SECURITY ANALYSIS OF KUBERNETES NETWORK PLUGINS

DOI: 10.31673/2409-7292.2025.015886

Authors

  • Ю. А. Кулик (Kulyk Yu. A.), Information Security Department, Lviv Polytechnic National University
  • Ю. В. Лах (Lakh Yu. V.), Information Security Department, Lviv Polytechnic National University

Abstract

This paper examines how Kubernetes uses the Container Network Interface (CNI) standard to provide communication
between containers deployed on different nodes, offering a flexible and scalable approach to network configuration. It
considers how this flexibility, while beneficial for efficient resource utilization and simplified management, also poses certain
security risks. Four popular network plugins (Flannel, Calico, Weave Net, and Cilium) are analyzed: their
architecture, their methods for providing communication between pods, and the risks associated with their use, such
as the ability of an attacker to move within the network if a pod is compromised. The main focus is on how the different plugins
implement security features. Some of them provide the ability to configure advanced network policies and encrypt traffic, while
others rely on minimalism and ease of setup. The article emphasizes that effective traffic isolation cannot be based on default
settings alone, especially given the “flat” Kubernetes network model. Platform administrators are therefore advised to
combine network segmentation, strict adherence to the principle of least privilege, regular plugin updates and
environment monitoring. The article presents a number of recommendations that cover technical measures, configuration
guidelines and organizational processes. These include applying network policies, enabling encryption, restricting the privileges
of CNI components and updating them in a timely manner. As the Kubernetes platform grows, the need for careful management
of network plugins increases so that their flexibility and scalability do not come at the expense of security.
Keywords: Kubernetes, CNI, BGP, eBPF, pods, network policies, traffic encryption.

Published

2025-05-09

Section

Articles