Unrestricted Node-Level Communication in Calico CNI

In a Kubernetes cluster that uses Calico as its CNI, pod traffic is allowed by default: a pod that is not selected by any NetworkPolicy can reach every other pod, on the same node or on other nodes, and every service listening on a node IP. Kubernetes NetworkPolicy also governs only pod traffic; processes in the node's own network namespace, including hostNetwork pods and the kubelet, are outside its scope. Left at these defaults, the cluster is exposed to traffic that slips past the controls the policies were meant to impose and to unauthorized access to node-level services that were never intended to be reachable from workloads.

Two distinct weaknesses follow, and they need separate fixes. The first is policy scope: an attacker who compromises a container and then gains a foothold in the node's network namespace (through a hostNetwork pod or a container escape) sends traffic from the node's own IP, which pod-level NetworkPolicy never evaluates, so the policies written for the workloads no longer constrain that traffic. From there the attacker can reach other containers, the kubelet API and other node-level services, enabling lateral movement and potential privilege escalation. The second is confidentiality: by default Calico does not encrypt pod traffic between nodes, so an attacker with access to a node or to the underlying network can read it in transit. Encryption does not stop the policy bypass, and policy does not stop sniffing.

To mitigate these risks, apply a default-deny NetworkPolicy in every workload namespace so that only explicitly allowed pod traffic flows; protect the nodes themselves with Calico HostEndpoints and a GlobalNetworkPolicy so that traffic to the node's own IP (kubelet, SSH, metrics) is restricted as well; and enable Calico's WireGuard encryption so that pod traffic between nodes is encrypted on the wire. Roll host endpoint policy out to one node first: a mistake there can cut off kubelet or API server connectivity, although Calico's failsafe ports (SSH, BGP, etcd and the API server by default) stay open regardless of policy.
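The manifests below put the three controls together, as an added example that is not part of the original page or of Calico's own documentation: a default-deny NetworkPolicy for one workload namespace, a HostEndpoint plus GlobalNetworkPolicy that restricts traffic terminating at the node, and the FelixConfiguration change that turns on WireGuard. The namespace `payments`, the node name `worker-1`, the label `role: worker-node` and the management CIDR `10.0.0.0/16` are assumptions for illustration; substitute your own values.

```yaml
# Added example (not from the original page). Names, labels and CIDRs are assumptions.
#
# 1. Default-deny for pod traffic in one namespace. podSelector: {} selects every
#    pod in the namespace; with both policy types listed, those pods can neither
#    receive nor send traffic unless another NetworkPolicy explicitly allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments            # assumed namespace
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# 2a. Register the node as a Calico HostEndpoint so that Calico policy can be
#     applied to traffic terminating at the node itself (kubelet, SSH, hostNetwork
#     pods), which pod NetworkPolicy never covers. interfaceName "*" covers every
#     interface of the node rather than one named NIC.
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: worker-1-host            # assumed name
  labels:
    role: worker-node            # assumed label, selected by the policy below
spec:
  node: worker-1                 # assumed; must match the Kubernetes node name
  interfaceName: "*"
---
# 2b. Restrict inbound traffic to the labelled host endpoints. Once any Calico
#     policy selects an endpoint, traffic that no rule allows is dropped, so only
#     the management network may reach SSH (22), the kubelet (10250) and Calico's
#     default WireGuard port (UDP 51820). Calico's failsafe ports remain open
#     regardless, which limits, but does not remove, the risk of locking yourself out.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: worker-node-ingress
spec:
  selector: role == 'worker-node'
  order: 100
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        nets:
          - 10.0.0.0/16          # assumed management / control-plane / node CIDR
      destination:
        ports:
          - 22
          - 10250
    - action: Allow
      protocol: UDP
      source:
        nets:
          - 10.0.0.0/16          # other nodes' WireGuard peers live in the same CIDR
      destination:
        ports:
          - 51820
    - action: Deny               # explicit for readability; implied once the policy selects the endpoint
---
# 3. Encrypt pod traffic between nodes with WireGuard. Requires WireGuard support
#    in the node kernel. Traffic between two pods on the same node never leaves the
#    host and is not affected; policy, not encryption, is the control for that path.
apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
  name: default
spec:
  wireguardEnabled: true
```

Apply the manifests with `kubectl apply -f` (the Calico resources need the Calico API server or `calicoctl apply -f`). NodePort services and any other listener on the node need their own Allow rules in the GlobalNetworkPolicy. After enabling WireGuard, each node should show a `wireguard.cali` interface (`ip link show wireguard.cali`); if it is missing, check that the kernel on that node has WireGuard support.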