Ensure that the CNI in use supports Network Policies
There are a variety of CNI plugins available for Kubernetes. If the CNI in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster.
Risk Level: High
Cloud Entity: Network Policies
CloudGuard Rule ID: D9.K8S.NET.33
Covered by Spectral: No
Category: Networking & Content Delivery
GSL LOGIC
List<KubernetesNetworkPolicy> should have items length()>0
REMEDIATION
If the CNI plugin in use does not support network policies, consideration should be given to making use of a different plugin, or finding an alternate mechanism for restricting traffic in the Kubernetes cluster.
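The GSL logic above passes as soon as at least one NetworkPolicy object exists anywhere in the cluster. The following is an added example (not CloudGuard's own rule engine and not code from this page) that reproduces that check over the JSON shape returned by `kubectl get networkpolicies -A -o json`, and goes one step further than the rule by reporting which namespaces have no policy at all and which have a default-deny policy. The JSON document and the namespace inventory are constructed sample data, and the helper names (`gsl_has_network_policies`, `namespace_coverage`, `uncovered_namespaces`, `is_default_deny`) are this example's own.

```python
import json

# Constructed sample resembling `kubectl get networkpolicies -A -o json`,
# abridged to the fields the check reads. Not taken from any real cluster.
SAMPLE_KUBECTL_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": "default-deny-all", "namespace": "payments"},
            # Empty podSelector selects every pod; no ingress/egress rules means
            # both directions are denied for the whole namespace.
            "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
        },
        {
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": "allow-frontend", "namespace": "web"},
            "spec": {
                "podSelector": {"matchLabels": {"app": "api"}},
                "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}]}],
            },
        },
    ],
})

# Constructed inventory of workload namespaces to measure coverage against.
WORKLOAD_NAMESPACES = ["payments", "web", "batch"]


def gsl_has_network_policies(kubectl_json: str) -> bool:
    """Same condition as the rule's GSL:
    List<KubernetesNetworkPolicy> should have items length()>0."""
    items = json.loads(kubectl_json).get("items", [])
    return len(items) > 0


def is_default_deny(policy: dict) -> bool:
    """True when the policy selects every pod in its namespace (empty podSelector)
    and carries no allow rules for the directions it covers."""
    spec = policy.get("spec", {})
    if spec.get("podSelector", {}) != {}:
        return False
    types = spec.get("policyTypes")
    if not types:
        # Kubernetes semantics when policyTypes is omitted: Ingress is always
        # included, Egress only if egress rules are present.
        types = ["Ingress"] + (["Egress"] if "egress" in spec else [])
    # Any allow rule in a covered direction means it is not a pure deny.
    return not any(spec.get(t.lower()) for t in types)


def namespace_coverage(kubectl_json: str, namespaces: list) -> dict:
    """Per-namespace policy count and whether a default-deny policy exists."""
    report = {ns: {"policies": 0, "default_deny": False} for ns in namespaces}
    for policy in json.loads(kubectl_json).get("items", []):
        ns = policy["metadata"]["namespace"]
        entry = report.setdefault(ns, {"policies": 0, "default_deny": False})
        entry["policies"] += 1
        entry["default_deny"] = entry["default_deny"] or is_default_deny(policy)
    return report


def uncovered_namespaces(kubectl_json: str, namespaces: list) -> list:
    """Namespaces from the inventory that have no NetworkPolicy at all."""
    coverage = namespace_coverage(kubectl_json, namespaces)
    return sorted(ns for ns, e in coverage.items() if e["policies"] == 0)


if __name__ == "__main__":
    print("GSL check passes:", gsl_has_network_policies(SAMPLE_KUBECTL_JSON))
    for ns, entry in namespace_coverage(SAMPLE_KUBECTL_JSON, WORKLOAD_NAMESPACES).items():
        print(f"{ns}: policies={entry['policies']} default_deny={entry['default_deny']}")
    print("Namespaces with no policy:", uncovered_namespaces(SAMPLE_KUBECTL_JSON, WORKLOAD_NAMESPACES))
```

One caveat a practitioner should keep in mind: the API server stores NetworkPolicy objects regardless of whether the installed CNI enforces them, so a non-empty list shows that policies have been written, not that the CNI honours them. Confirming enforcement still requires checking the CNI plugin's documentation, as the remediation text says, or observing that traffic a default-deny policy should block is in fact blocked.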
References
Network Policies
A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints.
Compliance Frameworks
- CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1
- CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0
- CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.3.0
- CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0
- CIS Google Kubernetes Engine (GKE) Benchmark v1.4.0
- CIS Kubernetes Benchmark v1.23
- CIS Kubernetes Benchmark v1.24
- CIS Kubernetes Benchmark v1.5.1
- CIS Kubernetes Benchmark v1.6.1
- CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.1.0
- CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.3.0
- CIS OpenShift Container Platform v4 Benchmark v1.1.0
- CIS OpenShift Container Platform v4 Benchmark v1.4.0
- OpenShift Container Platform v3