Your Kubernetes cluster on Azure is wide open. Not because you’re lazy. Not because you’re reckless. But because Microsoft made it easy to skip the hard stuff. And one of the most overlooked, misunderstood, and critically important security controls in AKS is something almost no one implements:
Network Policies.
The Time Bomb You Deployed Without Knowing It
When you spun up that shiny new AKS cluster with a couple of manifests and a managed identity, you probably felt good about it.
Pods are running. Ingress is live. Your CI/CD deploys beautifully. But guess what? Every pod can talk to every other pod. Every namespace is implicitly trusted. There is no isolation, no restrictions, and no segmentation. It’s Kubernetes, the “cloud-native” way — just not the secure way.
Most AKS Clusters Violate Zero Trust by Default
The entire premise of Zero Trust is explicit access, least privilege, and segmentation. Kubernetes doesn’t do any of that unless you make it.
In AKS:
- Network policies are opt-in.
- You need to explicitly enable them at cluster creation.
- And even if you do… You need to define policies for every namespace.
AKS supports only Calico or Azure CNI for network policies , and the differences between them trip up even senior engineers.
Why Nobody Uses Network Policies
Nobody wants to set up network policies in Kubernetes because:
- The syntax sucks. Writing egress/ingress YAML rules is like configuring firewalls in Morse code.
- It breaks stuff without clear feedback. You deploy a policy, and half your microservices disappear in a puff of network failure.
- Docs are dry and confusing. Microsoft gives you the “hello-world” of policies but never walks you through multi-team, multi-namespace real-world architectures.
- Most devs and even DevOps folks assume the cloud provider protects the network.
Real-World Consequences of Skipping Network Policies
Here’s what this looks like in production:
- A compromised logging container exfiltrates secrets from a neighboring microservice.
- Lateral movement happens effortlessly because every pod is an open port.
- Staging pods accidentally talk to production databases because… well, no one told them not to.
And if you’re in a regulated industry (finance, healthcare, or government)? You’re already non-compliant — whether or not you’ve been audited yet.
So what can you do?
If you want to get serious about securing your AKS workloads (and you should), here’s a quick-start playbook:
1. Use Azure CNI with Calico.
Don’t rely on the default Kubenet. It’s limited and doesn’t support advanced network policies.
2. Enable Network Policy at Cluster Creation
You can’t retroactively add a network policy to a cluster. You’ll have to destroy and recreate it.
3. Start With a Default Deny Policy
Block everything first. Then allow only what you explicitly need — by namespace, label, or CIDR.
4. Use Namespaces Strategically
Break your app into functional units: frontend, backend, data, and infrastructure. Then isolate with policy.
5. Monitor Traffic Flow
Tools like Azure Network Watcher or Calico’s policy audit logs will help visualize what’s happening.
Your cluster isn’t secure because it’s in Azure. Your cluster isn’t secure because your pods have managed identities. Your cluster is secure only if you control what can talk to what. And you’re not doing that if you’re not using network policies. Don’t wait for a breach or an audit to care. Don’t trust the defaults. Because Kubernetes won’t save you. Azure won’t save you. Only you, with a properly written NetworkPolicy YAML, can stop the threat you don’t even see coming.
No comments:
Post a Comment