Install: claude install-skill marvinrichter/clarc
# Zero-Trust Patterns
## When to Activate
- Designing service-to-service communication in Kubernetes or cloud environments
- Implementing mTLS between microservices
- Setting up SPIFFE/SPIRE for workload identity
- Configuring Istio or Linkerd service mesh
- Writing Kubernetes NetworkPolicies
- Reviewing east-west traffic security
- Building BeyondCorp-style access controls
- Auditing existing cluster network policies for trust boundary gaps
---
## Core Principles (NIST SP 800-207)
Zero-Trust Architecture operates on four pillars:
1. **Never trust, always verify** — even traffic from within the private network is untrusted. Every connection requires authentication and authorization.
2. **Explicit verification** — identity + device + context checked at every request (not just at the perimeter).
3. **Least Privilege Access** — minimal rights, just enough to complete the task, scoped to the operation.
4. **Assume Breach** — design to minimize lateral movement when an attacker is already inside the network.
---
## Service Identity with SPIFFE/SPIRE
**SPIFFE** (Secure Production Identity Framework for Everyone) is the open standard for cryptographic workload identities; **SPIRE** is its production reference implementation, issuing and rotating the certificates (SVIDs) that carry those identities.
### SVID Format
```
spiffe://trust-domain/path/to/workload
# Example:
spiffe://prod.example.com/ns/payments/sa/checkout-service
```
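Because every authorization decision downstream hangs on the SVID string, the first thing a workload should do with a peer identity is validate and split it strictly rather than string-match it. The following Go program is an added example (not part of this skill file, and not code from the SPIFFE/SPIRE projects): `ParseSPIFFEID` enforces the SPIFFE ID constraints the format relies on (a `spiffe://` scheme, a non-empty lowercase trust domain over `[a-z0-9._-]`, and path segments that are non-empty, are not `.` or `..`, use only `[A-Za-z0-9._-]`, and have no trailing slash), and `Policy.Authorize` shows an exact-match, per-operation allowlist keyed on the parsed identity. The `Policy` type, the operation names such as `POST /charges`, and the staging/admin identities in `main` are constructed for illustration; the only identifier taken from the page is the `checkout-service` SVID above.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// SPIFFEID is the parsed form of spiffe://<trust-domain><path>.
type SPIFFEID struct {
	TrustDomain string
	Path        string // "" for a trust-domain-only ID, otherwise begins with "/"
}

// String re-serialises the ID; parsing rejects non-canonical input, so this is exact.
func (id SPIFFEID) String() string { return "spiffe://" + id.TrustDomain + id.Path }

var (
	ErrScheme      = errors.New("spiffe id: must start with spiffe://")
	ErrTrustDomain = errors.New("spiffe id: trust domain empty or has invalid characters")
	ErrPath        = errors.New("spiffe id: path has an empty, '.', '..' or badly formed segment")
)

func isTrustDomainChar(c byte) bool {
	return (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_'
}

func isPathChar(c byte) bool { return isTrustDomainChar(c) || (c >= 'A' && c <= 'Z') }

// ParseSPIFFEID validates and splits an ID. Query strings, fragments, userinfo,
// ports and percent-encoding are all rejected because their characters fall
// outside the allowed sets, so a caller cannot smuggle in an alias of another ID.
func ParseSPIFFEID(s string) (SPIFFEID, error) {
	const scheme = "spiffe://"
	if !strings.HasPrefix(s, scheme) {
		return SPIFFEID{}, ErrScheme
	}
	rest := s[len(scheme):]
	td, path := rest, ""
	if i := strings.IndexByte(rest, '/'); i >= 0 {
		td, path = rest[:i], rest[i:]
	}
	if td == "" {
		return SPIFFEID{}, ErrTrustDomain
	}
	for i := 0; i < len(td); i++ {
		if !isTrustDomainChar(td[i]) {
			return SPIFFEID{}, ErrTrustDomain
		}
	}
	if path != "" { // drop the leading "/" and check every segment
		for _, seg := range strings.Split(path[1:], "/") {
			if seg == "" || seg == "." || seg == ".." {
				return SPIFFEID{}, ErrPath
			}
			for i := 0; i < len(seg); i++ {
				if !isPathChar(seg[i]) {
					return SPIFFEID{}, ErrPath
				}
			}
		}
	}
	return SPIFFEID{TrustDomain: td, Path: path}, nil
}

// Policy maps an exact caller SPIFFE ID to the operations it may invoke
// (constructed type for this example). No wildcards: each grant is scoped to
// one workload identity and one operation, the least-privilege posture above.
type Policy map[string]map[string]bool

// Authorize fails closed: a malformed ID or one from another trust domain is
// refused before the allowlist is even consulted.
func (p Policy) Authorize(localTrustDomain, callerID, op string) (bool, error) {
	id, err := ParseSPIFFEID(callerID)
	if err != nil {
		return false, err
	}
	if id.TrustDomain != localTrustDomain {
		return false, fmt.Errorf("caller %s is outside trust domain %s", id, localTrustDomain)
	}
	return p[id.String()][op], nil
}

func main() {
	// Constructed sample policy for a service that checkout-service calls.
	policy := Policy{
		"spiffe://prod.example.com/ns/payments/sa/checkout-service": {"POST /charges": true},
	}
	for _, c := range []struct{ id, op string }{
		{"spiffe://prod.example.com/ns/payments/sa/checkout-service", "POST /charges"},
		{"spiffe://prod.example.com/ns/payments/sa/checkout-service", "DELETE /charges"},
		{"spiffe://staging.example.com/ns/payments/sa/checkout-service", "POST /charges"},
		{"spiffe://prod.example.com/ns/payments/../admin/sa/root", "POST /charges"},
	} {
		ok, err := policy.Authorize("prod.example.com", c.id, c.op)
		fmt.Printf("%-62s %-14s allow=%v err=%v\n", c.id, c.op, ok, err)
	}
}
```

Running it allows only the first case; the second fails on operation, the third on trust domain, and the fourth never reaches the allowlist because the `..` segment is rejected at parse time. In a real deployment the caller ID would come from the URI SAN of the peer's X.509-SVID after mTLS verification, and the policy from configuration rather than a literal.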
### SPIRE Server + Agent Setup
```yaml
# spire-server.yaml
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: spire-server
  namespace: spire
spec:
  replicas: 1
  selector: