Kubernetes Security and Compliance in the Financial Sector

April 8, 2022
Sergio Rua

Kubernetes is inherently insecure. That’s a fact. Before we started using cloud computing, we used to spend a lot of time designing and planning before we put new servers into the network:

  • Create a subnet
  • Assign IPs
  • Configure routing
  • Configure firewall rules
  • Use a tiered network

Cloud computing changed the rules of the game: many companies stopped using tiered networks and preferred flat networks secured by Security Groups instead.

But then we had Kubernetes. Whilst most people are still securing access to Kubernetes Workers and Control Planes, they don’t realise that the most granular component is no longer the VM or bare-metal server but the container.

Kubernetes Network

Kubernetes uses two different networks: the pod network and the services network. Both are usually very large networks (often a /16, giving you 65,536 IPs), and traffic between pods is not controlled; it’s fully open.

It means that everyone can talk to everyone, no questions asked. Is this secure? No. The network is no longer segmented. If you are unlucky enough to have your public-facing components compromised (a hacked website, for example), everything else in your Kubernetes cluster has fallen as well.

Network Policies

Kubernetes provides some basic ways of securing access by using network policies. This may be enough for small unregulated businesses, but it is not for highly regulated ones such as those in the Financial Sector.

Security is not just about controlling access between pods; it is also about reporting, auditing and compliance.

This is why we have partnered with Tigera and we recommend Calico to our customers. The webinar below shows in a bit more detail why and there is a nice demo towards the end. I hope you enjoy it.
