Network Security Monitoring

Network monitoring in Kubernetes provides visibility into pod-to-pod communication, connections that enter or leave the cluster, and the lateral movement that follows a pod compromise. What you can see depends on the CNI plugin: some export flow logs natively (Cilium through Hubble, for example), while others need a separate collector or a sidecar. eBPF-based solutions observe traffic at kernel hooks, so they capture flows without inserting a proxy into the packet path or changing the application.

Service mesh integration adds application-layer visibility on top of network-layer monitoring. Istio, Linkerd, and other meshes report per-request metrics (request rate, error rate, latency) from their proxies, and this L7 view exposes attacks, such as abusive API calls or requests to unexpected paths, that look like ordinary TCP traffic at L3/L4. The cost is architectural: every workload gains a proxy that must be deployed, upgraded, and secured, and that proxy becomes part of the attack surface. Where only HTTP visibility is needed, a CNI with L7 policy support can provide it without a full mesh, as the Cilium policy below does.

# Cilium Network Policy with L7 (HTTP) rules. Traffic matched by an L7 rule is
# routed through Cilium's Envoy proxy, and that is what gives Hubble
# per-request HTTP visibility (method, path, status) for it; the policy spec
# has no separate "enable visibility" field.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: production-monitoring
  namespace: production
spec:
  endpointSelector:
    matchLabels:
      environment: production
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: frontend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: "GET"
          path: "/api/.*"   # extended regex, matched against the whole path
          # 'headers' entries are exact "Name: value" matches, not regexes.
          # A bare name only requires the header to be present; validate the
          # token value in the application (or via headerMatches + a Secret).
          headers:
          - "X-Auth-Token"
  egress:
  - toEndpoints:
    - matchLabels:
        app: database
    toPorts:
    - ports:
      - port: "5432"
        protocol: TCP
  # toFQDNs only works when Cilium's DNS proxy sees the lookups, so DNS to
  # kube-dns must be allowed with an L7 DNS rule. This is also what feeds
  # Hubble's dns metrics and DNS flows for these pods.
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": kube-system
        "k8s:k8s-app": kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  - toFQDNs:
    - matchPattern: "*.company.com"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP

# Hubble observability settings. Hubble is configured through the cilium Helm
# chart (or the matching keys in the cilium-config ConfigMap), not through a
# standalone ConfigMap; this is a values.yaml fragment for that chart.
hubble:
  enabled: true
  metrics:
    # Metric names may carry options. httpV2 supersedes the older http
    # metric; here it also adds source/destination context labels.
    enabled:
    - dns
    - drop
    - tcp
    - flow
    - port-distribution
    - icmp
    - "httpV2:exemplars=true;labelsContext=source_ip,source_namespace,source_workload,destination_ip,destination_namespace,destination_workload,traffic_direction"
    enableOpenMetrics: true
    serviceMonitor:
      enabled: true        # scraped by the Prometheus Operator
  # Static flow export: newline-delimited JSON on each node, for shipping to
  # a SIEM. Keeping only dropped/errored flows bounds the volume.
  export:
    static:
      enabled: true
      filePath: /var/run/cilium/hubble/events.log
      fieldMask:
      - time
      - verdict
      - drop_reason_desc
      - IP
      - l4
      - source.namespace
      - source.pod_name
      - destination.namespace
      - destination.pod_name
      allowList:
      - '{"verdict":["DROPPED","ERROR"]}'
  relay:
    enabled: true
  ui:
    enabled: true
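As an added example (not code from the page or from the Cilium project), here is a small scanner over Hubble flow records, the newline-delimited JSON that "hubble observe -o json" emits. It pulls out the two things an investigator wants first from flow logs: policy drops per source pod, and sources that fan out to many distinct destinations, the cheapest lateral-movement heuristic. The sample records are constructed and reduced to the fields the script reads; the fan-out threshold is an assumption to tune per cluster.

```python
"""Scan Hubble flow records for policy drops and lateral-movement fan-out.

Input: newline-delimited JSON as written by `hubble observe -o json`, one
flow per line. Added example, not part of the Cilium project; the sample
below is constructed and keeps only the fields this script reads.
"""
import json
from collections import defaultdict

# Constructed sample. Lines 2 and 7 report the same connection twice, as
# Hubble does when both endpoints of a connection are observed.
SAMPLE_FLOWS = """\
{"flow":{"verdict":"FORWARDED","IP":{"source":"10.0.1.10","destination":"10.0.2.20"},"l4":{"TCP":{"destination_port":8080}},"source":{"namespace":"production","pod_name":"frontend-7d9f"},"destination":{"namespace":"production","pod_name":"api-5c4b"}},"time":"2024-05-01T10:00:00Z"}
{"flow":{"verdict":"FORWARDED","IP":{"source":"10.0.2.20","destination":"10.0.3.30"},"l4":{"TCP":{"destination_port":5432}},"source":{"namespace":"production","pod_name":"api-5c4b"},"destination":{"namespace":"production","pod_name":"database-0"}},"time":"2024-05-01T10:00:01Z"}
{"flow":{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","IP":{"source":"10.0.1.10","destination":"10.0.2.20"},"l4":{"TCP":{"destination_port":22}},"source":{"namespace":"production","pod_name":"frontend-7d9f"},"destination":{"namespace":"production","pod_name":"api-5c4b"}},"time":"2024-05-01T10:00:05Z"}
{"flow":{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","IP":{"source":"10.0.1.10","destination":"10.0.3.30"},"l4":{"TCP":{"destination_port":5432}},"source":{"namespace":"production","pod_name":"frontend-7d9f"},"destination":{"namespace":"production","pod_name":"database-0"}},"time":"2024-05-01T10:00:06Z"}
{"flow":{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","IP":{"source":"10.0.1.10","destination":"10.0.4.40"},"l4":{"TCP":{"destination_port":9090}},"source":{"namespace":"production","pod_name":"frontend-7d9f"},"destination":{"namespace":"monitoring","pod_name":"prometheus-0"}},"time":"2024-05-01T10:00:07Z"}
{"flow":{"verdict":"DROPPED","drop_reason_desc":"POLICY_DENIED","IP":{"source":"10.0.1.10","destination":"10.0.5.50"},"l4":{"TCP":{"destination_port":6379}},"source":{"namespace":"production","pod_name":"frontend-7d9f"},"destination":{"namespace":"production","pod_name":"cache-0"}},"time":"2024-05-01T10:00:08Z"}
{"flow":{"verdict":"FORWARDED","IP":{"source":"10.0.2.20","destination":"10.0.3.30"},"l4":{"TCP":{"destination_port":5432}},"source":{"namespace":"production","pod_name":"api-5c4b"},"destination":{"namespace":"production","pod_name":"database-0"}},"time":"2024-05-01T10:00:09Z"}
"""


def endpoint_name(ep, ip):
    """'namespace/pod' for a Kubernetes endpoint; bare IP for traffic that
    enters or leaves the cluster and therefore carries no pod identity."""
    if ep and ep.get("pod_name"):
        return f"{ep.get('namespace', '?')}/{ep['pod_name']}"
    return ip


def parse_flows(text):
    """Return a set of (src, dst, 'port/proto', verdict, drop_reason) tuples.
    A set collapses the duplicate reports of one connection."""
    events = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        flow = rec.get("flow", rec)  # tolerate records without the wrapper
        proto, l4 = next(iter(flow.get("l4", {}).items()), ("?", {}))
        port = l4.get("destination_port", 0)  # ICMP records carry no port
        src = endpoint_name(flow.get("source"), flow["IP"]["source"])
        dst = endpoint_name(flow.get("destination"), flow["IP"]["destination"])
        events.add((src, dst, f"{port}/{proto}",
                    flow.get("verdict", "UNKNOWN"),
                    flow.get("drop_reason_desc", "")))
    return events


def policy_drops(events):
    """Denied attempts grouped by source pod: [(dst, port, reason), ...]."""
    drops = defaultdict(list)
    for src, dst, port, verdict, reason in sorted(events):
        if verdict == "DROPPED":
            drops[src].append((dst, port, reason))
    return dict(drops)


def fan_out(events, threshold=3):
    """Sources that touched at least `threshold` distinct destinations.
    Denied attempts count: a scan is a scan whether or not it landed.
    The threshold is a per-cluster assumption, not a Hubble default."""
    dests = defaultdict(set)
    for src, dst, _port, _verdict, _reason in events:
        dests[src].add(dst)
    return {src: sorted(d) for src, d in dests.items() if len(d) >= threshold}


def report(text, threshold=3):
    events = parse_flows(text)
    return {"drops": policy_drops(events),
            "fan_out": fan_out(events, threshold)}


if __name__ == "__main__":
    result = report(SAMPLE_FLOWS)
    for src, attempts in result["drops"].items():
        print(f"[DROP] {src}")
        for dst, port, reason in attempts:
            print(f"    -> {dst} {port} ({reason})")
    for src, dests in result["fan_out"].items():
        print(f"[FAN-OUT] {src} reached {len(dests)} destinations: "
              f"{', '.join(dests)}")
```

On the sample, the frontend pod is the only source with drops (four of them, including one into the monitoring namespace) and the only one whose fan-out crosses the threshold; the api pod's repeated database connection collapses to a single event. Feeding the real exporter file into report() works the same way, since the exporter writes one flow per line.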

DNS monitoring reveals command-and-control traffic, data exfiltration, and service dependencies. Malware frequently uses DNS as a covert channel because outbound port 53 is almost always allowed, which makes query logging essential. The CoreDNS log plugin records every query together with its response code, and Cilium's DNS-aware egress rules route lookups through its DNS proxy, which feeds the same data into Hubble's dns metrics and flows. Analyzing the query stream for long, high-entropy subdomains under a single domain, bursts of NXDOMAIN answers to one client, or unusual record types (TXT, NULL) surfaces DNS tunneling and domain generation algorithms.
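Worked example, added here and not taken from the page or from CoreDNS: the two query-pattern checks the paragraph describes, run over constructed lines in the default format of the CoreDNS log plugin. DNS tunneling shows up as one registrable domain receiving many distinct, long subdomain labels (often as TXT or NULL queries); a domain generation algorithm shows up as one client collecting NXDOMAIN answers for high-entropy names. The thresholds and the "last two labels" approximation of the registrable domain are assumptions; production code should use the public suffix list and treat the cluster's own suffix separately.

```python
"""Detect DNS tunneling and DGA-style lookups in CoreDNS query logs.

Added example, not part of CoreDNS or of the page. The log lines are
constructed in the default format of the CoreDNS `log` plugin:
  [INFO] client:port - id "TYPE CLASS name. proto size do bufsize" RCODE flags rsize duration
Thresholds are assumptions to tune against a baseline of normal traffic.
"""
import math
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'\[INFO\] (?P<client>\S+):\d+ - \d+ '
    r'"(?P<qtype>\S+) (?P<qclass>\S+) (?P<qname>\S+) \S+ \d+ \S+ \d+"? '
    r'(?P<rcode>\S+)'
)

# Constructed sample: an exfiltration channel under example.net, ordinary
# cluster-internal lookups, and a client cycling through generated names.
SAMPLE_LOG = """\
[INFO] 10.244.1.15:41234 - 5123 "TXT IN 3a8f9c2e1b7d4f6a9c0e2b5d7f1a3c5e.exfil.example.net. udp 90 false 512" NOERROR qr,rd,ra 120 0.0023s
[INFO] 10.244.1.15:41235 - 5124 "TXT IN 7b1d4e9a2c6f0b3e8d5a1c7f4b2e9d6a.exfil.example.net. udp 90 false 512" NOERROR qr,rd,ra 120 0.0021s
[INFO] 10.244.1.15:41236 - 5125 "TXT IN c4e2a9f7b1d5e8c3a6f0b2d9e4c7a1f5.exfil.example.net. udp 90 false 512" NOERROR qr,rd,ra 120 0.0025s
[INFO] 10.244.1.15:41237 - 5126 "TXT IN e9b3d7a1c5f2e8b4d0a6c9f3e1b7d5a2.exfil.example.net. udp 90 false 512" NOERROR qr,rd,ra 120 0.0022s
[INFO] 10.244.1.15:41238 - 5127 "TXT IN 1f5c9e3b7a2d6f0c4e8b1a5d9f3c7e2b.exfil.example.net. udp 90 false 512" NOERROR qr,rd,ra 120 0.0024s
[INFO] 10.244.1.15:41239 - 5128 "TXT IN 5d8a2f6c0e4b9d3a7f1c5e8b2d6a0f4c.exfil.example.net. udp 90 false 512" NOERROR qr,rd,ra 120 0.0020s
[INFO] 10.244.2.7:53010 - 9001 "A IN api.production.svc.cluster.local. udp 50 false 512" NOERROR qr,aa,rd 66 0.0001s
[INFO] 10.244.2.7:53011 - 9002 "A IN database.production.svc.cluster.local. udp 55 false 512" NOERROR qr,aa,rd 71 0.0001s
[INFO] 10.244.2.7:53012 - 9003 "A IN prometheus.monitoring.svc.cluster.local. udp 57 false 512" NOERROR qr,aa,rd 73 0.0001s
[INFO] 10.244.2.7:53013 - 9004 "A IN github.com. udp 39 false 512" NOERROR qr,rd,ra 55 0.0120s
[INFO] 10.244.3.9:60001 - 7001 "A IN xq7vz9k2p4tb.com. udp 45 false 512" NXDOMAIN qr,rd,ra 45 0.0200s
[INFO] 10.244.3.9:60002 - 7002 "A IN m3hj8wd5yq1z.net. udp 45 false 512" NXDOMAIN qr,rd,ra 45 0.0210s
[INFO] 10.244.3.9:60003 - 7003 "A IN p9c4rt2bk6xn.org. udp 45 false 512" NXDOMAIN qr,rd,ra 45 0.0190s
[INFO] 10.244.3.9:60004 - 7004 "A IN w2e7l5ng8hs3.info. udp 46 false 512" NXDOMAIN qr,rd,ra 46 0.0220s
[INFO] 10.244.3.9:60005 - 7005 "A IN company.com. udp 40 false 512" NOERROR qr,rd,ra 56 0.0100s
"""


def parse_coredns(text):
    """Return one dict per recognised query line (client, qtype, qname, rcode)."""
    queries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            q = m.groupdict()
            q["qname"] = q["qname"].rstrip(".").lower()
            queries.append(q)
    return queries


def shannon_entropy(s):
    """Bits per character; random-looking labels score near log2(len(s))."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """(subdomain, registrable_domain) using the naive 'last two labels' rule.
    Assumption for this example; use the public suffix list in production."""
    labels = qname.split(".")
    if len(labels) < 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def detect_tunneling(queries, min_subdomains=5, min_label_len=20):
    """Domains receiving many distinct subdomains with long leftmost labels:
    the data-carrying shape of a DNS tunnel."""
    subs, qtypes = defaultdict(set), defaultdict(set)
    for q in queries:
        sub, dom = split_name(q["qname"])
        if sub:
            subs[dom].add(sub)
            qtypes[dom].add(q["qtype"])
    findings = {}
    for dom, s in subs.items():
        mean_len = sum(len(x.split(".")[0]) for x in s) / len(s)
        if len(s) >= min_subdomains and mean_len >= min_label_len:
            findings[dom] = {"distinct_subdomains": len(s),
                             "mean_label_len": mean_len,
                             "qtypes": sorted(qtypes[dom])}
    return findings


def detect_dga(queries, min_entropy=3.0, min_len=10, min_hits=3):
    """Clients that collect NXDOMAIN answers for several high-entropy names.
    Entropy alone misfires on real words like 'prometheus'; the NXDOMAIN
    condition is what separates a DGA from ordinary resolution."""
    hits = defaultdict(list)
    for q in queries:
        if q["rcode"] != "NXDOMAIN":
            continue
        _sub, dom = split_name(q["qname"])
        label = dom.split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            hits[q["client"]].append(dom)
    return {c: sorted(d) for c, d in hits.items() if len(d) >= min_hits}


if __name__ == "__main__":
    qs = parse_coredns(SAMPLE_LOG)
    for dom, info in detect_tunneling(qs).items():
        print(f"[TUNNEL?] {dom}: {info}")
    for client, names in detect_dga(qs).items():
        print(f"[DGA?] {client}: {len(names)} NXDOMAIN lookups, e.g. {names[0]}")
```

On the sample, example.net is flagged as a tunnel endpoint (six distinct 32-character hex labels, all TXT) and 10.244.3.9 as a DGA client (four NXDOMAIN answers for twelve-character labels of near-maximal entropy), while the cluster-internal lookups and the resolved github.com and company.com queries pass. The same split of "many subdomains under one domain" versus "many failed domains from one client" is how the two behaviours separate in Hubble's DNS flows as well.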