Stop the Lateral Movement: Zero Trust Security in Kubernetes
By default, Kubernetes is an "open house": any Pod can talk to any other Pod, even across different namespaces, because no NetworkPolicy selects them. If an attacker compromises your frontend web server, they can move laterally to your database and steal your data.
In this guide, we’ll implement a Default Deny strategy, ensuring that only authorized traffic can move through your cluster.
1. The Concept: "Default Deny"
Think of your cluster like a hotel. In a default setup, every guest has a master key to every room. In a Zero Trust setup, every door is locked by default, and you only get a key to the specific room you need.
2. Step 1: Lock Everything Down
We start by creating a policy that drops all ingress (incoming) and egress (outgoing) traffic for every Pod in a specific namespace. This is your security baseline.
3. Step 2: Open "Micro-Segments"
Now that everything is locked, we selectively open "holes" in the firewall. For example, let's allow the API Gateway to talk to the Order Service.
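The two steps above as one set of manifests, written here as an added example rather than the guide's own code. The namespace `shop`, the labels `app=api-gateway` and `app=order-service`, and port 8080 are assumptions for illustration. It goes slightly beyond the text in one respect: because the baseline also denies egress, the gateway gets an explicit egress rule, including DNS to kube-dns (the `k8s-app=kube-dns` and `kubernetes.io/metadata.name` labels are what standard clusters set, but check yours), otherwise its lookups of the Order Service fail before any connection is attempted.

```yaml
# Step 1: default deny. An empty podSelector matches every Pod in the namespace;
# listing both policyTypes with no rules means nothing is allowed in or out.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop                 # assumed namespace
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Step 2a: ingress side of the micro-segment. Only Pods labelled app=api-gateway
# may reach the Order Service, and only on its HTTP port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-gateway-to-orders
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: order-service          # assumed label
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: api-gateway    # assumed label
      ports:
        - protocol: TCP
          port: 8080              # assumed port
---
# Step 2b: egress side. The gateway may open connections to the Order Service
# and to cluster DNS; everything else stays denied by the baseline.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-gateway-egress
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: api-gateway
  policyTypes:
    - Egress
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: order-service
      ports:
        - protocol: TCP
          port: 8080
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns   # label used by kube-dns/CoreDNS in standard clusters
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Apply the file with `kubectl apply -f` and verify both directions: a request from a Pod carrying `app=api-gateway` should succeed, while the same request from any other Pod in the namespace should time out. Two things to keep in mind when reading the result. Policies are additive: once any policy selects a Pod for a direction, that direction is deny-by-default and the union of all matching allow rules applies, so the three objects above compose without ordering. And NetworkPolicy objects are only enforced by a CNI plugin that implements them (Calico, Cilium and Antrea do; a cluster whose CNI does not will accept the manifests and silently allow all traffic), so the timeout test is the real confirmation, not a successful `kubectl apply`.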
