[REVIEW] segmentation: add service-mesh bypass and host-network gates

[wangedmund77-cmyk]

Skill Being Reviewed

Skill name: segmentation
Skill path: skills/network/segmentation/SKILL.md

False Positive Analysis

Benign code/config that can be over-flagged:

namespace=payments
default_deny_network_policy=true
istio_peer_authentication=STRICT
pods_hostNetwork=false
sidecar_injection=required

Why this is a false positive:
A Kubernetes namespace with strict mTLS, default-deny policy, and no host-network pods should not be scored as flat simply because services share a cluster. The assessment should verify mesh and network-policy enforcement before flagging co-residency.

Coverage Gaps

Missed variant 1:

Pod runs with hostNetwork or hostPort and bypasses service mesh sidecar policy, reaching node or VPC resources outside intended namespace segmentation.

Why it should be caught:
This creates a lateral path that ordinary namespace-level service-mesh policy may not control.

Missed variant 2:

Namespace has Istio AuthorizationPolicy, but no Kubernetes default-deny NetworkPolicy, so traffic that bypasses the sidecar or targets non-mesh workloads remains open.

Why it should be caught:
Mesh policy and network policy are complementary; relying on one without the other leaves bypass paths.

Edge Cases

Init containers, CNI failures, debug pods, node-local services, and DaemonSets can legitimately need different paths. They require explicit exceptions, owner, expiry, and evidence that host-level routes cannot reach protected zones.

Remediation Quality

• Fix resolves the vulnerability
• Fix doesn't introduce new security issues
• Fix doesn't break functionality
• Issues found: Add gates for hostNetwork/hostPort use, sidecar injection coverage, mTLS strictness, default-deny NetworkPolicy, CNI enforcement status, node-local bypass paths, and exception expiry.

Comparison to Other Tools

Tool	Catches this?	Notes
Istio/Linkerd policy	Partial	Enforces mesh traffic but may not cover host-network or non-mesh paths.
Kubernetes NetworkPolicy	Partial	Controls pod traffic if CNI supports it, but not all host-level flows.
Cilium/Calico	Partial	Can enforce both, but configuration evidence must be checked.

Overall Assessment

Strengths:
The skill already covers zones, east-west traffic, Kubernetes NetworkPolicy, Calico, Cilium, and service mesh readiness.

Needs improvement:
It should explicitly test mesh bypass paths where workload identity policy and network enforcement diverge.

Priority recommendations:

1. Add a service-mesh bypass checklist to intra-zone evaluation.
2. Require default-deny network policy and sidecar coverage evidence together.
3. Track hostNetwork/hostPort exceptions with owner, expiry, and allowed destination.

Bounty Info

• I have read and agree to the CONTRIBUTING.md bounty terms
• Preferred payment method: Crypto or PayPal after maintainer acceptance.

[rock2089]

I'd like to work on this bounty.

[exodusubuntu-tech]

/opire try

Automated fix submitted by REAPR.
PR: #1925

[JamesJi79]

/attempt

[JamesJi79]

VALID GAP — Service Mesh Bypass & Host Network

Why Valid (FP confirmed)

A namespace with default_deny_network_policy=true, istio_peer_authentication=STRICT, and pods NOT using hostNetwork is not a segmentation failure. Istio mTLS + Kubernetes NetworkPolicy provides defense-in-depth. Flagging this as a flat risk ignores compensating mesh controls.

Coverage Gaps

Gap 1 — Sidecar injection disabled — Pod with sidecar.istio.io/inject: "false" annotation bypasses mesh mTLS even when PeerAuthentication=STRICT exists at namespace level. The skill checks namespace policy but not per-pod injection status.

Gap 2 — hostNetwork pods bypass mesh entirely — spec.hostNetwork: true pods are invisible to Istio — they use host networking and skip the sidecar proxy entirely. The current DFD does not distinguish hostNetwork from regular pods in the segmentation model.

Gap 3 — Egress via mesh vs bypass — A pod can reach external services via mesh egress gateway (tracked) OR via meshConfig.outboundTrafficPolicy.mode=ALLOW_ANY (untracked bypass). The skill does not capture egress mode.

Suggested Gates

1. SEG-SM-01: Verify sidecar injection is enabled for all mesh-joined pods. Evidence: no sidecar.istio.io/inject: "false" annotations on production pods.
2. SEG-HN-01: Flag pods with hostNetwork: true — they operate outside mesh segmentation boundary.
3. SEG-EG-01: Require REGISTRY_ONLY egress mode or explicit ServiceEntry for all external destinations.

[shensz2017]

/attempt #1916

[shensz2017]

[REVIEW] PR #1925 - segmentation service-mesh bypass and host-network gates

Reviewed PR #1925 against issue #1916 and the existing segmentation skill.

Verdict: do not merge as written.

Blocking issue:

• The patch removes roughly 330 lines from skills/network/segmentation/SKILL.md and replaces the structured segmentation workflow with a short ## Gates list near the top. That deletes core content such as discovery patterns, zone architecture analysis, trust-boundary evaluation, east-west traffic controls, DMZ review, output structure, pitfalls, references, and much of the NIST/CIS-aligned guidance. The issue asks to add service-mesh bypass and host-network evidence gates, not to collapse the skill into a small checklist.

Why this matters:

• A reviewer using the resulting skill would lose the baseline segmentation methodology that makes the service-mesh gates meaningful. HostNetwork/hostPort, sidecar coverage, CNI enforcement, and mTLS strictness should augment the existing Kubernetes/micro-segmentation sections, not replace zone mapping and boundary analysis.
• The new gates are too high-level to be actionable. They mention hostNetwork/hostPort and mTLS strictness, but they do not require concrete evidence such as pod specs, namespace labels, sidecar injection status, PeerAuthentication/AuthorizationPolicy, NetworkPolicy/Cilium/Calico enforcement, host-level routes, node-local services, exception owner/expiry, or bypass test results.

Recommended fix:

• Revert the deletion and add a focused subsection under the existing micro-segmentation/Kubernetes process. Include a small evidence table for workload, namespace, mesh enrollment, hostNetwork/hostPort, sidecar status, mTLS mode, CNI/network-policy enforcement, node-local bypass path, exception owner/expiry, and residual risk.

This PR addresses the topic name but regresses the skill substantially.