Portable service mesh implementations enable Layer 4 to Layer 7 policy enforcement across heterogeneous infrastructures, yet they depend on the underlying network's connectivity and policies. Layer 3 network policies govern IP traffic regardless of whether upper layers authorize the flow. While these policies are integral to security, correct enforcement often requires coordination across multiple teams, and achieving consistent policy behavior across heterogeneous environments is challenging. Studies show that most Kubernetes clusters do not enforce any network policies. We propose integrating Layer 3 network policy enforcement with service meshes to protect data-plane traffic in a portable, infrastructure-agnostic manner. This integration allows developers to define Layer 3-7 policies and to ensure enforcement across any infrastructure. Our solution builds an overlay Layer 3 network and enforces Layer 3 policies by routing traffic through specific policy enforcement points and applying default-deny principles with authorization keys. We prototyped our approach using Kubernetes and Istio and found that it adds less than 1 ms of latency while supporting complex policies comparable to native Kubernetes network policies.
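The abstract's core mechanism is a policy enforcement point that drops any Layer 3 flow not explicitly allowed and additionally requires an authorization key before an allowed flow passes. The following Python model, added here as an illustration and not code from the paper or its Istio prototype, shows how those two checks compose: CIDR/protocol/port rules in the shape of a Kubernetes NetworkPolicy ingress rule, a default-deny fall-through, and an authorization key that the example derives with HMAC over the rule name and the flow's addresses and port. The HMAC derivation, the `Flow`/`Rule` names, the secret and all addresses are constructed assumptions; the paper does not specify how its keys are formed or carried.

```python
"""Toy Layer 3 policy enforcement point: default-deny CIDR rules plus a per-flow
authorization key. Illustration only; not the paper's implementation."""
import dataclasses
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed control-plane secret; a real deployment distributes keys out of band.
PEP_SECRET = b"constructed-demo-secret"


@dataclass(frozen=True)
class Flow:
    """A Layer 3/4 flow as seen by the enforcement point (constructed fields)."""
    src: str
    dst: str
    proto: str                        # "tcp" or "udp"
    dport: int
    auth_key: Optional[bytes] = None  # hypothetical key carried in the overlay header


@dataclass(frozen=True)
class Rule:
    """One allow rule, similar in shape to a Kubernetes NetworkPolicy ingress rule."""
    name: str
    src_cidr: str
    dst_cidr: str
    proto: str
    dport: int

    def matches(self, flow: Flow) -> bool:
        return (
            ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src_cidr)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst_cidr)
            and flow.proto == self.proto
            and flow.dport == self.dport
        )


def issue_auth_key(secret: bytes, rule: Rule, flow: Flow) -> bytes:
    """Derive the key a control plane would hand a workload authorized under `rule`.
    Binding the key to rule name and 4-tuple means a key for one flow is useless for another
    (assumed derivation; the paper does not specify one)."""
    msg = f"{rule.name}|{flow.src}|{flow.dst}|{flow.proto}|{flow.dport}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


class PolicyEnforcementPoint:
    """Every overlay packet is routed through `decide`; nothing passes unless a rule allows it."""

    def __init__(self, rules: Iterable[Rule], secret: bytes = PEP_SECRET):
        self.rules = list(rules)
        self.secret = secret

    def decide(self, flow: Flow) -> str:
        for rule in self.rules:
            if not rule.matches(flow):
                continue
            # A CIDR/port match alone is not sufficient: the sender must also present the
            # key issued for this rule and flow, so a spoofed-but-allowed source address
            # without the key is still dropped.
            if flow.auth_key is None:
                return f"DENY: rule {rule.name} matched but no authorization key"
            expected = issue_auth_key(self.secret, rule, flow)
            if not hmac.compare_digest(flow.auth_key, expected):
                return f"DENY: rule {rule.name} matched but key invalid"
            return f"ALLOW: {rule.name}"
        # Default-deny: no rule matched, so the IP flow is dropped regardless of what
        # the Layer 7 mesh policy might have authorized.
        return "DENY: default-deny (no matching rule)"


def demo() -> Dict[str, str]:
    """Run four constructed flows through the enforcement point and return the verdicts."""
    rules = [
        Rule("frontend-to-api", "10.1.0.0/24", "10.2.0.0/24", "tcp", 8080),
        Rule("api-to-db", "10.2.0.0/24", "10.3.0.0/24", "tcp", 5432),
    ]
    pep = PolicyEnforcementPoint(rules)

    # Legitimate flow: frontend presents the key issued for its rule.
    legit = Flow("10.1.0.5", "10.2.0.9", "tcp", 8080)
    legit = dataclasses.replace(legit, auth_key=issue_auth_key(PEP_SECRET, rules[0], legit))
    # Allowed addresses and port, but no key (e.g. a spoofed source on the overlay).
    no_key = Flow("10.1.0.7", "10.2.0.9", "tcp", 8080)
    # Frontend talking straight to the database: no rule covers this at all.
    unrouted = Flow("10.1.0.5", "10.3.0.2", "tcp", 5432)
    # Key issued for the frontend flow replayed against the api-to-db rule.
    replayed = Flow("10.2.0.9", "10.3.0.2", "tcp", 5432, auth_key=legit.auth_key)

    return {
        "legit": pep.decide(legit),
        "no_key": pep.decide(no_key),
        "unrouted": pep.decide(unrouted),
        "replayed": pep.decide(replayed),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} -> {verdict}")
```

The order of checks is deliberate: default-deny is the fall-through, so a newly added workload has no connectivity until someone writes a rule, and the key check sits behind the rule match so that a stolen key cannot widen what the rule already permits.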