Restrict Traffic Among Pods with a Network Policy
Network policies are Kubernetes resources that control the traffic between pods and/or network endpoints. They uses labels to select pods and specify the traffic that is directed toward those pods using rules.
Risk Level: High
Cloud Entity: Network Policies
CloudGuard Rule ID: D9.K8S.NET.23
Covered by Spectral: Yes
Category: Networking & Content Delivery
GSL LOGIC
List<KubernetesNetworkPolicy> should not have items with [spec.ingress isEmpty()]>0
REMEDIATION
Pods in a cluster can communicate with each other and should be controlled using Network Policies as needed for your workload.
Network policies are implemented by the network plugin, so you must be using a networking solution which supports NetworkPolicy - simply creating the resource without a controller to implement it will have no effect.
Kubernetes' Network Policies make it much more difficult for attackers to move laterally within your cluster. You can also use the Kubernetes Network Policy API to create Pod-level firewall rules. These firewall rules determine which Pods and services can access one another inside your cluster.
References
You can find an example of NetworkPolicy : https://kubernetes.io/docs/concepts/services-networking/network-policies/#the-networkpolicy-resource
For more information on NetworkPolicy, please refer : https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#networkpolicy-v1-networking-k8s-io
Network Policies
A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints.
Compliance Frameworks
- CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1
- CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0
- Kubernetes NIST.SP.800-190
- Kubernetes v.1.13 CloudGuard Best Practices
- Kubernetes v.1.14 CloudGuard Best Practices
Updated over 1 year ago