Skip to content

Commit a9a27dc

Browse files
committed
blog: Add Zero Trust network policies article reference
1 parent 2a86ac1 commit a9a27dc

1 file changed

Lines changed: 57 additions & 0 deletions

File tree

Lines changed: 57 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,57 @@
1+
---
2+
date: 2026-06-26
3+
title: "Can't Patch Fast Enough? Zero Trust as a Last Line of Defense"
4+
summary: Network policies in the Layered Zero Trust Validated Pattern provide containment when vulnerabilities are discovered faster than patches can be applied. This post introduces the approach and links to the full Red Hat blog article.
5+
author: Przemyslaw Roguski
6+
blog_tags:
7+
- patterns
8+
- zero-trust
9+
- security
10+
- network-policies
11+
- openshift
12+
- spiffe
13+
---
14+
:toc:
15+
:imagesdir: /images
16+
17+
== The challenge
18+
19+
In 2025, over 40,000 new CVEs were published — more than 100 every single day. AI-powered exploit generation is accelerating the time from disclosure to active exploitation. For enterprise environments running hundreds of containerized workloads across OpenShift clusters, the patching math simply doesn't add up.
20+
21+
So what do you do in the gap between vulnerability disclosure and patch deployment?
22+
23+
== Zero Trust network segmentation
24+
25+
The https://validatedpatterns.io/patterns/layered-zero-trust/[Layered Zero Trust Validated Pattern] implements network policies following https://csrc.nist.gov/pubs/sp/800/207/final[NIST SP 800-207 (Zero Trust Architecture)] principles. The approach is built on two layers:
26+
27+
* **Default-deny** — a namespace-wide NetworkPolicy that blocks all ingress and egress for every pod unless an explicit allow rule exists. This transforms the security posture from "everything is open unless blocked" to "everything is blocked unless explicitly allowed."
28+
29+
* **Per-pod allow rules** — each pod type gets its own NetworkPolicy specifying exactly which connections it needs. Only explicitly required traffic flows are permitted — DNS, database connections, API access, and inter-component communication are all individually justified and documented.
30+
31+
This means that even if a vulnerability is exploited in one component, the attacker cannot move laterally across namespaces, exfiltrate data to external servers, or reach sensitive infrastructure like Vault or the Kubernetes API — because the network layer blocks those connections before any application-level security is evaluated.
32+
33+
== What the pattern covers
34+
35+
The ZTVP currently implements network policies for:
36+
37+
* **Vault** — secrets infrastructure with per-pod ingress/egress rules
38+
* **Keycloak (RHBK)** — identity provider with operator-managed ingress and custom egress rules
39+
* **ZTWIM (SPIRE/SPIFFE)** — workload identity infrastructure with special handling for hostNetwork agents
40+
* **qtodo** — sample application demonstrating the default-deny + allow pattern
41+
42+
Each namespace follows the same proven approach: default-deny foundation, per-pod allow rules with documented justifications, and dry-run verification on a live cluster before deployment.
43+
44+
== Read the full article
45+
46+
For a deep dive into why network policies are your last line of defense, how they align with NIST SP 800-207, and practical examples from the ZTVP, read the full article on the Red Hat Developer blog:
47+
48+
**https://developers.redhat.com/articles/2026/06/26/cant-patch-fast-enough-zero-trust-last-line-defense[Can't Patch Fast Enough? Zero Trust as a Last Line of Defense]**
49+
50+
== Get started
51+
52+
The Layered Zero Trust Validated Pattern is open source:
53+
54+
* https://validatedpatterns.io/patterns/layered-zero-trust/[Pattern documentation]
55+
* https://github.com/validatedpatterns/layered-zero-trust[Source repository]
56+
57+
This is the first in a planned series of articles covering the security layers in the ZTVP — workload identity (SPIFFE/SPIRE), Vault integration, supply chain security, and ACS runtime monitoring.

0 commit comments

Comments
 (0)