Chapter 10. Container Network Security
Every external attack reaches your deployment across a network, so it’s important to understand something about networking in order to consider how to secure your applications and data. This isn’t going to be a comprehensive treatment of everything to do with networking (that would make this book a lot longer!), but it should give you the essentials of a sensible mental model you can use to think about network security in your container deployment.
I’ll start with an overview of container firewalling, which can provide a much more granular approach to network security than traditional firewalling approaches.
Then there is a review of the seven-layer networking model, which is worth knowing about so that you can understand the level a network security feature acts at. With this in place, we will discuss how container firewalling is implemented and look at some best practices for network policy rules. We end the chapter by looking at the network security features of service meshes.
Containers often go hand in hand with microservice architectures, where an application is broken into small components that can be deployed independently of each other. This can offer real benefits from a security perspective, because it’s much easier to define what normal behavior looks like in a small component. A given container probably has to communicate with only a limited set of other containers, and only a subset of containers need contact ...