A security engineer is hardening a Kubernetes-based microservices application that processes regulated customer data. The cluster spans several worker nodes across multiple availability zones, and the microservices exchange sensitive information during normal operation. Which of the following controls would BEST protect the confidentiality and integrity of the data while it is in transit between pods?
Place all worker nodes in a private subnet that has no direct internet access.
Apply Kubernetes NetworkPolicies that deny all ingress and egress traffic except required ports.
Configure a service mesh that enforces mutual TLS (mTLS) for all service-to-service communication.
Deploy host-based firewalls on each node to block unused TCP and UDP ports.
Mutual TLS (mTLS) enforced by a service mesh such as Istio or Linkerd encrypts every service-to-service connection and mutually authenticates the communicating workloads. This protects data from interception or tampering anywhere on the cluster network and satisfies many compliance requirements for encryption in transit. NetworkPolicies, private subnets, and host-based firewalls improve segmentation or perimeter defenses but do not themselves encrypt the traffic or provide end-to-end authentication between the containers.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why is encryption important for inter-container communication?
Open an interactive chat with Bash
What are some common methods to encrypt inter-container communication?
Open an interactive chat with Bash
What are the potential vulnerabilities of unencrypted inter-container communication?