Proposal and Evaluation of a Method for Container Micro-segmentation
摘要
As containers with different trust levels are increasingly co-located within Kubernetes Pods—particularly through patterns such as sidecar containers from external vendors or separate teams—stronger intra-Pod security has become critical. Once a container is compromised, other containers in the same Pod sharing the network namespace are at high risk of lateral movement attacks, traffic interception, and unauthorized access. We propose a zero-trust microsegmentation approach that blocks all intra-Pod communication by default and selectively permits only specified container-port pairs through manifest metadata. Implemented as a Cilium plugin with dynamic iptables rules, our method integrates seamlessly into existing Kubernetes deployments without requiring modifications to the control plane or container runtime. Performance evaluation reveals that TCP session latency increases sharply with container count due to iptables’ linear rule lookup, while rule application time grows polynomially with Pod and container counts, causing significant overhead in large-scale scenarios (e.g., 50 Pods with 50 containers each). These findings expose fundamental scalability limitations of iptables-based approaches that cannot be mitigated by distributing Pods. We conclude that iptables is unsuitable for large-scale deployments and recommend eBPF as a more scalable alternative.