Profile Applicability:
Level 1
Description:
In Kubernetes, a Network Policy is a set of rules that controls the communication between pods and/or services within a Kubernetes cluster. By default, Kubernetes allows all traffic between pods in the cluster, but using Network Policies, administrators can restrict traffic based on pod selectors, IP blocks, and other factors. These policies provide fine-grained control over the communication between Kubernetes workloads, enhancing security by limiting which pods can communicate with others.
Enabling Network Policies ensures that only the intended traffic is allowed within the cluster, protecting workloads from unauthorized access or malicious traffic.
Rationale:
Enabling and properly configuring Network Policies in Kubernetes clusters is critical for:
Security: Helps prevent unauthorized communication between pods and limits the attack surface by allowing only the necessary communication.
Microsegmentation: Helps to implement microsegmentation at the network level, which is a key security measure in cloud-native environments.
Compliance: Meets security standards and best practices that require restricting access between pods, thereby ensuring that sensitive workloads are isolated.
Traffic Control: Ensures that network traffic is tightly controlled, preventing potential lateral movement in case of a compromised pod.
Impact:
Pros:
Enhanced Security: Restricting traffic ensures that only trusted pods can communicate with each other, minimizing the risk of internal breaches.
Granular Control: Provides the ability to define strict communication rules, allowing security teams to enforce policies based on labels, IPs, and namespaces.
Compliance: Helps meet compliance requirements for network isolation and segmentation.
Auditability: Network policies provide clear and auditable configurations for traffic control.
Cons:
Complex Configuration: Misconfigured network policies can lead to unintended traffic blocks, breaking application connectivity.
Increased Overhead: Managing network policies for complex applications and services can add operational overhead.
Requires CNI Plugin Support: Network policies require a CNI (Container Network Interface) plugin that supports them (e.g., Calico, Cilium).
Default Value:
By default, Network Policies are not enabled in Kubernetes. You must manually create and configure policies for pod-to-pod communication control.
Pre-requisite:
Kubernetes Cluster should have a CNI plugin that supports Network Policies (e.g., Calico, Cilium, Weave).
IAM Permissions:
kubectl create
kubectl get networkpolicies
kubectl apply
kubectl installed and configured to interact with your Kubernetes cluster.
Basic understanding of Kubernetes networking and CNI plugins.
Remediation:
Test Plan:
Using AWS Console (EKS):
Sign in to the AWS Management Console.
Navigate to Amazon EKS under Services.
Go to the Clusters section and select the desired EKS cluster.
Ensure that the CNI plugin supporting Network Policies (e.g., Calico) is installed and configured.
Check if Network Policies are configured in your EKS cluster by using the kubectl CLI.
Go to the EKS console and check if the CNI plugin has been installed and properly configured.
Using kubectl (CLI):
To check if Network Policies are enabled, run:
kubectl get networkpolicies --all-namespaces
If the output returns a list of network policies, they are enabled and in place.
To verify whether the correct CNI plugin (e.g., Calico, Cilium) is installed and supports network policies, run:
kubectl describe pod -n kube-system <CNI-plugin-pod-name>
Check if network policies are applied in the specific namespace by running:
kubectl get networkpolicies -n <namespace-name>
To create a simple Network Policy that restricts ingress traffic for a specific pod, you can run:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny
namespace: default
spec:
podSelector: {}
policyTypes:
- IngressApply the policy:
kubectl apply -f <network-policy-file>.yaml
Implementation Steps:
Using kubectl (CLI):
To enable Network Policies, ensure that the CNI plugin (such as Calico or Cilium) is properly configured for your Kubernetes cluster.
For EKS, ensure that Calico is enabled by selecting the appropriate configuration during cluster setup or modification.
Create the Network Policy for your workloads. For example, to deny all ingress traffic except from a specific pod, you can use the following policy:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-ingress
namespace: <namespace-name>
spec:
podSelector: {}
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
app: <specific-app-name>Apply the Network Policy:
kubectl apply -f <network-policy-file>.yaml
Ensure that all required Network Policies are in place for other workloads by creating and applying similar policies based on the application's access requirements.
Backout Plan:
If enabling Network Policies causes connectivity issues:
Identify the affected pods by reviewing the kubectl logs and Network Policy events.
Disable the applied Network Policy to restore access:
kubectl delete networkpolicy <policy-name> -n <namespace>
Investigate and adjust the Network Policy configurations to ensure correct traffic flow.
Apply the updated Network Policy once the issue has been resolved.
Note:
Test Network Policies: Before applying them in a production environment, test network policies in a staging or dev cluster to avoid service interruptions.
Policy Aggregation: Ensure that policies are aggregated across multiple namespaces and services for a consistent security posture.
Logging and Monitoring: Set up monitoring tools (e.g., Prometheus, Grafana) to visualize and track network traffic and ensure that your Network Policies are being enforced as expected.