Zero Trust Architecture
Implement the "never trust, always verify" security model: no request is trusted because of where it comes from; every access is authenticated, authorized and encrypted.
Core Principles
```yaml
zero_trust_principles:
  - Verify explicitly (authenticate all access)
  - Least privilege access
  - Assume breach (micro-segmentation)
  - Continuous validation
  - End-to-end encryption
```
Identity-Based Access
Service mesh mTLS
```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
spec:
  mtls:
    mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: frontend-to-backend
spec:
  selector:
    matchLabels:
      app: backend
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/frontend"]
```
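As an added example (not part of this skill and not Istio's own tooling), a small Python audit that takes PeerAuthentication and AuthorizationPolicy objects already loaded as dicts (the shape `kubectl get -o json` returns) and flags the settings that undo "verify explicitly": an mTLS mode other than STRICT, a per-port override, and an ALLOW rule that names no source identity. The sample objects are constructed for the demonstration.

```python
from typing import Any, Dict, List

Manifest = Dict[str, Any]

# Constructed sample objects, shaped like `kubectl get -o json` items (example data only).
STRICT_MTLS: Manifest = {
    "kind": "PeerAuthentication", "metadata": {"name": "default", "namespace": "istio-system"},
    "spec": {"mtls": {"mode": "STRICT"}}}
PERMISSIVE_MTLS: Manifest = {
    "kind": "PeerAuthentication", "metadata": {"name": "default", "namespace": "legacy"},
    "spec": {"mtls": {"mode": "PERMISSIVE"}}}
SCOPED_ALLOW: Manifest = {
    "kind": "AuthorizationPolicy", "metadata": {"name": "frontend-to-backend", "namespace": "default"},
    "spec": {"selector": {"matchLabels": {"app": "backend"}},
             "rules": [{"from": [{"source": {"principals": ["cluster.local/ns/default/sa/frontend"]}}]}]}}
OPEN_ALLOW: Manifest = {
    "kind": "AuthorizationPolicy", "metadata": {"name": "allow-everything", "namespace": "default"},
    "spec": {"selector": {"matchLabels": {"app": "backend"}}, "rules": [{}]}}  # empty rule matches all


def audit(manifests: List[Manifest]) -> List[str]:
    """Return one finding per zero-trust gap; an empty list means the set passed."""
    findings: List[str] = []
    for m in manifests:
        name = f"{m['metadata'].get('namespace', 'default')}/{m['metadata']['name']}"
        spec = m.get("spec", {})
        if m["kind"] == "PeerAuthentication":
            # Any mode other than STRICT still accepts plaintext, unauthenticated connections.
            mode = spec.get("mtls", {}).get("mode", "UNSET")
            if mode != "STRICT":
                findings.append(f"{name}: mTLS mode is {mode}, expected STRICT")
            for port, cfg in spec.get("portLevelMtls", {}).items():
                if cfg.get("mode") != "STRICT":
                    findings.append(f"{name}: port {port} overrides mTLS to {cfg.get('mode')}")
        elif m["kind"] == "AuthorizationPolicy" and spec.get("action", "ALLOW") == "ALLOW":
            if "selector" not in spec:
                findings.append(f"{name}: no selector, policy applies to every workload in the namespace")
            for i, rule in enumerate(spec.get("rules", [])):
                # An ALLOW rule without a source identity admits any caller, so access is no
                # longer tied to a verified identity (the point of the principals list above).
                sources = [s.get("source", {}) for s in rule.get("from", [])]
                identities = [p for s in sources for p in s.get("principals", []) + s.get("namespaces", [])]
                if not identities:
                    findings.append(f"{name}: rule {i} has no source identity (allows any caller)")
                elif "*" in identities:
                    findings.append(f"{name}: rule {i} uses a wildcard identity")
    return findings
```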
Network Segmentation
Kubernetes Network Policy
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
```
Implementation Steps
- Identify sensitive resources
- Map access patterns
- Implement strong authentication
- Apply micro-segmentation
- Enable logging and monitoring
- Continuous verification
Best Practices
- Identity-aware proxies
- Device trust verification
- Context-based access
- Encrypted communications
- Continuous monitoring
Related Skills
- service-mesh - mTLS implementation
- kubernetes-hardening - K8s security