Profile Applicability:
 • Level 1

Description:
 Amazon EKS provides two ways to implement network policy:

  • Calico Network Policies – An open-source network and network security solution founded by Tigera.

Both options use Linux iptables to enforce the specified policies, translating each policy into sets of allowed and disallowed IP pairs, which are then programmed as iptables filter rules.

Rationale:
 By default, all pod-to-pod traffic within a cluster is allowed. Network Policies create a pod-level firewall that can be used to restrict traffic between pods. A Network Policy is applied through labels that select the pods it applies to. Once a pod is selected by a policy, it rejects any connection not explicitly allowed by that policy. Pods not selected by any Network Policy continue to accept all traffic.

Impact:

  • Network Policy requires the Network Policy add-on. For newly created clusters, this add-on is included by default, but it must be manually added for existing clusters.

  • Enabling or disabling Network Policy causes a rolling update of all cluster nodes. This process will block other operations (including delete operations) until completed.

  • Enabling Network Policy enforcement increases resource consumption on nodes, adding approximately 128MB of memory and 300 millicores of CPU to the kube-system process.

Default Value:
 By default, Network Policy is disabled.

Pre-requisites:
 Ensure that the network policy add-on is enabled on the EKS cluster. If using a third-party solution such as Calico, ensure that it is installed and configured correctly to enforce network policies.

Remediation:

Test Plan:

Using AWS Console:

  • Enable Network Policy by utilizing Calico or another network policy engine to segment and isolate your traffic within the cluster.

  • For clusters that are not yet configured, follow the documentation to enable Network Policy enforcement.

Using AWS CLI:

1. Run the following command to confirm the network policy setting of the VPC CNI add-on (the returned configuration values include the enableNetworkPolicy key when it has been set):

    aws eks describe-addon --cluster-name <cluster-name> --addon-name vpc-cni --query addon.configurationValues


Implementation plan:

Using AWS Console:

  1. Ensure that the Calico Network Policies or the built-in AWS VPC CNI plugin with network policy support is installed on the cluster.

  2. Apply appropriate network policies to define allowed communication between pods based on their labels.

Using AWS CLI:

  1. Enable network policy enforcement in the VPC CNI add-on (the setting reported by the Test Plan's describe-addon check):

    aws eks update-addon --cluster-name <cluster-name> --region <region> --addon-name vpc-cni --configuration-values '{"enableNetworkPolicy": "true"}'

  2. Create the necessary network policies for each namespace:

    kubectl apply -f my-network-policy.yaml
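As an added example (not part of this benchmark), a manifest that could be passed to `kubectl apply -f` once enforcement is enabled: a default-deny ingress policy that selects every pod in a namespace, followed by a policy that re-allows only the intended path. The namespace `app`, the labels `app=frontend` / `app=backend` and port 8080 are assumptions.

```yaml
# Added example; the namespace, labels and port are assumed values.
# 1) An empty podSelector selects every pod in the namespace. With no ingress
#    rules, each selected pod now rejects all inbound traffic that is not
#    explicitly allowed by some other policy. Pods in other namespaces are
#    not selected and still accept all traffic.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: app
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# 2) Re-allow only the intended path: pods labelled app=frontend may reach
#    pods labelled app=backend on TCP/8080. Policies are additive, so this
#    widens access only for the selected backend pods and only from the
#    listed sources; everything else in the namespace stays denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: app
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: frontend
      ports:
        - protocol: TCP
          port: 8080
```

Apply the default-deny policy first and the allow policies afterwards so that no window exists in which the selected pods accept unrestricted traffic.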


Backout Plan:

Using AWS Console:

1. If you need to disable network policies, remove the applied NetworkPolicy objects and adjust the network plugin settings.


Using AWS CLI:

  1. Disable Network Policy: If enabling the network policy results in unexpected issues, you can disable enforcement in the VPC CNI add-on using the following AWS CLI command:

    aws eks update-addon --cluster-name <cluster-name> --region <region-code> --addon-name vpc-cni --configuration-values '{"enableNetworkPolicy": "false"}'

  2. Adjust Network Policies: Review and modify the network policies to ensure they are correctly applied and do not unintentionally restrict traffic that should be allowed.
