Microsegmentation is talked about everywhere but almost never shown end-to-end. This repo runs eight different implementations on a laptop, so you can see what each pattern actually does to packets.
| # | Pattern | Tool | What you actually run |
|---|---|---|---|
| 01 | K8s NetworkPolicy | Calico CNI | kind cluster, nc from attacker pod gets blocked once you apply the policy |
| 02 | Cilium L7 + Hubble | Cilium eBPF + Envoy | curl DELETE returns 403 from Envoy, attacker times out at L4, Hubble UI shows the verdict |
| 03 | Calico tiered global policy | Calico GlobalNetworkPolicy | order/tier evaluation across namespaces |
| 04 | Istio mTLS + AuthZ | Istio sidecar | STRICT mTLS plus principal-based deny |
| 05 | SPIFFE/SPIRE + Envoy | SPIRE Server/Agent + Envoy | Envoy fetches an X.509-SVID via SDS and uses it for mTLS |
| 06 | Host firewall, agent-style | nftables in a privileged Docker container | per-host rules pushed from a controller |
| 07 | Admission-time control | OPA Gatekeeper | a Pod missing the required label is rejected at kubectl apply |
| 08 | AWS Security Group as code | LocalStack + OpenTofu | VPC/SG provisioned offline, API surface explored |
Each directory has its own README, run.sh, cleanup.sh, and manifests. The scripts are idempotent and clean up after themselves.
If you're starting from zero, the labs build on each other in numbered order: 01 establishes the L3/L4 baseline, 02 introduces L7 and identity, 04/05 swap label-trust for cert-trust, 06 covers the host-firewall view, 07 the admission-time guardrail, 08 the cloud API surface.
Prerequisites: Docker (any of Docker Desktop / Rancher Desktop / OrbStack), plus kind, kubectl and helm. Some patterns also need cilium, istioctl, tofu and jq.

`make check-tools` prints what's installed and what's missing.
Quick start:

```sh
cd 02-cilium-l7-identity
./run.sh
# ... outputs PASS/FAIL for each connectivity check
./cleanup.sh
```

`make clean-all` runs every cleanup.sh if you want to wipe everything.
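The table above describes the outcome of each lab as "attacker blocked, legitimate path still works", and run.sh reports that as a PASS/FAIL line per check. The script below is an added example of that checking pattern, written for this page; it is not the repo's own run.sh. The pod names `attacker`, `frontend` and `backend`, the port 8080 and the `LAB_NS` variable are assumptions for illustration. Without `LAB_NS` set it runs an offline demo in which `false` stands in for a connection that times out and `true` for one that succeeds.

```sh
#!/usr/bin/env sh
# Added example (not the repo's run.sh): the PASS/FAIL connectivity-check
# pattern the labs use, reduced to two helpers plus a summary.
# Pod names, namespace variable and port in k8s_checks() are assumptions.

PASS_COUNT=0
FAIL_COUNT=0

# expect_blocked LABEL CMD...: the probe must fail (traffic denied).
expect_blocked() {
  label=$1
  shift
  if "$@" >/dev/null 2>&1; then
    FAIL_COUNT=$((FAIL_COUNT + 1))
    printf 'FAIL  %s: traffic was allowed, expected deny\n' "$label"
    return 1
  fi
  PASS_COUNT=$((PASS_COUNT + 1))
  printf 'PASS  %s: denied\n' "$label"
}

# expect_allowed LABEL CMD...: the probe must succeed (legitimate path intact).
# A policy that blocks the attacker but also breaks frontend->backend is a
# FAIL too; both directions are checked in every lab.
expect_allowed() {
  label=$1
  shift
  if "$@" >/dev/null 2>&1; then
    PASS_COUNT=$((PASS_COUNT + 1))
    printf 'PASS  %s: allowed\n' "$label"
    return 0
  fi
  FAIL_COUNT=$((FAIL_COUNT + 1))
  printf 'FAIL  %s: denied, expected allow\n' "$label"
  return 1
}

# summary: one line, exit status non-zero if any check failed.
summary() {
  printf '%d passed, %d failed\n' "$PASS_COUNT" "$FAIL_COUNT"
  [ "$FAIL_COUNT" -eq 0 ]
}

# Offline demo with constructed probes: `false` stands in for a connection
# that times out, `true` for one that succeeds.
offline_demo() {
  PASS_COUNT=0
  FAIL_COUNT=0
  expect_blocked "attacker -> backend:8080 (stand-in)" false
  expect_allowed "frontend -> backend:8080 (stand-in)" true
  summary
}

# Against a real kind cluster (only when LAB_NS is set). Pod names are
# assumed. nc -z is a connect-only probe; -w 2 bounds the wait so a denied
# path reports as a timeout instead of hanging the script.
k8s_checks() {
  ns=${LAB_NS:?set LAB_NS to the lab namespace}
  expect_blocked "attacker -> backend:8080" \
    kubectl -n "$ns" exec attacker -- nc -z -w 2 backend 8080
  expect_allowed "frontend -> backend:8080" \
    kubectl -n "$ns" exec frontend -- nc -z -w 2 backend 8080
  summary
}

if [ -n "${LAB_NS:-}" ]; then
  k8s_checks
else
  offline_demo
fi
```

Run it once before applying a policy (the attacker check should FAIL, since nothing is denied yet) and once after; the exit status of `summary` lets the same script gate a CI job.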
License: MIT.