Network Security Layers

Defense in Depth

No single network control stops every attack. Layer controls so that a failure in one does not compromise the system: host firewalls, Kubernetes network policies, service mesh encryption, API gateway authentication, and DNS security, each operating independently.

Host Firewall: iptables and nftables

Every node should run a host firewall regardless of the orchestrator. Block everything by default:

# iptables: default deny with essential allows
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH from management network only
iptables -A INPUT -p tcp --dport 22 -s 10.0.100.0/24 -j ACCEPT

# Allow kubelet API (for k8s nodes)
iptables -A INPUT -p tcp --dport 10250 -s 10.0.0.0/16 -j ACCEPT

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT

The nftables equivalent is more readable for complex rulesets:
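The nftables translation of the iptables rules above, written as an added example rather than code from the original page. It keeps the page's CIDRs (10.0.100.0/24 for management, 10.0.0.0/16 for nodes); the table name `host_fw` and the helper function names are assumptions.

```shell
# Added example: nftables equivalent of the iptables host firewall above.
# Table name "host_fw" is an assumption; CIDRs are the ones the page uses.

# Print the ruleset in `nft -f` syntax. One inet table holds all three
# chains; "ip saddr" matches IPv4 only, matching the iptables original.
host_fw_ruleset() {
    cat <<'EOF'
table inet host_fw {
    chain input {
        type filter hook input priority 0; policy drop;

        # Allow loopback
        iifname "lo" accept

        # Allow established connections
        ct state established,related accept

        # Allow SSH from management network only
        ip saddr 10.0.100.0/24 tcp dport 22 accept

        # Allow kubelet API (for k8s nodes)
        ip saddr 10.0.0.0/16 tcp dport 10250 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Syntax-check the ruleset without loading it (nft -c), then replace the
# table in a single transaction so there is no window with partial rules.
apply_host_fw() {
    host_fw_ruleset | nft -c -f - || return 1
    {
        printf 'add table inet host_fw\nflush table inet host_fw\n'
        host_fw_ruleset
    } | nft -f -
}
```

Run `apply_host_fw` as root on the node; the `add table` plus `flush table` prefix makes the load idempotent on first and later runs.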

Cilium Deep Dive: eBPF Networking, L7 Policies, Hubble Observability, and Cluster Mesh

Cilium Deep Dive

Cilium replaces the traditional Kubernetes networking stack with eBPF programs that run directly in the Linux kernel. Instead of kube-proxy translating Service definitions into iptables rules and a traditional CNI plugin managing pod networking through bridge interfaces and routing tables, Cilium attaches eBPF programs to kernel hooks that process packets at wire speed. The result is a networking layer that is faster at scale, capable of Layer 7 policy enforcement, and able to provide built-in observability without application instrumentation.

Zero Trust Networking

The Core Principle

Zero trust networking operates on a simple premise: no network location is inherently trusted. Being inside the corporate network, inside a VPC, or inside a Kubernetes cluster does not grant access to anything. Every request must be authenticated, authorized, and encrypted regardless of where it originates.

This is a departure from the traditional castle-and-moat model where a VPN places you “inside” the network and everything inside is implicitly trusted. That model fails because attackers who breach the perimeter have unrestricted lateral movement. Zero trust eliminates the concept of inside versus outside.