
K8s Network Policies

Zero Trust Pod-to-Pod Security

Kubernetes Network Policies, Cilium, Calico, Ingress/Egress, DNS Policies. Cluster segmentation.

Tags: Zero Trust · Cilium · Calico · eBPF

Default-Deny: Zero Trust Foundation

By default, every pod in a Kubernetes cluster can communicate with every other pod; nothing restricts traffic between workloads. That is a security risk. Zero Trust means: deny by default, allow explicitly.

Global Default-Deny Policy

# default-deny-all.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}  # All pods
  policyTypes:
  - Ingress
  - Egress
  # No ingress/egress rules = deny everything

⚠️ Important: order of deployment

Do NOT deploy the default-deny policy before the explicit allow policies exist! Otherwise everything goes offline.

Application-Specific Policies

Frontend → Backend → Database

# frontend-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: frontend-policy
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: frontend
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: ingress-nginx
    ports:
    - protocol: TCP
      port: 3000
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: backend
    ports:
    - protocol: TCP
      port: 8080
  - to:  # DNS
    - namespaceSelector: {}
    ports:
    - protocol: UDP
      port: 53
---
# backend-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-policy
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: database
    ports:
    - protocol: TCP
      port: 5432
  - to:  # DNS: without this rule the backend cannot resolve the database service name
    - namespaceSelector: {}
    ports:
    - protocol: UDP
      port: 53
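As an added example (not code from the page), a small Python checker for the two pitfalls above: the default-deny policy applied before the allow policies exist, and an Egress policy that forgets the DNS rule. The policies are constructed inline as dicts in the shape `kubectl get netpol -o json` returns; the `worker` workload and its policy are hypothetical.

```python
# Added example, not from the page: static check of NetworkPolicy egress
# semantics. Policies are constructed inline as dicts (spec only, same shape as
# `kubectl get netpol -o json`), so no YAML library is needed.

def selects(selector, labels):
    """matchLabels-only pod selector; the empty selector {} matches every pod."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def egress_port_allowed(policies, pod_labels, proto, port):
    """K8s semantics: a pod is egress-isolated once ANY selecting policy lists
    Egress in policyTypes; it may then send only what SOME rule of SOME selecting
    policy allows (rules add up, never subtract). Destination peers are ignored."""
    isolated = False
    for pol in policies:
        spec = pol["spec"]
        if not (selects(spec.get("podSelector", {}), pod_labels)
                and "Egress" in spec.get("policyTypes", [])):
            continue
        isolated = True
        for rule in spec.get("egress", []):
            ports = rule.get("ports")
            if ports is None:                  # a rule without 'ports' opens all ports
                return True
            if any(p.get("protocol", "TCP") == proto and p.get("port") == port
                   for p in ports):
                return True
    return not isolated                        # never isolated = may talk anywhere

def dns_report(policies, workloads):
    """{workload: can it reach UDP/53?}; False means no name resolution at all."""
    return {n: egress_port_allowed(policies, lbl, "UDP", 53) for n, lbl in workloads.items()}

# Constructed sample policies mirroring the page's pattern (not copied from it).
DEFAULT_DENY = {"spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
FRONTEND = {"spec": {"podSelector": {"matchLabels": {"app": "frontend"}},
    "policyTypes": ["Ingress", "Egress"],
    "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "backend"}}}],
                "ports": [{"protocol": "TCP", "port": 8080}]},
               {"to": [{"namespaceSelector": {}}],            # the DNS rule
                "ports": [{"protocol": "UDP", "port": 53}]}]}}
WORKER = {"spec": {"podSelector": {"matchLabels": {"app": "worker"}},  # hypothetical, DNS forgotten
    "policyTypes": ["Egress"],
    "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "database"}}}],
                "ports": [{"protocol": "TCP", "port": 5432}]}]}}
WORKLOADS = {"frontend": {"app": "frontend"}, "worker": {"app": "worker"}}

if __name__ == "__main__":
    print("default-deny only  :", dns_report([DEFAULT_DENY], WORKLOADS))
    print("with allow policies:", dns_report([DEFAULT_DENY, FRONTEND, WORKER], WORKLOADS))
```

With only the default-deny policy applied, every workload loses DNS; once the allow policies are added, only the workload whose policy forgot the DNS rule stays cut off.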

Egress Control: Outbound Traffic

Restrict External Access

# egress-allow-specific.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: egress-external-api
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: payment-service
  policyTypes:
  - Egress
  egress:
  # Allow Stripe API only
  - to:
    - ipBlock:
        cidr: 54.187.216.0/21  # Stripe IP range
    ports:
    - protocol: TCP
      port: 443

  # Allow DNS
  - to:
    - namespaceSelector: {}
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53

  # Allow internal cluster
  - to:
    - podSelector: {}
    - namespaceSelector: {}

---
# Cilium: DNS-based policy (more flexible)
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: egress-dns-based
spec:
  endpointSelector:
    matchLabels:
      app: api-service
  egress:
  # toFQDNs only works if Cilium's DNS proxy sees the lookups: allow DNS to
  # kube-dns with an L7 DNS rule, otherwise the FQDN rule never learns any IPs
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": kube-system
        "k8s:k8s-app": kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
  - toFQDNs:
    - matchName: "api.stripe.com"
    - matchName: "api.github.com"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP

Cilium: Advanced Policies

Layer 7 HTTP Policy

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: l7-http-restrict
spec:
  endpointSelector:
    matchLabels:
      app: frontend
  ingress:
  - fromEndpoints:
    - matchLabels:
        io.kubernetes.pod.namespace: ingress-nginx
    toPorts:
    - ports:
      - port: "3000"
        protocol: TCP
      rules:
        http:
        - method: GET        # method and path are regular expressions
          path: "/api/.*"
        - method: POST
          path: "/api/users"
          headers:           # Cilium header matches are "Name: value" strings
          - "Content-Type: application/json"
        - method: "^GET$"
          path: "/health"
  egress:
  - toEndpoints:
    - matchLabels:
        app: backend
    toPorts:
    - ports:
      - port: "8080"
        protocol: TCP
      rules:
        http:
        - method: GET
          path: "/internal/.*"
          headers:           # name only: the header must be present, any value
          - "X-Internal-Auth"

Mutual Authentication (mTLS)

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: mtls-enforcement
spec:
  endpointSelector:
    matchLabels:
      app: secure-service
  ingress:
  - fromEndpoints:
    - matchLabels:
        trusted-client: "true"
    authentication:
      mode: "required"  # mutual authentication is set per rule, not as a spec-level flag
    toPorts:
    - ports:
      - port: "8443"
        protocol: TCP

Policy Troubleshooting

Debug Commands

# Check that the policy is applied
kubectl describe netpol -n production frontend-policy

# Cilium: check policy enforcement (agent CLI, run inside a cilium-agent pod;
# the command is called cilium-dbg in recent releases)
kubectl -n kube-system exec <cilium-pod> -- cilium policy get
kubectl -n kube-system exec <cilium-pod> -- cilium endpoint list

# Test connectivity from a throwaway pod in the same namespace, labelled so that
# the frontend policy (and the backend's ingress rule) applies to it
kubectl run test -n production --labels app=frontend --rm -it --image=nicolaka/netshoot -- /bin/bash
nc -zv backend 8080

# Policy audit mode (log verdicts, don't block) for one endpoint, via the agent
# on the node that hosts it; <endpoint-id> comes from 'cilium endpoint list'
kubectl -n kube-system exec <cilium-pod> -- cilium endpoint config <endpoint-id> PolicyAuditMode=Enabled
kubectl -n kube-system exec <cilium-pod> -- cilium monitor --type policy-verdict
# Cluster-wide: set policy-audit-mode: "true" in the cilium-config ConfigMap and restart the agents
