Profile Applicability:
• Level 1
Description:
Network policies should be defined for each namespace in the Kubernetes cluster to control the traffic between pods and prevent unwanted access. This ensures traffic isolation and enforces security policies across the cluster network.
Rationale:
Running different applications within the same Kubernetes cluster can introduce the risk of cross-application attacks if one application is compromised. By using network policies, you can segment network traffic, ensuring that containers can only communicate with those they are intended to. A network policy allows the specification of how pods can communicate with each other and other network endpoints, enforcing traffic isolation.
Once a network policy selects a pod, it will only accept traffic that is explicitly allowed by the network policy, rejecting any other connections. If a pod is not selected by any network policy, it will continue to accept all traffic by default.
Impact:
Pros:
Enhances the security of applications by isolating network traffic.
Ensures that only authorized traffic can flow between pods, reducing the risk of lateral movement by attackers.
Helps meet compliance requirements by enforcing traffic segmentation.
Cons:
Misconfigured network policies may lead to unintended disruptions in communication between pods that need to interact.
Requires careful management and updates as applications and their communication needs evolve.
Default Value:
By default, network policies are not created, and all pods can communicate with each other freely.
Pre-requisites:
Access to the Kubernetes cluster with sufficient privileges to define and enforce Network Policies.
Understanding of the traffic requirements between applications running in different namespaces.
Remediation
Test Plan:
Using AWS Console:
Navigate to the Network Policies section for each namespace and ensure that at least one Network Policy is defined.
Review the configuration of the existing policies to ensure they provide the necessary traffic isolation for each namespace.
Using AWS CLI:
To check for existing network policies in the cluster, run the following command:
kubectl get networkpolicy --all-namespaces
Review the output to ensure that each namespace has at least one network policy defined. If any namespace lacks a policy, proceed with remediation.
Implementation Plan
Using AWS Console:
For each namespace, define a network policy that restricts ingress and egress traffic. A simple "deny all" policy can be used to start with:
Apply the network policy for each namespace:
For namespaces that need specific traffic allowances, define appropriate ingress and egress rules in their network policies.
Using AWS CLI:
To create a network policy that denies all inbound and outbound traffic in a namespace, use the following YAML definition and apply it using
kubectl:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: <namespace>
spec:
podSelector: {}
policyTypes:
- Ingress
- EgressApply the policy using this command:
kubectl apply -f default-deny-all.yaml
Review the list of namespaces and ensure that each one has at least one network policy defined:
kubectl get networkpolicy --all-namespaces
Define specific ingress and egress rules for any namespace that requires exceptions to the deny-all policy.
Backout Plan
Using AWS Console:
If network policies cause issues, revert to a previous configuration where necessary.
Remove or modify policies that are incorrectly blocking required communication.
Using AWS CLI:
If the new network policies cause disruptions, remove them by running:
kubectl delete networkpolicy default-deny-all -n <namespace>
If necessary, reapply the previous, working network policies for each affected namespace.
References:
Kubernetes Network Policies Documentation