In a cloud-native environment, Kubernetes-based container orchestration has brought developer agility – but it has also fundamentally changed the security paradigm. Traditional “castle-and-moat” security designs that rely on a perimeter firewall are no longer enough to protect modern workloads. Once an attacker breaches that outer shell, the flat network architecture common in many Kubernetes environments allows them to move laterally with ease, potentially compromising many applications in their hunt for high-value assets to ransom. The threat landscape is further worsened by recent cyberattacks that have halted business operations for weeks and months, causing massive financial losses (hundreds of millions of dollars or more), and by the emergence of AI-driven autonomous attacks.
Bridging this lateral security gap with VMware vDefend is crucial for organizations leveraging vSphere Kubernetes Service (VKS) within VMware Cloud Foundation (VCF). The fact that vDefend is fully integrated with VKS and completely plug-and-play with VCF makes a comprehensive rollout of Zero Trust lateral protection across all VKS clusters operationally simple and fast. Businesses can finally implement a true Zero Trust security model consistently across Virtual Machines and Containers – the same policy model, the same management console and APIs, the same troubleshooting tools. The combination of vDefend with VKS clusters decouples security policy from IP addresses, which are ephemeral in Kubernetes, and instead uses workload-based identity to enforce granular protection.
In a typical Kubernetes cluster, network identity is fleeting. Containers are designed to be short-lived: when a pod is terminated and a new one is created, a completely different IP address is assigned. This “ephemeral” nature makes traditional IP-based firewall rules obsolete almost instantly, leading to administrative overhead or, worse, massive security holes.
The integration of VMware vDefend and vSphere Kubernetes Service (VKS) solves this by decoupling security from the networking layer. Instead of relying on static IPs, vDefend uses Antrea CNI, the default CNI with VKS, to enforce context-aware policies based on logical metadata – such as labels applied to namespaces, services, and pods. Because the security policy is tied to the workload’s identity rather than its IP address, the protection follows the Pod automatically, even as it scales or is recreated on a different node. Furthermore, this enforcement occurs at the immediate point of origin: the Pod interface for containerized workloads and the vNIC for Virtual Machines within the Hypervisor. This ensures that security is applied at the ‘first hop,’ neutralizing threats before they ever traverse the physical or virtual network.
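To make the label-based model concrete, here is an added example (not from the original post, and not generated by the vDefend console) written directly as an Antrea ClusterNetworkPolicy, the policy type Antrea enforces at the Pod interface. It assumes a hypothetical `payments` namespace running pods labelled `app: payments-api` on TCP 8443, a `web` namespace with pods labelled `app: storefront`, and an Antrea version that serves the `crd.antrea.io/v1beta1` API; nothing in it references a pod IP, so it keeps applying after pods are rescheduled or recreated.

```yaml
# Added example: Antrea ClusterNetworkPolicy selecting workloads by labels only.
# Namespace and app labels below are constructed for illustration.
apiVersion: crd.antrea.io/v1beta1
kind: ClusterNetworkPolicy
metadata:
  name: payments-api-ingress
spec:
  # Lower number = evaluated earlier within the tier.
  priority: 10
  tier: application
  # Policy is applied to the payments-api pods in the payments namespace;
  # podSelector and namespaceSelector in one entry are ANDed.
  appliedTo:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: payments   # label set by Kubernetes on every namespace
      podSelector:
        matchLabels:
          app: payments-api
  ingress:
    # Only the storefront pods in the web namespace may reach the API port.
    - name: allow-storefront
      action: Allow
      from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: web
          podSelector:
            matchLabels:
              app: storefront
      ports:
        - protocol: TCP
          port: 8443
    # Everything else is dropped at the first hop; logging the drops gives
    # the detection signal for unexpected east-west attempts.
    - name: drop-other-ingress
      action: Drop
      enableLogging: true
```

Because both the `appliedTo` and `from` selectors match labels rather than addresses, a storefront pod that is recreated with a new IP is still matched, and a pod that merely happens to reuse an old storefront IP is not.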