Tigera: Insecure by Default: Taking Kubernetes Egress from Unrestricted to Least-Privilege

Online

When you deploy a Kubernetes workload there are no outbound controls, no domain restrictions, and in most environments, no visibility into what it is actually talking to, both inside and outside the cluster. This is the default, and while it may make networking simpler in a dynamic environment like Kubernetes, it creates significant risks that cannot go unaddressed. A compromised workload with unrestricted egress can exfiltrate data, establish a command-and-control channel, or pivot to external systems without triggering a single alert. Many organizations discover the gap during a compliance audit or after an incident, which is far too late.

In this workshop, you will start with a real cluster in its default state and systematically build a least-privilege outbound posture. You will restrict workloads to approved domains using DNS-based policies, route outbound traffic through egress gateways for centralized control, and use flow logs to uncover what was previously invisible. You will leave with a roadmap for developing a working egress security architecture and a methodology to audit what is leaving your cluster.

You will learn:

Mapping Your Egress Exposure

Use Calico’s flow logs and observability dashboard to build a baseline picture of outbound traffic from a default-allow cluster—seeing exactly which workloads are reaching which external destinations.

DNS-Based Egress Policies

Implement domain-level allowlists that restrict workloads to approved external services by name—without maintaining brittle IP-based rules that break when cloud providers rotate addresses.
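As an added illustration, not part of the workshop materials, of the domain-level allowlist described above: a Calico GlobalNetworkPolicy that denies all egress from a hypothetical `payments` workload except cluster DNS and a named set of external domains. The pod selector and the domain names are constructed for the example; the `domains` match is a DNS policy feature of Calico Enterprise and Calico Cloud.

```yaml
# Added example, not from the workshop: least-privilege egress for one workload.
# Assumes Calico Enterprise or Calico Cloud (DNS policy); selector and domains are constructed.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: payments-egress-allowlist
spec:
  order: 100
  # Constructed selector: apply only to pods labelled app=payments.
  selector: app == "payments"
  types:
    - Egress
  egress:
    # 1. Cluster DNS must be allowed first: Calico learns name->IP mappings from
    #    the resolver's responses, so blocking DNS also breaks the domain rules.
    - action: Allow
      protocol: UDP
      destination:
        namespaceSelector: projectcalico.org/name == "kube-system"
        selector: k8s-app == "kube-dns"
        ports: [53]
    - action: Allow
      protocol: TCP
      destination:
        namespaceSelector: projectcalico.org/name == "kube-system"
        selector: k8s-app == "kube-dns"
        ports: [53]
    # 2. Approved external services by name, not by IP (constructed domains).
    #    A leading "*." matches any subdomain, which survives provider IP rotation.
    - action: Allow
      protocol: TCP
      destination:
        domains:
          - api.payment-processor.example
          - "*.s3.amazonaws.com"
        ports: [443]
    # 3. Everything else leaving these pods is logged, then denied; the denied
    #    flows are what the flow-log review later in the workshop keys on.
    - action: Log
    - action: Deny
```

Because the policy is scoped by selector, pods without the `app=payments` label keep the default-allow behaviour; a cluster-wide default-deny egress policy at a higher `order` value is the usual final step.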

Egress Gateway Routing

Route approved outbound traffic through dedicated egress gateways, creating a single enforcement and logging point for everything leaving the cluster.

Detecting Unauthorized Egress Attempts

Use flow logs to identify workloads attempting to reach unapproved destinations—turning blocked connections into actionable security intelligence.

Join us to see how to take a Kubernetes cluster from wide-open egress to a fully auditable, least-privilege outbound posture, step by step, in a real environment.