groundforce Deploy us →
← All insights

Zero Trust for Kubernetes: mTLS, Network Policies, and Workload Identity

A flat cluster network is a single compromised pod away from lateral movement across everything. Zero trust means every workload proves who it is and is allowed to talk to exactly what it needs, nothing more.

Start with default-deny

The single highest-leverage change: deny all pod-to-pod traffic in a namespace, then allow the specific paths back.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: { name: default-deny, namespace: payments }
spec:
 podSelector: {}
 policyTypes: [Ingress, Egress]
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: { name: api-to-db, namespace: payments }
spec:
 podSelector: { matchLabels: { app: postgres } }
 ingress:
 - from: [{ podSelector: { matchLabels: { app: api } } }]
 ports: [{ port: 5432 }]

Identity, not IP

IPs are recycled and spoofable. Give every workload a cryptographic identity with SPIFFE/SPIRE (or a mesh) and enforce strict mTLS so traffic is authenticated and encrypted by default:

apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata: { name: default, namespace: payments }
spec:
 mtls: { mode: STRICT }
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata: { name: only-api, namespace: payments }
spec:
 selector: { matchLabels: { app: postgres } }
 action: ALLOW
 rules:
 - from:
 - source:
 principals: ["cluster.local/ns/payments/sa/api"]

Least-privilege RBAC

The service account a pod runs as becomes an API key for an attacker if it is over-scoped. Grant verbs on named resources, never *:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: { name: api-reader, namespace: payments }
rules:
 - apiGroups: [""]
 resources: ["configmaps"]
 resourceNames: ["api-config"]
 verbs: ["get", "list"]

The checklist

  • Default-deny NetworkPolicy in every namespace

  • STRICT mTLS mesh-wide; no plaintext east-west traffic

  • Workload identity via SPIFFE, authorization by service-account principal

  • No wildcard RBAC; automount service-account tokens off unless needed

  • Secrets from an external store (Vault/CSI), never baked into images

Zero trust is not a product you buy. It is the removal of every implicit of-course-they-can-talk-to-each-other.


Assume the perimeter is already breached and design so a single popped pod goes nowhere. Default-deny, verified identity, and least privilege turn lateral movement from trivial into a very bad day for the intruder.

// READY TO DEPLOY

Have a problem that needs to ship?

Tell us the terrain. We’ll tell you the fastest path to production — and put a unit on the ground.