Ensure that a network policy is in place to secure traffic between pods

In Kubernetes when you run modern, microservices-based applications, you often want to control which components can communicate with each other. The principle of least privilege should be applied to how traffic can flow between pods in an Azure Kubernetes Service (AKS) cluster. The Network Policy feature in Kubernetes lets you define rules for ingress and egress traffic between pods in a cluster.

Suggest Edits

Risk Level: Low
Cloud Entity: Azure AKS
CloudGuard Rule ID: D9.AZU.AKS.05
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

AksCluster should not have properties.networkProfile.networkPolicy isEmpty()

REMEDIATION

From Portal

Log in to your Azure portal.
Navigate to 'Kubernetes services'.
Create Kubernetes cluster.
Fill the required details and under the 'Networking' tab select 'Calico or Azure' in 'Network policy'.
Click on 'Review + Create'.
Note : The network policy feature can only be enabled when the cluster is created. You can't enable network policy on an existing AKS cluster.

From TF
Set the 'network_profile' argument under 'azurerm_kubernetes_cluster' as below:

resource "azurerm_kubernetes_cluster" "example" {
	...
	network_profile = {
		...
		network_plugin = KUBENET/AZURE
		network_policy = CALICO/AZURE
		...
	}
	...
}

From Command Line
Run

az aks create --resource-group RESOURCEGROUP --name CLUSTERNAME --node-count 1 --network-plugin KUBENET/AZURE --network-policy CALICO/AZURE

References

Azure AKS

AKS is an open-source fully managed container orchestration service that became available in June 2018 and is available on the Microsoft Azure public cloud that can be used to deploy, scale and manage Docker containers and container-based applications in a cluster environment.

Compliance Frameworks

Azure CSA CCM v.4.0.1
Azure CloudGuard Best Practices
CloudGuard Azure All Rules Ruleset

Updated about 1 year ago