’s look at that in more detail.

What is Kubernetes Networking?


Kubernetes uses networking so that its components can communicate with one another. Kubernetes networking is built on a flat network topology, meaning that instead of needing many switches, users can get by with a single one. This helps to minimise the cost of implementing and maintaining the system. A flat network structure is therefore beneficial because it lowers costs; from a security standpoint, however, it is not always beneficial, because any workload is free to communicate with any other workload and no additional rules are in place to restrict that communication.

In traditional networks, for instance, organisations use a firewall to ensure that only clients with a particular IP address and port can reach a particular resource. In a dynamic environment, however, assigning static IP addresses to pods is very difficult: pods are frequently removed or rescheduled, so any rule that relies on a static pod IP address will not hold.

Therefore, if an attacker gains access to any one workload, they can use the other workloads on the same infrastructure and invoke private APIs from there, even though they compromised only a single workload. Consider the scenario of a cluster in which more than one pod of the WordPress application is running…
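One way to restore the segmentation that the flat network lacks is a Kubernetes NetworkPolicy. The following is an added example, not taken from the article: it assumes a namespace `shop` containing WordPress pods labelled `app: wordpress` and a MySQL pod labelled `app: mysql` (all constructed names), denies all ingress by default, and then re-opens only the database port to the WordPress pods.

```yaml
# Constructed example: namespace "shop" holds WordPress pods (app: wordpress)
# and a MySQL pod (app: mysql). Names and labels are assumptions.
#
# 1. Default-deny: selects every pod in the namespace and lists no ingress
#    rules, so all inbound traffic is dropped unless another policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# 2. Only the WordPress pods may reach MySQL, and only on TCP/3306. A
#    compromised pod elsewhere in the cluster can no longer reach the DB port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mysql-allow-wordpress
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: mysql
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: wordpress
      ports:
        - protocol: TCP
          port: 3306
```

NetworkPolicy objects are accepted by the API server regardless of the network plugin, but they are only enforced when the cluster's CNI plugin supports them (Calico and Cilium do; the basic kubenet plugin does not), so verify enforcement by attempting a connection from a non-WordPress pod after applying the policies.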
