As containers with different trust levels are increasingly co-located within Kubernetes Pods—particularly through patterns such as sidecar containers from external vendors or separate teams—stronger intra-Pod security has become critical. Once a container is compromised, other containers in the same Pod sharing the network namespace are at high risk of lateral movement attacks, traffic interception, and unauthorized access. We propose a zero-trust microsegmentation approach that blocks all intra-Pod communication by default and selectively permits only specified container-port pairs through manifest metadata. Implemented as a Cilium plugin with dynamic iptables rules, our method integrates seamlessly into existing Kubernetes deployments without requiring modifications to the control plane or container runtime. Performance evaluation reveals that TCP session latency increases sharply with container count due to iptables’ linear rule lookup, while rule application time grows polynomially with Pod and container counts, causing significant overhead in large-scale scenarios (e.g., 50 Pods with 50 containers each). These findings expose fundamental scalability limitations of iptables-based approaches that cannot be mitigated by distributing Pods. We conclude that iptables is unsuitable for large-scale deployments and recommend eBPF as a more scalable alternative.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Proposal and Evaluation of a Method for Container Micro-segmentation

  • Shoya Nakamura,
  • Kunio Akashi,
  • Yuji Sekiya

摘要

As containers with different trust levels are increasingly co-located within Kubernetes Pods—particularly through patterns such as sidecar containers from external vendors or separate teams—stronger intra-Pod security has become critical. Once a container is compromised, other containers in the same Pod sharing the network namespace are at high risk of lateral movement attacks, traffic interception, and unauthorized access. We propose a zero-trust microsegmentation approach that blocks all intra-Pod communication by default and selectively permits only specified container-port pairs through manifest metadata. Implemented as a Cilium plugin with dynamic iptables rules, our method integrates seamlessly into existing Kubernetes deployments without requiring modifications to the control plane or container runtime. Performance evaluation reveals that TCP session latency increases sharply with container count due to iptables’ linear rule lookup, while rule application time grows polynomially with Pod and container counts, causing significant overhead in large-scale scenarios (e.g., 50 Pods with 50 containers each). These findings expose fundamental scalability limitations of iptables-based approaches that cannot be mitigated by distributing Pods. We conclude that iptables is unsuitable for large-scale deployments and recommend eBPF as a more scalable alternative.