Zero Trust networking implementation for MAS

    Posted 3 days ago

    Hi all,

    Like many customers, we have a standard implementation with a non-production OpenShift cluster running dev, test, acceptance and some other environments, and a production OpenShift cluster. The non-production cluster has shared services like ibm-sls, mongodb and dro.

    I was wondering if there is anyone in the community who has experience with implementing Zero Trust networking (macro / micro network segmentation) on Maximo Application Suite - OpenShift environments. 

    From the research I did, it is not recommended (and maybe even impossible) to manipulate the standard network policies that come along with the MAS deployment in order to tighten them down further (not allowing lateral movement between environments (dev - test - acceptance)). If this is indeed a no-go, that would leave you with two options if you want to reach a higher level of network security:

    1) Deploying an OpenShift environment per MAS instance.

    • This is, in my opinion, overkill in terms of required infrastructure and (maintenance) costs involved.

    2) Implement additional networking tools (like Cilium) within the OpenShift cluster that can assist to implement network segmentation

    • help to identify network traffic flows (which pods talk to which pods, which namespaces interact)
    • help to implement additional network policies on top of the out of the box MAS network policies. 
    • more options in terms of networking policies

    I was wondering if there is anyone who has experience with this. Is there anyone who would like to share his/her insights or who has additional recommendations or considerations?

    In addition, is there anyone who has experience with implementing a tool like Cilium (or a similar tool) to implement network segmentation for multiple Maximo Application Suite environments that are deployed on the same OpenShift cluster?

    Thanks in advance!



    ------------------------------
    Lars Kools
    ------------------------------
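
The flow-identification step mentioned in the post (which namespaces interact), sketched as an added example that is not part of the original post: it sorts namespace-to-namespace flows into intra-environment, shared-service and cross-environment traffic so that lateral dev - test - acceptance paths stand out before any policy is written. The `mas-<instance>-<app>` naming, the shared-service namespace names and the flow records are assumptions made for illustration.

```python
import re
from collections import Counter

# Assumptions (not from the post): MAS namespaces are named mas-<instance>-<app>,
# the instance id names the environment, and shared services run in these namespaces.
SHARED_NAMESPACES = {"ibm-sls", "mongodb", "dro"}
MAS_NAMESPACE = re.compile(r"^mas-(?P<env>[a-z0-9]+)-[a-z0-9-]+$")

# Constructed sample flows: (source namespace, destination namespace, destination port).
SAMPLE_FLOWS = [
    ("mas-dev-core", "mas-dev-manage", 443),
    ("mas-dev-core", "ibm-sls", 443),
    ("mas-test-manage", "mongodb", 27017),
    ("mas-dev-manage", "mas-test-manage", 443),
    ("mas-acc-core", "mas-dev-core", 443),
    ("ibm-sls", "mongodb", 27017),
    ("openshift-ingress", "mas-acc-core", 443),
]


def environment(namespace):
    """Return the environment id for a MAS namespace, or None for anything else."""
    match = MAS_NAMESPACE.match(namespace)
    return match.group("env") if match else None


def classify(src, dst):
    """Label one flow by how it relates to the environment boundaries."""
    src_env, dst_env = environment(src), environment(dst)
    if src_env and dst_env:
        return "intra-environment" if src_env == dst_env else "cross-environment"
    if src in SHARED_NAMESPACES or dst in SHARED_NAMESPACES:
        return "shared-service"
    return "unclassified"  # e.g. platform namespaces; review by hand


def audit(flows):
    """Count flows per label and list the distinct cross-environment paths."""
    summary = Counter()
    lateral = set()
    for src, dst, port in flows:
        label = classify(src, dst)
        summary[label] += 1
        if label == "cross-environment":
            lateral.add((src, dst, port))
    return summary, sorted(lateral)


if __name__ == "__main__":
    summary, lateral = audit(SAMPLE_FLOWS)
    print(dict(summary))
    for src, dst, port in lateral:
        print(f"lateral path to review: {src} -> {dst}:{port}")
```
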