Chapter 14
Watched from the Woods
Network Boundary Monitoring
Most attacks do not start inside your system. They begin at the edges—probing, observing, waiting.
Just like the shadows in the woods:
- scanning ports without triggering alerts,
- slow lateral movement,
- unusual but low-volume traffic,
- behavior that looks almost normal.
If you only monitor what happens inside your workloads, you miss the approach.
What to watch at the boundaries
- North–south traffic (ingress / egress)
- East–west traffic between services
- Unexpected destinations
- Unusual DNS or connection patterns
Practical examples
To monitor unexpected outbound traffic from pods, first list the network policies currently in force across all namespaces:
$ kubectl get networkpolicies -A
Ensure default-deny policies are in place, then explicitly allow only known traffic.
Example: deny all egress by default, allow specific endpoints only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
spec:
  podSelector: {}
  policyTypes:
    - Egress
Then add specific allow rules as needed. Note that this policy also blocks DNS resolution for the selected pods, so an egress rule allowing UDP and TCP port 53 to the cluster DNS service is usually the first allow rule to add.
More on pod security and network policies in Chapter 6 of Docker and Kubernetes Security.
Exercise
- Review your current network policies. Do you have a default-deny policy in place? If not, implement one and then add specific allow rules for necessary traffic.
- Set up monitoring for unexpected outbound traffic from your pods. Use tools like kubectl to check for any unusual patterns or destinations. Consider implementing a network monitoring solution that can alert you to suspicious activity at the boundaries of your cluster.
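An added example, not code from this chapter or from Kubernetes itself: a small Python script that models the `spec.egress` allow rules of a NetworkPolicy as data, replays constructed pod flow records against them, and reports both the flows that default-deny would drop (unexpected destinations) and pods whose DNS queries fan out across many names under one zone (an unusual, low-volume pattern). The cluster DNS service IP, the external CIDR, the pod names and the flow lines are all constructed values, and only the `ipBlock`/`ports` part of the egress schema is modelled, since resolving `namespaceSelector`/`podSelector` peers needs the API server.

```python
"""Replay constructed pod egress flows against NetworkPolicy-shaped allow rules.

Added example for this chapter; not code from the chapter or from Kubernetes.
The policy, the flow records and the thresholds below are constructed so the
script runs offline. Only ipBlock/ports egress rules are modelled.
"""
import ipaddress
from collections import defaultdict

# Constructed allow rules, shaped like spec.egress of a NetworkPolicy that sits
# beside a default-deny-egress policy: DNS to the cluster DNS service IP, and
# HTTPS to one external API range (with one address carved out).
EGRESS_RULES = [
    {   # cluster DNS (assumed service IP; real clusters differ)
        "to": [{"ipBlock": {"cidr": "10.96.0.10/32"}}],
        "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}],
    },
    {   # one external API range, HTTPS only
        "to": [{"ipBlock": {"cidr": "203.0.113.0/24", "except": ["203.0.113.99/32"]}}],
        "ports": [{"protocol": "TCP", "port": 443}],
    },
]

# Constructed flow records: pod,dst_ip,dst_port,protocol[,dns_query]
FLOW_LOG = """\
web-7d9f,10.96.0.10,53,UDP,api.example.com
web-7d9f,203.0.113.10,443,TCP
web-7d9f,203.0.113.99,443,TCP
worker-1a2b,198.51.100.7,22,TCP
worker-1a2b,10.96.0.10,53,UDP,a1.evil.example.net
worker-1a2b,10.96.0.10,53,UDP,b2.evil.example.net
worker-1a2b,10.96.0.10,53,UDP,c3.evil.example.net
worker-1a2b,203.0.113.10,80,TCP
"""


def _ip_block_matches(block, ip):
    """ipBlock semantics: inside cidr and not inside any 'except' range."""
    if ip not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(ip in ipaddress.ip_network(e) for e in block.get("except", []))


def _rule_matches(rule, ip, port, proto):
    """A rule allows a flow when some 'to' peer contains the destination and some
    'ports' entry matches. As in the NetworkPolicy schema, a missing 'to' or
    'ports' means 'all', a missing protocol means TCP, a missing port means any."""
    peers = rule.get("to") or [{"ipBlock": {"cidr": "0.0.0.0/0"}}]
    ports = rule.get("ports") or [{"protocol": proto}]
    peer_ok = any("ipBlock" in p and _ip_block_matches(p["ipBlock"], ip) for p in peers)
    port_ok = any(p.get("protocol", "TCP") == proto and p.get("port") in (None, port)
                  for p in ports)
    return peer_ok and port_ok


def parse_flows(text):
    """Parse the constructed CSV flow records into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        flows.append({
            "pod": fields[0],
            "ip": ipaddress.ip_address(fields[1]),
            "port": int(fields[2]),
            "proto": fields[3],
            "query": fields[4] if len(fields) > 4 else None,
        })
    return flows


def denied_flows(flows, rules=EGRESS_RULES):
    """Flows no allow rule covers: under default-deny these are dropped, and
    each one is a candidate alert about an unexpected destination."""
    return [f for f in flows
            if not any(_rule_matches(r, f["ip"], f["port"], f["proto"]) for r in rules)]


def suspicious_dns(flows, min_names=3):
    """Pods that resolve many distinct names under one parent zone (last three
    labels). Low volume, but a pattern rather than a normal resolution profile.
    The threshold is a constructed heuristic, not a tuned value."""
    seen = defaultdict(set)  # (pod, zone) -> distinct query names
    for f in flows:
        if f["query"] and f["port"] == 53:
            zone = ".".join(f["query"].split(".")[-3:])
            seen[(f["pod"], zone)].add(f["query"])
    return sorted((pod, zone, len(names))
                  for (pod, zone), names in seen.items() if len(names) >= min_names)


def main():
    flows = parse_flows(FLOW_LOG)
    for f in denied_flows(flows):
        print(f"DENY  {f['pod']} -> {f['ip']}:{f['port']}/{f['proto']} (no egress rule covers it)")
    for pod, zone, n in suspicious_dns(flows):
        print(f"DNS   {pod} queried {n} distinct names under {zone}")


if __name__ == "__main__":
    main()
```

Running it lists three flows the allow rules do not cover (the carved-out address, an SSH connection to an unknown host, and plain HTTP to an endpoint that is only allowed on 443) and one pod whose DNS queries spread across several names under a single zone. The same evaluator can be pointed at real flow exports once the rules are read from the cluster's actual policies.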
