Network Security and Segmentation
Network Security and Segmentation
Container orchestration platforms introduce complex networking with overlay networks, service discovery, and load balancing. Default configurations often allow unrestricted communication between all containers. Network policies provide essential segmentation to limit lateral movement after compromise. Both ingress and egress controls should be implemented following zero-trust principles.
Docker Swarm uses encrypted overlay networks for container communication. Encryption must be explicitly enabled for security. Network segmentation in Swarm relies on separate overlay networks for different applications. Service-to-service communication should use mutual TLS. External traffic should enter through controlled ingress points with appropriate security controls.
# Example: Kubernetes NetworkPolicy for microservices security
# Default deny all traffic
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: microservices
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
---
# Frontend service policy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: frontend-policy
namespace: microservices
spec:
podSelector:
matchLabels:
app: frontend
policyTypes:
- Ingress
- Egress
ingress:
# Allow from ingress controller
- from:
- namespaceSelector:
matchLabels:
name: ingress-nginx
- podSelector:
matchLabels:
app: nginx-ingress
ports:
- protocol: TCP
port: 8080
egress:
# Allow to backend API
- to:
- podSelector:
matchLabels:
app: backend-api
ports:
- protocol: TCP
port: 8081
# Allow DNS
- to:
- namespaceSelector:
matchLabels:
name: kube-system
- podSelector:
matchLabels:
k8s-app: kube-dns
ports:
- protocol: UDP
port: 53
---
# Backend API policy with database access
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: backend-api-policy
namespace: microservices
spec:
podSelector:
matchLabels:
app: backend-api
policyTypes:
- Ingress
- Egress
ingress:
# Allow from frontend only
- from:
- podSelector:
matchLabels:
app: frontend
ports:
- protocol: TCP
port: 8081
egress:
# Allow to database
- to:
- podSelector:
matchLabels:
app: postgres
ports:
- protocol: TCP
port: 5432
# Allow to cache
- to:
- podSelector:
matchLabels:
app: redis
ports:
- protocol: TCP
port: 6379
# Allow external API calls to specific endpoints
- to:
- ipBlock:
cidr: 0.0.0.0/0
except:
- 10.0.0.0/8
- 192.168.0.0/16
- 172.16.0.0/12
ports:
- protocol: TCP
port: 443
---
# Service mesh integration for mTLS
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: microservices
spec:
mtls:
mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: backend-api-authz
namespace: microservices
spec:
selector:
matchLabels:
app: backend-api
action: ALLOW
rules:
- from:
- source:
principals: ["cluster.local/ns/microservices/sa/frontend-sa"]
to:
- operation:
methods: ["GET", "POST"]
paths: ["/api/v1/*"]
Service mesh technologies add security features including automatic mTLS, fine-grained authorization, and circuit breaking. However, service meshes increase complexity and resource usage. Organizations should evaluate whether native orchestrator features meet their needs before adding service mesh layers. Gradual service mesh adoption allows teams to learn while maintaining stability.