Kubernetes Security: Container Segmentation | SUSE Communities

Essential for PCI compliance and many financial organizations, NeuVector’s container segmentation capability creates a virtual wall to keep personal and private information securely isolated on your network.

Container segmentation, also called micro-segmentation or nano-segmentation, is often required because containers hold personal or private information about customers or employees, or other critical business data. Without segmentation, this information could be exposed to anyone with access to the network, because containers are often deployed as microservices that can be dynamically deployed and scaled across a Kubernetes cluster.

Typically, because different services can be deployed across a shared network and servers (or VMs, hosts), and each workload or pod has its own network-addressable IP address, container segmentation policies can be difficult to create and enforce. Only NeuVector enables you to segment container connections and enforce network restrictions to prevent attacks that span an entire cluster or an entire container deployment across clouds. NeuVector offers virtualized network segmentation that is aligned tightly with cloud-native container service deployments, as shown below.



With NeuVector, organizations receive:

  • Multi-vector threat protection with the combination of network security, application security, endpoint security, and host security.
  • Superior threat detection: NeuVector’s container firewall detects threats such as SQL injection, DDoS, DNS attacks and other application layer attacks by inspecting the payload even for trusted connections.
  • Service mesh integration: threat detection and segmentation even if the connection between two pods is encrypted.
  • Automated network segmentation: NeuVector’s patented, cloud-native Layer 7 container firewall uses behavioral learning to discover the connections and application protocols used between services and automatically creates whitelist rules to isolate them.
  • Flexibility to segment hybrid workloads: architects and DevOps teams can maximize performance, resource utilization, and speed up the pipeline with the ability to mix workloads of different required trust levels on the same infrastructure.

NeuVector’s container segmentation capability improves scalability, manageability, and flexibility for deployments without needing to change security rules. Layer 7 deep packet inspection allows the container firewall to inspect network traffic for hidden or embedded attacks, even within trusted connections between workloads.



NeuVector: Full Lifecycle Cloud Container Security Platform

NeuVector is the only 100% open source, Zero Trust container security platform. Continuously scan throughout the container lifecycle, remove security roadblocks, and bake in security policies at the start to maximize developer agility. Get started on Kubernetes security by getting NeuVector on GitHub.

Glen Kosaka is head of product security at SUSE. Glen has more than 20 years of experience in enterprise security, marketing SaaS and infrastructure software. He has held executive management positions at NeuVector, Trend Micro, Provilla, Reactivity, Resonate, Quantum and Rignite.