
Risks

Overlay Network (CNI)

CNIs create a virtual network that connects containers across multiple host VMs and enables their auto-discovery. With CNIs, portable microservices-based applications composed of multiple containers can run anywhere: on one host VM, multiple host VMs, or even across cloud providers and data centers. Applications use the network as if the containers were all connected to the same network switch, without having to configure port mappings, ambassadors, or links.

Without a CNI plugin the cluster is not functional: nodes stay NotReady and pods never get network connectivity. Beyond that baseline, CNIs differ in two security-relevant capabilities that are independent of each other. First, only some CNIs can encrypt pod-to-pod traffic between nodes, and even those ship with encryption switched off by default. Second, Network Policies are not enforced by Kubernetes itself but by the CNI plugin; a CNI that does not implement Network Policy support accepts the policy objects and silently ignores them, so traffic that appears restricted is not.

We recommend using only CNIs that support both encrypted pod-to-pod communication and Network Policy enforcement, and explicitly enabling the encryption, since it is not on by default.

Furthermore, deploy the CNI components (DaemonSets, operators, controllers) in their own namespace rather than alongside application workloads, so that their highly privileged pods and RBAC bindings can be isolated and audited separately.


Importance of Encrypted Communication in CNIs

Some CNIs do not offer encryption, and those that do leave it disabled unless the operator turns it on. The following points explain why encryption matters and what unencrypted internal communication exposes:

Potential Eavesdropping Attacks: Unencrypted pod-to-pod traffic between nodes can be read by anyone positioned on the underlying network, for example a compromised node, a rogue VM in the same subnet, or a cloud network segment the operator does not fully control. Sensitive data, including service credentials and tokens, passes in the clear, which can lead to data breaches and unauthorized access.

Data Integrity Risks: Without encryption (and the authentication that comes with it) data in transit between containers can be tampered with. An attacker on the path could alter requests or responses, causing application malfunctions or injecting malicious payloads.

Network Policies Ineffectiveness: Network Policy enforcement is a separate capability from encryption, but like encryption it is provided by the CNI, not by Kubernetes itself. A CNI that does not implement it accepts NetworkPolicy objects and does nothing with them, leaving the cluster open to unauthorized access and lateral movement while the policies appear to be in place. Verify enforcement empirically: apply a default-deny ingress policy to a test namespace and confirm that a connection attempt from another pod is actually refused.

Regulatory Compliance: Many industries have strict regulatory requirements for data protection and encryption in transit. Using a CNI that does not support encryption, or leaving a supported feature disabled, can result in non-compliance, with legal and financial repercussions.

Examples of Secure CNIs: Weave Net and Calico are examples of CNIs that can encrypt pod-to-pod traffic between nodes: Weave Net via a shared password supplied in the WEAVE_PASSWORD environment variable of its DaemonSet, Calico via WireGuard, enabled through the wireguardEnabled field of its FelixConfiguration. In both cases encryption is opt-in and must be switched on and then verified; a supported but disabled feature protects nothing. Note also that encryption covers traffic between nodes; pods on the same node exchange packets without crossing the wire. Weave Net is no longer maintained since Weaveworks shut down in 2024, so new deployments should prefer an actively maintained CNI.
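The "supported but disabled" distinction above is easy to miss during a review, because the CNI looks installed and healthy either way. As an added example (not code from the original page, and not tooling from any CNI project), the following Python script applies the check to the objects a cluster actually contains: it reads kubectl JSON output and tests the encryption switch for Calico (FelixConfiguration wireguardEnabled) and Weave Net (WEAVE_PASSWORD in the weave-net DaemonSet) as described above, and, going beyond the page's two examples, Cilium (the enable-wireguard and enable-ipsec keys of the cilium-config ConfigMap). The sample cluster objects are constructed for this example; they combine a Calico and a Weave object in one list only so that both rules are exercised.

```python
"""Check whether a cluster's CNI has pod-traffic encryption switched on.

Added example, not taken from the original page. Rules applied:
  Calico   FelixConfiguration .spec.wireguardEnabled == true
  Weave    DaemonSet weave-net has env WEAVE_PASSWORD on a container
  Cilium   ConfigMap cilium-config has enable-wireguard or enable-ipsec "true"
The sample objects at the bottom are constructed, not captured from a cluster.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Finding:
    cni: str                    # "calico", "weave", "cilium" or "unknown"
    encrypted: Optional[bool]   # None means "could not determine"
    detail: str


def _flatten(objects: Iterable[dict]) -> list[dict]:
    """Unwrap kubectl 'List' envelopes so raw `kubectl get -o json` can be passed."""
    out: list[dict] = []
    for obj in objects:
        if obj.get("kind") == "List":
            out.extend(obj.get("items", []))
        else:
            out.append(obj)
    return out


def _env_names(daemonset: dict) -> set[str]:
    """All environment variable names across the DaemonSet's containers."""
    pod_spec = daemonset.get("spec", {}).get("template", {}).get("spec", {})
    return {env["name"]
            for container in pod_spec.get("containers", [])
            for env in container.get("env", [])}


def audit_cni(objects: Iterable[dict]) -> list[Finding]:
    """Return one Finding per recognised CNI object; 'unknown' if none is found."""
    findings: list[Finding] = []
    for obj in _flatten(objects):
        kind = obj.get("kind")
        name = obj.get("metadata", {}).get("name", "")
        if kind == "FelixConfiguration":
            # Calico: WireGuard stays off unless the field is explicitly true.
            on = obj.get("spec", {}).get("wireguardEnabled") is True
            findings.append(Finding("calico", on, f"FelixConfiguration/{name}: wireguardEnabled={on}"))
        elif kind == "DaemonSet" and name == "weave-net":
            # Weave Net: encryption requires a shared password via WEAVE_PASSWORD.
            on = "WEAVE_PASSWORD" in _env_names(obj)
            findings.append(Finding("weave", on, f"DaemonSet/{name}: WEAVE_PASSWORD {'set' if on else 'missing'}"))
        elif kind == "ConfigMap" and name == "cilium-config":
            data = obj.get("data", {})
            modes = [k for k in ("enable-wireguard", "enable-ipsec")
                     if str(data.get(k, "false")).lower() == "true"]
            findings.append(Finding("cilium", bool(modes), f"ConfigMap/{name}: encryption modes on: {modes or 'none'}"))
    if not findings:
        findings.append(Finding("unknown", None, "no Calico, Weave Net or Cilium objects found; "
                                "consult the CNI's own documentation before assuming traffic is encrypted"))
    return findings


def unencrypted(findings: Iterable[Finding]) -> list[Finding]:
    """Findings that should block sign-off: encryption off or undeterminable."""
    return [f for f in findings if f.encrypted is not True]


# Constructed sample: Calico left at defaults (no wireguardEnabled) and a
# Weave Net DaemonSet deployed without a password.
WEAK_CLUSTER = json.loads("""
{"kind": "List", "items": [
  {"apiVersion": "projectcalico.org/v3", "kind": "FelixConfiguration",
   "metadata": {"name": "default"}, "spec": {"logSeverityScreen": "Info"}},
  {"apiVersion": "apps/v1", "kind": "DaemonSet",
   "metadata": {"name": "weave-net", "namespace": "kube-system"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "weave", "env": [{"name": "HOSTNAME", "valueFrom": {}}]},
     {"name": "weave-npc"}]}}}}
]}""")

# The same objects after enabling encryption in both CNIs.
HARDENED_CLUSTER = json.loads("""
{"kind": "List", "items": [
  {"apiVersion": "projectcalico.org/v3", "kind": "FelixConfiguration",
   "metadata": {"name": "default"}, "spec": {"wireguardEnabled": true}},
  {"apiVersion": "apps/v1", "kind": "DaemonSet",
   "metadata": {"name": "weave-net", "namespace": "kube-system"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "weave", "env": [{"name": "WEAVE_PASSWORD",
        "valueFrom": {"secretKeyRef": {"name": "weave-passwd", "key": "weave-passwd"}}}]},
     {"name": "weave-npc"}]}}}}
]}""")


if __name__ == "__main__":
    for label, cluster in (("weak", WEAK_CLUSTER), ("hardened", HARDENED_CLUSTER)):
        bad = unencrypted(audit_cni([cluster]))
        print(f"{label}: {'FAIL' if bad else 'PASS'}")
        for f in bad:
            print(f"  {f.cni}: {f.detail}")
```

Against a live Calico cluster, feed it the output of `kubectl get felixconfiguration,daemonset,configmap -A -o json` parsed with json.load. A PASS means the switch is on, not that packets are encrypted: confirm on a node with a packet capture that cross-node pod traffic appears as WireGuard, ESP or Weave's encrypted datapath rather than plain overlay packets.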

By using a CNI that offers encrypted communication, and by actually enabling and verifying it, you protect the cluster from eavesdropping, preserve the integrity of data in transit, and meet regulatory requirements for encryption in transit. Deploying the CNI in its own namespace further helps by isolating its privileged components and network configuration from application workloads.
