Profile Applicability:

  • Level 2

Description:
 Network Policies in Kubernetes are used to control the communication between pods and services within a cluster. Ensuring that all namespaces have Network Policies defined helps protect the cluster by restricting communication between pods based on specific security requirements. This check ensures that every namespace has the necessary Network Policies to limit unnecessary inter-pod traffic.

Rationale:
 Without proper Network Policies, all pods within a namespace can freely communicate with each other, which can increase the risk of lateral movement in the event of a security breach. Defining and enforcing Network Policies helps reduce the attack surface by restricting communication only to the necessary services, thus improving security.

Impact:

  • Pros:

    • Enhances security by restricting unnecessary communication between pods.

    • Improves isolation between different namespaces and services.

  • Cons:

    • May require additional configuration to ensure all necessary services can still communicate.

    • Complex applications might require fine-tuning of the Network Policies to ensure they don’t break service functionality.

Default Value:
 By default, Kubernetes does not enforce any Network Policies unless explicitly configured. Without Network Policies, all pods within a namespace can communicate freely with each other.

Pre-requisites:
 Ensure that Network Policies are supported and implemented within the AKS cluster and that RBAC is properly configured to allow policy management.

Remediation

Test Plan:

Using Azure Console:

  1. Navigate to the Azure portal and access the Kubernetes cluster.

  2. Review the Network Policies for each namespace. Ensure that there are defined Network Policies for each namespace in the cluster.

  3. Check the Network Policies tab or use the Kubernetes dashboard to verify policy configurations.

Using Azure CLI:

  1. List all namespaces and check for existing Network Policies:

     kubectl get namespaces

  2. Verify that each namespace has associated Network Policies defined by running the following command:

     kubectl get networkpolicies --all-namespaces

  3. Ensure that the result shows Network Policies for every namespace.

Implementation Plan:

Using Azure Console:

  1. Navigate to the Azure portal and access the Kubernetes cluster.

  2. For each namespace, go to the Network Policies section and define a policy that restricts traffic as needed.

  3. Ensure that the policies are applied to the appropriate namespaces by verifying the settings in the Azure portal.

Using Azure CLI:

  1. To create a new Network Policy, use the following command:

     kubectl apply -f network-policy.yaml --namespace=<namespace>

  2. Ensure the YAML file defines appropriate ingress and egress rules to restrict pod communication within the namespace. Here is an example of a basic Network Policy:

     apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
 name: restrict-traffic
 spec:
 podSelector: {}
 ingress:
 - from:
 - podSelector: {}
 egress:
 - to:
 - podSelector: {}


Backout Plan:

Using Azure Console:

  1. If the Network Policies cause issues with application functionality, revert the changes in the Azure portal by deleting or modifying the policies.

Using Azure CLI:

  1. Revert any changes by deleting the applied Network Policies using the following command:

     kubectl delete networkpolicy <policy-name> --namespace=<namespace>

References:

  1. Azure Kubernetes Service (AKS) Network Policies Documentation

  2. Kubernetes Network Policy Documentation