Ensure that a network policy is in place to secure traffic between pods
When you run modern, microservices-based applications in Kubernetes, you often want to control which components can communicate with each other. The principle of least privilege should be applied to how traffic can flow between pods in an Azure Kubernetes Service (AKS) cluster. The Network Policy feature in Kubernetes lets you define rules for ingress and egress traffic between pods in a cluster; without it, every pod can reach every other pod by default.
Risk Level: Low
Cloud Entity: Azure AKS
CloudGuard Rule ID: D9.AZU.AKS.05
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
AksCluster should not have properties.networkProfile.networkPolicy isEmpty()
REMEDIATION
From Portal
- Log in to your Azure portal.
- Navigate to 'Kubernetes services'.
- Create Kubernetes cluster.
- Fill in the required details and, under the 'Networking' tab, set 'Network policy' to 'Calico' or 'Azure'.
- Click on 'Review + Create'.
Note: The network policy feature can only be enabled when the cluster is created. You can't enable network policy on an existing AKS cluster; a non-compliant cluster has to be recreated.
From TF
Set the 'network_profile' block under 'azurerm_kubernetes_cluster' as below (the provider expects lowercase string values; the 'azure' network policy requires the 'azure' plugin, while 'calico' works with either plugin):
resource "azurerm_kubernetes_cluster" "example" {
  ...
  network_profile {
    ...
    network_plugin = "azure"   # or "kubenet"
    network_policy = "azure"   # or "calico"
    ...
  }
  ...
}
From Command Line
Run (the values are lowercase; use '--network-plugin kubenet --network-policy calico' if you want the kubenet plugin, since the 'azure' network policy requires the 'azure' plugin):
az aks create --resource-group RESOURCEGROUP --name CLUSTERNAME --node-count 1 --network-plugin azure --network-policy azure
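Because network policy cannot be switched on after creation, the practical check is to find existing clusters where the property is empty. The script below is an added example (not CloudGuard's GSL engine or Azure's own tooling) that evaluates the rule's predicate, 'networkProfile.networkPolicy isEmpty()', over cluster records shaped like the JSON that 'az aks list -o json' returns; the cluster names and resource groups are constructed, and treating absent, null and blank values as "empty" is an assumption about the predicate.

```python
"""Added example: apply the rule 'AksCluster should not have
properties.networkProfile.networkPolicy isEmpty()' to `az aks list` output."""
import json

# Constructed sample records (hypothetical names), shaped like `az aks list -o json`.
SAMPLE_AKS_LIST = json.dumps([
    {"name": "aks-prod", "resourceGroup": "rg-prod",
     "networkProfile": {"networkPlugin": "azure", "networkPolicy": "azure"}},
    {"name": "aks-dev", "resourceGroup": "rg-dev",
     "networkProfile": {"networkPlugin": "kubenet", "networkPolicy": None}},
    {"name": "aks-legacy", "resourceGroup": "rg-legacy",
     "networkProfile": {"networkPlugin": "kubenet"}},
    {"name": "aks-odd", "resourceGroup": "rg-odd",
     "networkProfile": {"networkPlugin": "azure", "networkPolicy": ""}},
])


def network_policy_is_empty(cluster: dict) -> bool:
    """Assumed semantics of isEmpty(): the property is absent, null, or blank."""
    profile = cluster.get("networkProfile") or {}
    policy = profile.get("networkPolicy")
    return policy is None or not str(policy).strip()


def evaluate_clusters(aks_list_json: str) -> list:
    """Return one finding per cluster with the compliance verdict and reason."""
    findings = []
    for cluster in json.loads(aks_list_json):
        empty = network_policy_is_empty(cluster)
        findings.append({
            "cluster": cluster.get("name"),
            "resourceGroup": cluster.get("resourceGroup"),
            "networkPolicy": (cluster.get("networkProfile") or {}).get("networkPolicy"),
            "compliant": not empty,
            # The property cannot be set on an existing cluster, so the only
            # remediation is recreating it with --network-policy azure|calico.
            "remediation": None if not empty else "recreate cluster with network policy enabled",
        })
    return findings


if __name__ == "__main__":
    # Live use: replace SAMPLE_AKS_LIST with the output of `az aks list -o json`.
    for f in evaluate_clusters(SAMPLE_AKS_LIST):
        status = "PASS" if f["compliant"] else "FAIL"
        print(f"{status} {f['resourceGroup']}/{f['cluster']} networkPolicy={f['networkPolicy']!r}")
```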
References
- https://docs.microsoft.com/en-us/azure/aks/use-network-policies?ocid=AID754288&wt.mc_id=CFID0471#create-an-aks-cluster-and-enable-network-policy
- https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#network_policy
Azure AKS
AKS is a fully managed service for the open-source Kubernetes container orchestrator. It became available on the Microsoft Azure public cloud in June 2018 and can be used to deploy, scale and manage Docker containers and container-based applications in a cluster environment.
Compliance Frameworks
- Azure CSA CCM v.4.0.1
- Azure CloudGuard Best Practices
- CloudGuard Azure All Rules Ruleset