Ensure Network policy is enabled on Kubernetes Engine Clusters

A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other.

Risk Level: Medium
Cloud Entity: Kubernetes Cluster
CloudGuard Rule ID: D9.GCP.NET.09
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

GkeCluster should have (networkPolicy.enabled='true') or (currentMasterVersion with [$ regexMatch /[1-9].[20-30].-gke./])

REMEDIATION

From Portal

  1. Go to Kubernetes GCP Console by visiting https://console.cloud.google.com/kubernetes/list?
  2. In the cluster list, click the name of the cluster you want to modify.
  3. Under Networking, in the Network policy field, click Edit network policy.
  4. Select the Enable network policy for master checkbox and click Save Changes.
  5. Wait for your changes to apply, and then click Edit network policy again.
  6. Select the Enable network policy for nodes checkbox.
  7. Click Save Changes.

From TF
Set the 'network_policy' with 'enabled' filed is equal to 'true' and 'addons_config' with 'network_policy_config' block with 'disabled' is equal to 'false':

resource "google_container_cluster" "gke"{
	network_policy {
		enabled = true
		provider = "CALICO"
	}
	addons_config {
		network_policy_config {
			disabled = "false"
		}
	}

From Command Line
To enable network policy enforcement for an existing cluster, perform the following tasks:

  1. Run the following command to enable the add-on:
gcloud container clusters update CLUSTER_NAME --update-addons=NetworkPolicy=ENABLED
  1. Run the following command to enable network policy enforcement on your cluster, which in turn recreates your cluster's node pools with network policy enforcement enabled:
gcloud container clusters update CLUSTER_NAME --enable-network-policy

References

  1. https://kubernetes.io/docs/concepts/services-networking/network-policies/#the-networkpolicy-resource
  2. https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.10/#networkpolicy-v1-networking
  3. https://cloud.google.com/kubernetes-engine/docs/how-to/network-policy#gcloud

Kubernetes Cluster

Kubernetes Engine is a managed, production-ready environment for deploying containerized applications. It brings our latest innovations in developer productivity, resource efficiency, automated operations, and open source flexibility to accelerate your time to market.

Launched in 2015, Kubernetes Engine builds on Google's experience of running services like Gmail and YouTube in containers for over 12 years. Kubernetes Engine allows you to get up and running with Kubernetes in no time, by completely eliminating the need to install, manage, and operate your own Kubernetes clusters.

Compliance Frameworks

  • CloudGuard GCP All Rules Ruleset
  • GCP CIS Foundations v. 1.0.0
  • GCP CloudGuard Best Practices
  • GCP MITRE ATT&CK Framework v12.1
  • GCP NIST 800-53 Rev 5
  • GCP PCI-DSS 4.0