STUB

Zero-Trust Networking

The pattern: never trust the network; every connection authenticates + authorizes. No “inside the firewall = trusted.” Identity-based access (workload identity for services, OIDC for humans) replaces IP-based access. Lateral movement after a breach becomes much harder.

The trade-off: operational complexity vs. blast radius. Zero-trust requires every connection to do crypto + identity checks (mTLS, signed tokens) — more moving parts than “trust everything in the VPC.” But the alternative is the famous flat-network breach pattern: one compromised host, total network ownership. Modern platforms (K8s + service mesh + workload identity + OIDC) make zero-trust feasible.

Deepens in Year 2 Phase 12: Platform Engineering — UX + Security — service mesh mTLS + Tailscale on the homelab + Dex OIDC. The L3/L4 fundamentals come from Year 1 Phase 2: Networking, the segmentation substrate from Year 1 Phase 7: Kubernetes + GitOps, and the audit/visibility layer from Year 3 Phase 14: Observability + eBPF.

  • service-mesh — where workload-identity mTLS actually lands at scale.
  • network-policy — L3/L4 segmentation as one tactical control under the zero-trust frame.
  • service-discovery — discovery has to deliver identity, not just an address.
  • zero-trust-security — same principle viewed from the security category.
  • least-privilege — the per-connection authorization decision zero-trust enforces.
  • defense-in-depth — identity + mTLS + policy + audit are layered, not alternatives.