Network Security

This document outlines the network security requirements and practices for Safespring on-demand Kubernetes services.

4.1 Network Protection

Safespring Kubernetes clusters are deployed on top of OpenStack infrastructure, where security groups provide the first line of network perimeter protection.

OpenStack Security Groups:

  • Stateful virtual firewalls applied to cluster nodes.
  • Default-deny rules for inbound traffic, with explicit allowlists for Kubernetes control plane and worker node communication.
  • Granular filtering for API access and service ports.
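The default-deny-plus-allowlist pattern above, written as a Heat template so the rule set is reviewable as code. This is an added example, not Safespring's production configuration: the group names, CIDRs and the choice of Heat are assumptions, and the rule set is deliberately partial (a real cluster also needs node-to-node rules for the CNI overlay and for etcd/kubelet between control plane nodes). Neutron security groups are stateful and drop inbound traffic that no rule allows, so only the allow rules are written.

```yaml
heat_template_version: 2018-08-31

description: >
  Constructed example of Kubernetes node security groups. Not Safespring's
  configuration; CIDRs and names are placeholders.

parameters:
  mgmt_cidr:
    type: string
    default: 192.0.2.0/24         # constructed: operator/bastion network
  lb_cidr:
    type: string
    default: 198.51.100.0/28      # constructed: HAProxy load balancer subnet

resources:
  k8s_control_plane_sg:
    type: OS::Neutron::SecurityGroup
    properties:
      name: k8s-control-plane
      description: Kubernetes control plane nodes (ingress allowlist only)
      rules:
        # Kubernetes API reachable only from the load balancer subnet
        - direction: ingress
          protocol: tcp
          port_range_min: 6443
          port_range_max: 6443
          remote_ip_prefix: { get_param: lb_cidr }
        # Talos API (apid) reachable only from the management network
        - direction: ingress
          protocol: tcp
          port_range_min: 50000
          port_range_max: 50000
          remote_ip_prefix: { get_param: mgmt_cidr }
        # etcd client/peer ports only between members of this same group
        # (remote_group_id omitted: Heat defaults it to this group)
        - direction: ingress
          protocol: tcp
          port_range_min: 2379
          port_range_max: 2380
          remote_mode: remote_group_id

  k8s_worker_sg:
    type: OS::Neutron::SecurityGroup
    properties:
      name: k8s-worker
      description: Kubernetes worker nodes (ingress allowlist only)
      rules:
        # kubelet API only from control plane nodes, by group rather than by IP
        - direction: ingress
          protocol: tcp
          port_range_min: 10250
          port_range_max: 10250
          remote_mode: remote_group_id
          remote_group_id: { get_resource: k8s_control_plane_sg }
        # NodePort range only from the HAProxy subnet, never from the Internet
        - direction: ingress
          protocol: tcp
          port_range_min: 30000
          port_range_max: 32767
          remote_ip_prefix: { get_param: lb_cidr }
```

Referencing the peer group (`remote_group_id`) instead of node IPs is what keeps the allowlist correct when nodes are replaced or scaled; a rule keyed on a fixed `remote_ip_prefix` silently widens or breaks as the node pool changes.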

All external traffic to the Kubernetes cluster is routed through a dedicated HAProxy load balancer:

HAProxy Load Balancer:

  • Acts as a secure entry point to the Kubernetes control plane and ingress services.
  • Provides TLS termination for incoming traffic.
  • Supports high availability and redundancy across multiple nodes.
  • Enforces rate limiting, connection filtering, and DDoS protection at the edge.

At the node OS level, Talos Linux further reduces the attack surface by:

  • Disabling unnecessary services and network daemons.
  • Enforcing secure-by-default configurations with immutable networking settings.
  • Providing an API-driven firewall configuration mechanism.
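What an API-driven host firewall looks like in practice: the Talos ingress firewall documents (`NetworkDefaultActionConfig` and `NetworkRuleConfig`), applied to a node's machine configuration rather than edited on the host. This is an added example, not Safespring's configuration; it assumes Talos Linux v1.6 or later, where these documents exist, and the subnets are constructed placeholders.

```yaml
# Constructed example of a Talos ingress firewall. Subnets are placeholders.
# Default action: drop every inbound packet that no NetworkRuleConfig allows.
apiVersion: v1alpha1
kind: NetworkDefaultActionConfig
ingress: block
---
# Talos API (apid) only from the management network
apiVersion: v1alpha1
kind: NetworkRuleConfig
name: apid-from-management
portSelector:
  ports:
    - 50000
  protocol: tcp
ingress:
  - subnet: 192.0.2.0/24        # constructed: operator/bastion network
---
# kubelet API only from other cluster nodes
apiVersion: v1alpha1
kind: NetworkRuleConfig
name: kubelet-from-nodes
portSelector:
  ports:
    - 10250
  protocol: tcp
ingress:
  - subnet: 10.10.0.0/24        # constructed: node subnet
---
# Kubernetes API (control plane nodes) only from the HAProxy subnet
apiVersion: v1alpha1
kind: NetworkRuleConfig
name: kube-apiserver-from-lb
portSelector:
  ports:
    - 6443
  protocol: tcp
ingress:
  - subnet: 198.51.100.0/28     # constructed: HAProxy load balancer subnet
---
# CNI overlay between nodes; 8472/udp assumes Cilium's default VXLAN port
apiVersion: v1alpha1
kind: NetworkRuleConfig
name: cilium-vxlan-from-nodes
portSelector:
  ports:
    - 8472
  protocol: udp
ingress:
  - subnet: 10.10.0.0/24        # constructed: node subnet
```

The documents are applied as part of the machine config (for example with `talosctl apply-config` or `talosctl patch machineconfig`), so the firewall state is declared in version-controlled configuration and there is no interactive shell on the node in which rules could drift.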

4.2 Network Services Security

Protocol Security:

  • All internal Kubernetes communication is encrypted with TLS.
  • Mutual TLS (mTLS) can be enabled for pod-to-pod and service-to-service traffic using service mesh integrations.

Service Hardening:

  • Kubernetes API server access is restricted through Zitadel-based authentication with RBAC and MFA.
  • Node-to-node and pod-to-pod traffic flows are minimized using default-deny NetworkPolicies.
  • Talos Linux ensures minimal exposure by running no general-purpose services on cluster nodes.

Ingress and Egress Control:

  • External ingress traffic flows through the HAProxy load balancer, which provides TLS termination and routing to the correct Kubernetes services.

4.3 Network Segmentation

Kubernetes Network Policies:

  • Workloads are isolated by default with explicit policies defining allowed communication paths.
  • Policies enforce micro-segmentation between namespaces, reducing lateral movement risks.
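The default-deny NetworkPolicy model described here and in 4.2 (Service Hardening), as an added example that is not Safespring's configuration. The namespace `shop`, the `web` and `db` labels, the `ingress-nginx` namespace and the ports are constructed placeholders. The first policy selects every pod in the namespace and allows nothing; the later policies are the explicit allowlist, and because NetworkPolicies are additive they only ever widen what the deny policy closed.

```yaml
# Constructed example. Namespace, labels and ports are placeholders.
---
# 1. Default deny for the whole namespace: empty podSelector matches every pod,
#    and listing both policyTypes with no rules blocks ingress and egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: shop
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# 2. Ingress allowlist: only the ingress controller namespace may reach
#    the web pods, and only on the application port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-to-web
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 8080
---
# 3. Egress allowlist: web may reach the in-namespace database and cluster DNS.
#    The DNS rule is what most default-deny rollouts forget: without it, every
#    name lookup from the pod fails even though the db rule is correct.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-egress
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
    - Egress
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: db
      ports:
        - protocol: TCP
          port: 5432
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Two checks worth running after applying such a set: confirm every namespace carrying workloads has a `podSelector: {}` deny policy (a pod selected by no policy is unrestricted), and confirm that the `db` pods also carry an ingress rule admitting `app: web`, since the egress allowance on the client side does not by itself open the server side.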

Cilium with eBPF for Network Hardening: Safespring leverages Cilium, a CNI (Container Network Interface) powered by eBPF, for advanced Kubernetes networking and security.
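One thing Cilium adds over the standard NetworkPolicy API is enforcement above layer 4: a `CiliumNetworkPolicy` can restrict which HTTP methods and paths a peer may call, with L3/L4 decisions made in the eBPF datapath and L7 rules enforced by Cilium's proxy. The following is an added example, not Safespring's or the Cilium project's own configuration; the `shop` namespace, the `web` and `frontend` labels, the port and the paths are constructed placeholders.

```yaml
# Constructed example of a Cilium L7 policy. Labels, port and paths are placeholders.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: web-api-l7
  namespace: shop
spec:
  # Pods this policy protects (the server side)
  endpointSelector:
    matchLabels:
      app: web
  ingress:
    # Only frontend pods may connect at all (L3 identity, enforced in eBPF)...
    - fromEndpoints:
        - matchLabels:
            app: frontend
      # ...and only to 8080 (L4), where each request is checked against the
      # HTTP allowlist below (L7); anything else on this port is refused.
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              - method: GET
                path: "^/api/v1/products(/.*)?$"
              - method: POST
                path: "^/api/v1/cart$"
```

Requests from `frontend` that do not match the list are rejected by the proxy rather than by the application, so an unexpected administrative or debug endpoint on the same port is unreachable even if the application exposes it. Policy verdicts, including these L7 denials, are visible as flow events in Hubble, which makes a blocked path a detectable signal rather than a silent failure.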