Ensure that the CNI in use supports Network Policies

There are a variety of CNI plugins available for Kubernetes. If the CNI in use does not support Network Policies, it may not be possible to effectively restrict traffic in the cluster.

Risk Level: High
Cloud Entity: Network Policies
CloudGuard Rule ID: D9.K8S.NET.33
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

List<KubernetesNetworkPolicy> should have items length()>0
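The GSL line above passes as soon as the cluster holds at least one NetworkPolicy object. The following is an added Python example, not CloudGuard's own code, that applies the same test to the JSON shape `kubectl get networkpolicies -A -o json` produces, and additionally reports which namespaces carry a default-deny policy, which is what an assessor usually wants to know next. The sample policy list, its namespaces (`payments`, `web`) and policy names are constructed for the example. One caveat the check itself cannot cover: the API server stores NetworkPolicy objects whether or not the CNI implements them, so a passing result shows intent, not enforcement; the Kubernetes documentation is explicit that creating a NetworkPolicy without a controller that implements it has no effect, which is why the remediation below is about the plugin, not the objects.

```python
import json
import sys

# Constructed sample in the shape of `kubectl get networkpolicies -A -o json`,
# trimmed to the fields the check reads. Not captured from a real cluster.
SAMPLE_NETWORK_POLICY_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": "default-deny-ingress", "namespace": "payments"},
            # Empty podSelector selects every pod; no ingress rules => deny all ingress.
            "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
        },
        {
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": "allow-frontend", "namespace": "web"},
            # Scoped allow rule: covers only pods labelled app=api, so not a default deny.
            "spec": {
                "podSelector": {"matchLabels": {"app": "api"}},
                "policyTypes": ["Ingress"],
                "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}]}],
            },
        },
    ],
})

# Constructed: what a cluster with no policies at all returns.
EMPTY_NETWORK_POLICY_LIST = json.dumps({"apiVersion": "v1", "kind": "List", "items": []})


def rule_passes(network_policy_list_json: str) -> bool:
    """Equivalent of the GSL logic: the NetworkPolicy list must have length > 0."""
    doc = json.loads(network_policy_list_json)
    return len(doc.get("items", [])) > 0


def default_deny_namespaces(network_policy_list_json: str) -> dict:
    """Map namespace -> set of directions ("Ingress"/"Egress") covered by a default deny.

    A policy with an empty podSelector ({}) selects every pod in its namespace.
    If a policyType is listed but no allow rules exist for that direction, every
    selected pod is denied that direction. When policyTypes is omitted, Kubernetes
    defaults to Ingress, plus Egress if the policy has any egress rules.
    """
    doc = json.loads(network_policy_list_json)
    result = {}
    for item in doc.get("items", []):
        spec = item.get("spec", {})
        if spec.get("podSelector", {}) != {}:
            continue  # only selects a subset of pods, so not namespace-wide
        namespace = item["metadata"]["namespace"]
        policy_types = spec.get("policyTypes") or (
            ["Ingress"] + (["Egress"] if "egress" in spec else [])
        )
        for direction in policy_types:
            if not spec.get(direction.lower()):  # no allow rules => default deny
                result.setdefault(namespace, set()).add(direction)
    return result


if __name__ == "__main__":
    # Usage: kubectl get networkpolicies -A -o json | python3 check_netpol.py
    data = sys.stdin.read() or EMPTY_NETWORK_POLICY_LIST
    print("D9.K8S.NET.33:", "PASS" if rule_passes(data) else "FAIL")
    for ns, directions in sorted(default_deny_namespaces(data).items()):
        print(f"default deny in {ns}: {', '.join(sorted(directions))}")
```

Run against a live cluster by piping `kubectl get networkpolicies -A -o json` into the script; with no input it evaluates the constructed empty list and reports FAIL. Confirming that the CNI actually enforces these objects still requires a connectivity test from inside a namespace that has a default-deny policy, which the object listing cannot tell you.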

REMEDIATION

If the CNI plugin in use does not support network policies, consideration should be given to making use of a different plugin, or finding an alternate mechanism for restricting traffic in the Kubernetes cluster.

References

  1. https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/

Network Policies

A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints.

Compliance Frameworks

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.2.0
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.3.0
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.4.0
  • CIS Kubernetes Benchmark v1.23
  • CIS Kubernetes Benchmark v1.24
  • CIS Kubernetes Benchmark v1.5.1
  • CIS Kubernetes Benchmark v1.6.1
  • CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.1.0
  • CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.3.0
  • CIS OpenShift Container Platform v4 Benchmark v1.1.0
  • CIS OpenShift Container Platform v4 Benchmark v1.4.0
  • OpenShift Container Platform v3