Passing SC-7 and Subnetting

old.reddit.com / @/u/RipDifferent4532, https://old.reddit.com/user/RipDifferent4532

We run our product services mostly as containers on AWS Elastic Kubernetes Service in one large cluster with separate pods. Some of the containers handle web requests. They are behind a load balancer and Web Application Firewall. Control SC-7 and the FedRAMP Subnetting guide ask for separation between containers/servers serving web pages from internal app and data containers/services (see https://www.fedramp.gov/assets/resources/documents/FedRAMP_subnets_white_paper.pdf). This appears to imply we will need to either run the web containers on a separate cluster or implement something like Calico to isolate the web containers from the other containers. Both of these steps would cause many weeks of extra work and testing, since either would be a major change.

Has anyone that runs Kubernetes run into this challenge and found good solutions to address or at least easier solutions than splitting the cluster? It appears the goal of the control is to limit lateral movement within the cluster if the web server container becomes compromised, so any layer of defense that would help prevent lateral movement may help compensate.

submitted by /u/RipDifferent4532

published 2 days ago
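One compensating layer the question points at, as an added example that is not part of the original post: a deny-by-default Kubernetes NetworkPolicy set that lets a web pod talk only to the app tier, so a compromised web container cannot move laterally to other pods. The labels (tier=web, tier=app), the namespace name "prod", the service port 8080 and the load-balancer CIDR are assumptions; it also assumes a CNI that enforces NetworkPolicy (for example Calico, which the post mentions).

```yaml
# Added example (not from the post): deny-by-default NetworkPolicy set for one
# namespace so that a compromised web pod can reach only the app tier on its service
# port (plus cluster DNS). Assumes pods labelled tier=web / tier=app, the namespace
# "prod", and a CNI that enforces NetworkPolicy (e.g. Calico, as the post mentions).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: default-deny-all, namespace: prod}
spec:
  podSelector: {}                      # every pod in the namespace
  policyTypes: [Ingress, Egress]       # no rules listed => all traffic denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: web-tier, namespace: prod}
spec:
  podSelector: {matchLabels: {tier: web}}
  policyTypes: [Ingress, Egress]
  ingress:
  - from:
    - ipBlock: {cidr: 10.0.0.0/16}     # placeholder: subnet range the LB / WAF sends from
    ports:
    - {protocol: TCP, port: 8080}
  egress:
  - to:
    - podSelector: {matchLabels: {tier: app}}
    ports:
    - {protocol: TCP, port: 8080}
  - to:                                # DNS: kube-dns in kube-system only
    - namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: kube-system}}
      podSelector: {matchLabels: {k8s-app: kube-dns}}
    ports:
    - {protocol: UDP, port: 53}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: app-tier, namespace: prod}
spec:
  podSelector: {matchLabels: {tier: app}}
  policyTypes: [Ingress]
  ingress:
  - from:
    - podSelector: {matchLabels: {tier: web}}
    ports:
    - {protocol: TCP, port: 8080}
```

Because the first policy selects every pod and lists no rules, any tier not given an explicit allow (such as a data tier) is unreachable until it gets its own policy admitting only the tier above it. The resulting allow-list is also the artifact an assessor can review against the SC-7 boundary requirement.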