
I was thinking of using the Ambassador design pattern and filtering each request through Nginx with a WAF (ModSecurity or NAXSI) acting as a reverse proxy, with ACLs, authentication and authorization in front of the pod.

What are the best practices?

How can I prevent the "soft belly" of each microservice from being open on the network (VLAN, VPC or similar)?

Thanks,

dev

1 Answer

If you're looking to harden a Kubernetes cluster for east-west traffic, then you can generally use the Kubernetes Network Policy API. This will allow you to restrict traffic to specific white-listed sources and destinations based on Kubernetes labelling and/or CIDR ranges.

In addition to the base functionality provided by k8s, you can supplement this with additional policy options depending on the CNI provider you're using. For example, both Cilium and Calico support the creation of global network policies, which allow you to establish a security baseline across the whole cluster network.

Rory McCune
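To make the answer concrete, here is an added example (not part of the original answer, and not taken from the Cilium or Calico projects) of what this looks like as manifests. The namespace `shop`, the labels `app: frontend` / `app: api`, the port `8080` and the CIDR `10.0.0.0/8` are assumed values chosen for illustration. The first two documents use only the core Kubernetes `networking.k8s.io/v1` NetworkPolicy API: a default-deny policy for every pod in the namespace, followed by a narrow allow rule for east-west traffic from the frontend to the API. The third document shows the same "secure by default" baseline expressed once, cluster-wide, with Calico's `GlobalNetworkPolicy` (projectcalico.org/v3), so that namespaces without their own policies are still locked down; the field names follow Calico's v3 API as I know it and should be checked against the version you run.

```yaml
# Added example, not from the original answer. Namespace, labels, port and
# CIDR below are assumed values for illustration only.
#
# 1) Default deny: selects every pod in the namespace (empty podSelector) and
#    declares both policy types with no rules, so all ingress and egress is
#    dropped unless another policy explicitly allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop            # assumed namespace
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# 2) Allow-list: only pods labelled app=frontend in the same namespace, or
#    clients from an assumed internal CIDR, may reach app=api on TCP/8080.
#    Egress from the API pods is limited to cluster DNS (UDP/TCP 53), which
#    is what a default-deny egress policy would otherwise silently break.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-from-frontend
  namespace: shop            # assumed namespace
spec:
  podSelector:
    matchLabels:
      app: api               # assumed label on the protected microservice
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend  # assumed label on the allowed caller
        - ipBlock:
            cidr: 10.0.0.0/8 # assumed internal range, e.g. an ingress proxy
            except:
              - 10.0.99.0/24 # assumed block carved out of the range
      ports:
        - protocol: TCP
          port: 8080         # assumed service port
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# 3) CNI-level baseline (Calico GlobalNetworkPolicy, projectcalico.org/v3):
#    one cluster-wide policy that denies everything except DNS for all
#    workloads outside the system namespaces. Namespaced NetworkPolicies
#    such as (2) then punch specific holes in this baseline. Field names are
#    as in Calico's v3 API; verify against the Calico version in use.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: baseline-default-deny
spec:
  order: 1000                # evaluated after lower-ordered (more specific) policies
  selector: projectcalico.org/namespace not in {"kube-system", "calico-system"}
  types:
    - Ingress
    - Egress
  egress:
    - action: Allow
      protocol: UDP
      destination:
        selector: k8s-app == "kube-dns"
        namespaceSelector: projectcalico.org/name == "kube-system"
        ports:
          - 53
```

A practical check after applying these: an unlabelled debug pod in the `shop` namespace should fail to connect to the API on 8080, a pod labelled `app: frontend` should succeed, and both should still resolve names. Applying the default-deny before the allow rule briefly drops legitimate traffic, so in an existing cluster roll out the allow-lists first and the deny policy last.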