Sign in Subscribe
Concepts

Identity-Aware Network Policies for Kubernetes Non-Human Identities

Andrios Robert

1 min read

The pod did not trust its neighbor. Traffic flowed, but rules were unclear. One misstep could open a hole wide enough for an attacker—or an untracked system account—to slip through.

Kubernetes network policies are built to control how workloads talk to each other and to the outside world. Most engineers use them to restrict or allow traffic between pods based on namespaces, labels, or IPs. But human operators are not the only actors in your cluster. Non-human identities—service accounts, CI/CD runners, automated controllers—initiate and receive network traffic constantly. Without specific enforcement, these identities can bypass intended security boundaries.

A non-human identity in Kubernetes is any service or process that operates under a service account instead of a person’s login. These accounts hold RBAC permissions, but network-level restrictions often rely on pod-level selectors, not the identity that caused or received the traffic. This gap is where risk accumulates.

Mapping network policies to non-human identities requires two steps:

  1. Identify all service accounts and the pods or jobs that use them.
  2. Apply network policy rules that match labels tied to those accounts, ensuring traffic rules follow identity context instead of only location or namespace.

For example, a policy could allow traffic from one automated ingestion job to a database pod, but block every other source, human or machine. By anchoring policies to the service account’s label set, you align enforcement with workload purpose. This stops rogue automation from probing beyond its scope.

A common pitfall is assuming that namespace isolation covers non-human traffic. Namespaces limit scope in the control plane, not at the network level unless explicitly defined. Attackers who compromise a service account can spawn a pod in the same namespace, then move laterally. A well-scoped network policy tied to that account disrupts the path.

Audit your cluster regularly for unused or overprivileged service accounts. Combine RBAC tightening with network segmentation to lock down every non-human identity. Treat their traffic as you would an external client—define what they can access, cut off everything else.

Kubernetes gives you the primitives. Your discipline defines the defense.

See how simple identity-aware network policies can be. Try it live in minutes at hoop.dev.