
Security Hardening Series

Hardening a Kubernetes Homelab: VLAN Segmentation, NetworkPolicies, and Defense-in-Depth Security

Overview

This series documents hardening my Kubernetes homelab after completing the V2 setup. If your cluster works but lacks network isolation, container hardening, or proper access controls, this guide shows how to add production-grade security without rebuilding from scratch.

Tip: See v2.0.0 for the complete repository. Each article links to its corresponding milestone tag.

Before You Begin

Prerequisites

Before starting, you should have:

  • V2 Series completed: Working Talos cluster with Flux GitOps
  • UniFi networking gear: UDM Pro or similar with VLAN support
  • Basic security concepts: Understanding of network isolation, firewall rules, least privilege

What We're Building

A hardened homelab with defense-in-depth security:

  • VLAN Segmentation: Isolate infrastructure, lab, IoT, and user devices at layer 2
  • NetworkPolicies: Block lateral movement from compromised pods to home network
  • Container Hardening: Non-root containers, dropped capabilities, resource limits
  • Tailscale ACLs: Tag-based access control for remote access

What V3 Adds

Area        | V2 State             | V3 Hardening
------------|----------------------|---------------------------
Network     | Flat 192.168.1.0/24  | VLANs by security tier
Pods        | No NetworkPolicy     | Block all private ranges
Containers  | Root, no limits      | Non-root, resource limits
Images      | :latest tags         | Pinned versions
Tailscale   | Full subnet access   | ACL-restricted by tag
Storage     | Longhorn unencrypted | Longhorn encrypted
Boot        | GRUB, no SecureBoot  | UKI with UEFI SecureBoot
System disk | Unencrypted          | TPM-sealed LUKS2 encrypted

Why This Approach

The Core Problem: V2 works, but a compromised game server pod can reach everything - the UDM, NAS, personal devices. No container escape required, just network access.

Defense-in-Depth: V3 adds multiple independent security layers. Even if one fails, others limit the blast radius:

  1. VLANs isolate at layer 2 (network boundary)
  2. NetworkPolicies isolate at layer 3 (pod boundary)
  3. Container hardening limits escape vectors
  4. Tailscale ACLs limit remote access scope

Incremental Migration: Each phase is independently testable. VLAN creation doesn't break existing services. NetworkPolicies can be deployed per-namespace. You can pause between phases without leaving the cluster in a broken state.

What's Not In Scope

This series focuses on hardening existing infrastructure. These are deferred to V4:

  • Longhorn backups: UNAS Pro lacks NFSv4 support required by Longhorn (see backup storage plan)
  • NAS storage setup: UNAS Pro configuration and bulk media storage
  • Public exposure: Self-hosted tunnels (frp) for web services
  • New applications: Matrix, Nextcloud, or other self-hosted services
  • Vulnerability scanning: Nessus/OpenVAS for active scanning
  • Maintenance processes: Security audits, CVE review, firewall review, firmware updates

Target Architecture

flowchart TD
    subgraph Internet
        A[Attacker]
    end

    subgraph Lab["Lab VLAN 192.168.10.0/24"]
        G[Game Server Pod]
        P[Plex Pod]
    end

    subgraph Network["Network VLAN 192.168.1.0/24"]
        UDM[UDM Pro]
    end

    subgraph Drive["Drive VLAN 192.168.5.0/24"]
        NAS[NAS]
    end

    subgraph Users["Unrestricted-Trusted VLAN 192.168.30.0/24"]
        PERSONAL[Personal Devices]
    end

    A -->|playit.gg tunnel| G
    G x--x|"VLAN firewall"| UDM
    G x--x|"VLAN firewall"| PERSONAL
    G x--x|"VLAN firewall"| NAS
    G -.->|"NetworkPolicy"| P

    style G fill:#6bcb77,color:#fff
    style UDM fill:#6bcb77,color:#fff
    style NAS fill:#6bcb77,color:#fff
    style PERSONAL fill:#6bcb77,color:#fff

Key principle: no single compromise grants access to the Network VLAN. Infrastructure is separated from every attack-facing segment by VLAN firewall rules rather than sharing a flat network with it.
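As an added illustration (not a manifest from the series repository), this is the shape of the NetworkPolicy behind the "Block all private ranges" row and the crossed-out edges in the diagram: a game-server namespace may reach the public internet (and therefore its playit.gg tunnel) but none of the RFC 1918 VLANs. The namespace name, the kube-dns labels and the extra link-local range are assumptions.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-private-egress   # assumed name
  namespace: minecraft        # assumed namespace; apply one per app namespace
spec:
  podSelector: {}             # every pod in the namespace
  policyTypes:
    - Egress                  # ingress is governed by a separate policy
  egress:
    # Cluster DNS lives in the service CIDR, which the private-range
    # carve-out below would otherwise block, so allow it explicitly.
    # Labels assumed to match the cluster's CoreDNS deployment.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Public internet only: every private range is excluded, so the
    # Network, Drive, Users and even the pod's own Lab VLAN are unreachable.
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
              - 169.254.0.0/16   # link-local (assumed addition)
```

Because the pod and service CIDRs normally fall inside 10.0.0.0/8, every in-cluster dependency needs a selector-based allow rule like the DNS one, and the policy only has effect on a CNI that enforces NetworkPolicy.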

Follow the Series

Follow these articles in order to harden your homelab:

Network Prep (UDM configuration)

  1. VLAN Architecture - Create VLANs, SSIDs, and switch port profiles
  2. Firewall Rules - Inter-VLAN traffic control

Migration (GitOps changes)

  1. Talos Migration - Update node IPs and gateway for Lab VLAN
  2. Tailscale Migration - Update routes for remote access
  3. MetalLB Migration - Update IP pool for Lab VLAN
  4. Plex LAN Configuration - Static IP, ADVERTISE_IP, cross-VLAN direct play

Infrastructure Hardening (per-service, complete hardening)

  1. Tailscale Hardening - Helm pin, ACLs, NetworkPolicy
  2. MetalLB & Ingress Hardening - Helm pins, NetworkPolicies
  3. Longhorn Hardening - Helm pin, encryption, NetworkPolicy

Application Hardening (per-service, complete hardening)

  1. Minecraft Hardening - Encrypted storage, NetworkPolicy, Helm pin
  2. Factorio Hardening - Encrypted storage, NetworkPolicy, Helm pin
  3. Plex Hardening - Encrypted storage, NetworkPolicy, read-only media, Helm pin

Trusted Boot & Disk Encryption (SecureBoot + TPM encryption)

  1. SecureBoot & Encryption Prep - Verify TPM, generate SecureBoot ISO, update cluster config with TPM encryption
  2. Secure Node Re-image - Rolling re-image with UEFI SecureBoot and TPM-sealed LUKS2 encryption

Appendix

Talos Security Checklist

The Talos Security Checklist [1] covers nine areas for production clusters. This series addresses six of them:

Checklist Item             | Status  | Series Coverage
---------------------------|---------|---------------------------------------
Protect secrets            | Covered | SOPS/Age encryption (v2-04)
Enable disk encryption     | Covered | TPM + SecureBoot (v3-13/14)
Keep Talos up to date      | Covered | Upgrade process (v2-05a)
Pod security controls      | Covered | NetworkPolicies (v3-07 through v3-12)
Network/firewall config    | Covered | VLANs + firewall rules (v3-01/02)
SecureBoot + verified boot | Covered | SecureBoot re-image (v3-13/14)
Limit API access           | Future  | Cert rotation, talosconfig scoping
Cluster backups            | Future  | etcd snapshots, disaster recovery
Monitor and audit          | Future  | Prometheus, audit logs

Getting Help

If you get stuck:

  1. Consult official docs (UniFi, Talos, Kubernetes NetworkPolicy)
  2. Leave a comment on the article - I'll try to help
  3. Ask in community forums (r/homelab, r/kubernetes, r/Ubiquiti)

What's Next?

Ready to begin? Start with VLAN architecture - the foundation for all other hardening.

See: VLAN Architecture

Resources

Footnotes

  1. Sidero Labs, "Talos Security Checklist," docs.siderolabs.com. Accessed: Mar. 3, 2026. [Online]. Available: https://docs.siderolabs.com/talos/v1.12/security/talos-security-checklist