Kubernetes Security 2026
K8s Network Policies
Zero Trust Pod-to-Pod Security
Kubernetes Network Policies, Cilium, Calico, Ingress/Egress, DNS Policies. Cluster segmentation.
Tags: Zero Trust, Cilium, Calico, eBPF
Default-Deny: Zero Trust Foundation
By default, every pod in Kubernetes can talk to every other pod. That is a security risk. Zero Trust means: default-deny, explicit allow.
Global Default-Deny Policy
# default-deny-all.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}  # All pods in the namespace
  policyTypes:
    - Ingress
    - Egress
  # No ingress/egress rules = deny everything
⚠️ Important: Order
Do NOT deploy default-deny before the explicit allow policies exist! Otherwise everything goes offline.
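As an added example (not code from the original page), a small Python check for the ordering warning above: which pods a default-deny would cut off because no allow rule selects them, and which pods stay wide open because no policy selects them at all. The policies and pods inside are constructed from the frontend and backend policies shown further down; only podSelector.matchLabels is evaluated, matchExpressions are assumed absent.

```python
from typing import Dict, List
# Constructed sample: this page's default-deny, frontend and backend policies reduced
# to the fields the check reads, plus a database and a worker pod nothing allows.
POLICIES: List[dict] = [
    {"name": "default-deny-all", "podSelector": {},
     "policyTypes": ["Ingress", "Egress"]},
    {"name": "frontend-policy", "podSelector": {"matchLabels": {"app": "frontend"}},
     "policyTypes": ["Ingress", "Egress"],
     "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"name": "ingress-nginx"}}}]}],
     "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "backend"}}}]}]},
    {"name": "backend-policy", "podSelector": {"matchLabels": {"app": "backend"}},
     "policyTypes": ["Ingress", "Egress"],
     "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}]}],
     "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "database"}}}]}]},
]
PODS: Dict[str, Dict[str, str]] = {
    "frontend-7d9f": {"app": "frontend"}, "backend-5c2a": {"app": "backend"},
    "database-0": {"app": "database"}, "worker-1": {"app": "worker"},
}

def selects(selector: dict, labels: Dict[str, str]) -> bool:
    """matchLabels only (assumption; matchExpressions ignored). {} matches every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def policy_types(policy: dict) -> List[str]:
    """API default when policyTypes is omitted: Ingress always, Egress only with egress rules."""
    if "policyTypes" in policy:
        return policy["policyTypes"]
    return ["Ingress", "Egress"] if "egress" in policy else ["Ingress"]

def coverage(policies: List[dict], pods: Dict[str, Dict[str, str]]) -> dict:
    """Per (pod, direction): the policies isolating it and whether any of them allows traffic."""
    report = {}
    for pod, labels in pods.items():
        for direction in ("Ingress", "Egress"):
            hits = [p for p in policies
                    if direction in policy_types(p) and selects(p["podSelector"], labels)]
            report[(pod, direction)] = {"isolated": bool(hits),
                                        "allows": any(p.get(direction.lower()) for p in hits),
                                        "policies": [p["name"] for p in hits]}
    return report

def unrestricted(policies: List[dict], pods: Dict[str, Dict[str, str]]) -> List[str]:
    """Pods no policy selects in some direction: Kubernetes leaves them wide open there."""
    return sorted({pod for (pod, _), r in coverage(policies, pods).items() if not r["isolated"]})

def cut_off(policies: List[dict], pods: Dict[str, Dict[str, str]]) -> List[str]:
    """Pods isolated in some direction with no allow rule: they go dark once default-deny lands."""
    return sorted({pod for (pod, _), r in coverage(policies, pods).items() if r["isolated"] and not r["allows"]})
```

Run `cut_off(POLICIES, PODS)` before applying default-deny to see which workloads still need an allow policy; `unrestricted(...)` shows the opposite gap once the deny is removed or missing.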
Application-Specific Policies
Frontend → Backend → Database
# frontend-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-policy
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: ingress-nginx
      ports:
        - protocol: TCP
          port: 3000
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: backend
      ports:
        - protocol: TCP
          port: 8080
    - to:  # DNS (kube-dns lives in kube-system, so any namespace must be allowed)
        - namespaceSelector: {}
      ports:
        - protocol: UDP
          port: 53
---
# backend-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-policy
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: database
      ports:
        - protocol: TCP
          port: 5432
Egress Control: Outbound Traffic
Restrict External Access
# egress-allow-specific.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-external-api
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: payment-service
  policyTypes:
    - Egress
  egress:
    # Allow Stripe API only
    - to:
        - ipBlock:
            cidr: 54.187.216.0/21  # Stripe IP range
      ports:
        - protocol: TCP
          port: 443
    # Allow DNS
    - to:
        - namespaceSelector: {}
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Allow internal cluster (no ports listed = all ports)
    - to:
        - podSelector: {}
        - namespaceSelector: {}
---
# Cilium: DNS-based policy (more flexible)
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: egress-dns-based
spec:
  endpointSelector:
    matchLabels:
      app: api-service
  egress:
    # toFQDNs only works when DNS traffic is also allowed through Cilium's DNS
    # proxy (an egress rule to kube-dns with rules.dns), so it can learn the IPs
    - toFQDNs:
        - matchName: "api.stripe.com"
        - matchName: "api.github.com"
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
Cilium: Advanced Policies
Layer 7 HTTP Policy
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: l7-http-restrict
spec:
  endpointSelector:
    matchLabels:
      app: frontend
  ingress:
    - fromEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: ingress-nginx
      toPorts:
        - ports:
            - port: "3000"
              protocol: TCP
          rules:
            http:
              - method: GET
                path: "/api/.*"
              - method: POST
                path: "/api/users"
                # Cilium's headers field takes "Name: value" strings
                headers:
                  - "Content-Type: application/json"
              - method: "^GET$"
                path: "/health"
  egress:
    - toEndpoints:
        - matchLabels:
            app: backend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              - method: GET
                path: "/internal/.*"
                # headerMatches with only a name requires the header to be present
                headerMatches:
                  - name: X-Internal-Auth
TLS Inspection (mTLS)
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: mtls-enforcement
spec:
  endpointSelector:
    matchLabels:
      app: secure-service
  ingress:
    - fromEndpoints:
        - matchLabels:
            trusted-client: "true"
      # Cilium requests mutual authentication per rule, not at spec level
      authentication:
        mode: required
      toPorts:
        - ports:
            - port: "8443"
              protocol: TCP
Policy Troubleshooting
Debug Commands
# Check if policy is applied
kubectl describe netpol -n production frontend-policy
# Cilium: Check policy enforcement
cilium policy get -n production
cilium endpoint list
# Test connectivity from inside the policed namespace; the nc call runs in the netshoot shell
kubectl run test -n production --rm -it --image=nicolaka/netshoot -- /bin/bash
nc -zv backend 8080
# Enable policy audit mode (log only, don't block)
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  annotations:
    io.cilium.policy.audit-mode: "true"
K8s Network Security Assessment
Validate your Kubernetes Network Policies.