Network Isolation
Kubernetes NetworkPolicies enforce network-level isolation between tenant namespaces. Pods in one tenant namespace cannot communicate with pods in another tenant namespace. This provides defense-in-depth beyond application-level tenant context checks.
Default Deny Policy
Each tenant namespace starts with a default-deny policy:
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: matih-data-plane-acme-corp
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
```

This blocks all traffic by default. Subsequent policies whitelist specific allowed traffic.
Allowed Ingress Traffic
| Source | Purpose |
|---|---|
| Same namespace (pod-to-pod) | Inter-service communication within tenant |
| Control Plane namespace | Management operations, health checks |
| Tenant's NGINX ingress controller | External traffic for tenant's domain |
```yaml
ingress:
  # Same namespace: a podSelector with no namespaceSelector matches pods in this namespace only.
  - from:
      - podSelector: {}
  # Control plane namespace (any pod in it).
  - from:
      - namespaceSelector:
          matchLabels:
            matih.ai/role: control-plane
  # Ingress namespace, restricted to this tenant's controller pods: both selectors
  # sit in the same list item, so they are ANDed rather than ORed.
  - from:
      - namespaceSelector:
          matchLabels:
            matih.ai/role: ingress
        podSelector:
          matchLabels:
            matih.ai/tenant: acme-corp
```

Allowed Egress Traffic
| Destination | Purpose |
|---|---|
| Same namespace | Inter-service communication |
| Shared infrastructure namespace | PostgreSQL, Redis, Kafka, Elasticsearch |
| DNS | Kubernetes DNS resolution |
```yaml
egress:
  # Same namespace.
  - to:
      - podSelector: {}
  # Shared infrastructure namespace (PostgreSQL, Redis, Kafka, Elasticsearch).
  - to:
      - namespaceSelector:
          matchLabels:
            matih.ai/role: shared-infra
  # DNS. Note: a rule with ports but no "to" allows UDP/53 to any destination;
  # add a "to" selecting the cluster DNS namespace to tighten it.
  - ports:
      - port: 53
        protocol: UDP
```

Blocked Traffic
| Traffic Pattern | Status |
|---|---|
| Tenant A pods to Tenant B pods | Blocked |
| Tenant pods to Control Plane pods (except allowed) | Blocked |
| External egress (internet) | Blocked (except for declared exceptions) |
| Direct access to infrastructure from outside cluster | Blocked |
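The invariants above (a default-deny per tenant namespace, egress only to declared destinations, ingress from the tenant's own controller rather than the whole ingress namespace) can be checked offline against rendered manifests. The following audit script is an added example, not code from the original page or the matih project; it embeds the policies as already-parsed dicts constructed from the YAML shown, and the policy name `tenant-allow` is an assumption.

```python
"""Audit a tenant namespace's NetworkPolicies against the isolation invariants above.
Added example (not the page's own code); manifests are embedded as parsed dicts
constructed from the YAML shown, so it runs offline with no cluster or YAML library."""

ROLE, TENANT = "matih.ai/role", "matih.ai/tenant"

DEFAULT_DENY = {"metadata": {"name": "default-deny-all"},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}

TENANT_ALLOW = {  # policy name is constructed; rules mirror the ingress/egress shown above
    "metadata": {"name": "tenant-allow"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"],
        "ingress": [
            {"from": [{"podSelector": {}}]},
            {"from": [{"namespaceSelector": {"matchLabels": {ROLE: "control-plane"}}}]},
            # both selectors in ONE peer = AND: only the tenant's controller pods
            {"from": [{"namespaceSelector": {"matchLabels": {ROLE: "ingress"}},
                       "podSelector": {"matchLabels": {TENANT: "acme-corp"}}}]}],
        "egress": [
            {"to": [{"podSelector": {}}]},
            {"to": [{"namespaceSelector": {"matchLabels": {ROLE: "shared-infra"}}}]},
            {"ports": [{"port": 53, "protocol": "UDP"}]}]}}  # no "to": any destination


def audit(policies):
    """Return findings for one namespace's policies; an empty list means all checks pass."""
    findings = []
    # 1. A default-deny policy must select every pod and list both policyTypes.
    if not any(p["spec"].get("podSelector") == {}
               and not p["spec"].get("ingress") and not p["spec"].get("egress")
               and {"Ingress", "Egress"} <= set(p["spec"].get("policyTypes", []))
               for p in policies):
        findings.append("no default-deny policy covering Ingress and Egress")
    for p in policies:
        name = p["metadata"]["name"]
        # 2. An egress rule with ports but no 'to' allows those ports to ANY destination.
        for rule in p["spec"].get("egress") or []:
            if "to" not in rule:
                ports = ",".join(f"{x.get('protocol', 'TCP')}/{x.get('port', '*')}"
                                 for x in rule.get("ports", []))
                findings.append(f"{name}: egress [{ports}] has no 'to'; any destination allowed")
        # 3. A peer that selects the ingress namespace without a podSelector admits
        #    every pod in that namespace, not only this tenant's controller.
        for rule in p["spec"].get("ingress") or []:
            for peer in rule.get("from") or []:
                labels = peer.get("namespaceSelector", {}).get("matchLabels", {})
                if labels.get(ROLE) == "ingress" and "podSelector" not in peer:
                    findings.append(f"{name}: ingress peer admits the whole ingress namespace")
    return findings
```

Run against the two policies above, the only finding is the DNS egress rule, which is the one place where the manifests shown reach beyond a declared destination.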
TLS Everywhere
All in-cluster communication uses TLS:
| Communication Path | TLS Implementation |
|---|---|
| Browser to ingress | cert-manager TLS certificates |
| Ingress to service | TLS termination at ingress |
| Service to service | mTLS (optional, via service mesh) |
| Service to database | TLS-encrypted PostgreSQL connections |
| Service to Redis | TLS-encrypted Redis connections |
Monitoring Network Policies
| Signal | Detection Method |
|---|---|
| Blocked connection attempts | Kubernetes audit logs |
| NetworkPolicy violations | CNI plugin flow logs (Calico/Cilium) |
| Unexpected egress | Egress policy violation alerts |
Related Pages
- Namespace Isolation -- Kubernetes namespace boundaries
- Data-Level Isolation -- Application data isolation
- Security: Tenant Isolation -- Comprehensive isolation overview