Risk Level: High
Cloud Entity: Network Policies
CloudGuard Rule ID: D9.K8S.NET.23
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

List<KubernetesNetworkPolicy> should not have items with [spec.ingress isEmpty()]>0

REMEDIATION

Pods in a cluster can communicate with each other and should be controlled using Network Policies as needed for your workload.

Network policies are implemented by the network plugin, so you must be using a networking solution which supports NetworkPolicy - simply creating the resource without a controller to implement it will have no effect.

Kubernetes' Network Policies make it much more difficult for attackers to move laterally within your cluster. You can also use the Kubernetes Network Policy API to create Pod-level firewall rules. These firewall rules determine which Pods and services can access one another inside your cluster.

References
You can find an example of NetworkPolicy: https://kubernetes.io/docs/concepts/services-networking/network-policies/#the-networkpolicy-resource

For more information on NetworkPolicy, please refer: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#networkpolicy-v1-networking-k8s-io

Network Policies

A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints.

Compliance Frameworks

CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1
CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0
Kubernetes NIST.SP.800-190
Kubernetes v.1.13 CloudGuard Best Practices
Kubernetes v.1.14 CloudGuard Best Practices