Profile Applicability:
Level 1
Description:
Network policies in Kubernetes are used to control the traffic flow between pods within the cluster, using pod selectors, namespace selectors and IP blocks. A NetworkPolicy object is only enforced when the cluster runs a network policy engine; without one the objects are accepted by the API server but ignored. This check ensures that network policy enforcement is enabled on the AKS cluster and that NetworkPolicy objects are defined so that only the intended pods can communicate with each other.
Rationale:
Enabling and configuring Network Policies is essential to ensure that only authorized pods and services can communicate with each other. By default every pod in a Kubernetes cluster can reach every other pod, in the same namespace or across namespaces, so a single compromised workload can scan and attack any other workload in the cluster. Configuring appropriate Network Policies applies the principle of least privilege to inter-pod communication and limits lateral movement.
Impact:
Pros:
Enhances security by controlling communication between pods.
Helps in isolating applications and services from each other.
Prevents unauthorized access and data leaks within the cluster.
Cons:
Requires careful configuration to avoid disrupting legitimate pod communication.
Can add operational complexity when managing multiple namespaces and services.
Default Value:
Network policy enforcement is not enabled by default in AKS; an AKS cluster created without a network policy option does not enforce NetworkPolicy objects. Enforcement must be explicitly enabled by choosing a network policy engine: Azure Network Policy Manager (requires the Azure CNI network plugin) or Calico (works with kubenet or Azure CNI). Even once an engine is installed, no NetworkPolicy objects exist by default, so all pod-to-pod traffic remains allowed until policies are created.
Pre-requisites:
Ensure that a network policy engine (Azure Network Policy Manager or Calico) is enabled on the AKS cluster and that the cluster's network plugin supports it: Azure network policy requires Azure CNI, while Calico can be used with either kubenet or Azure CNI. You also need kubectl access to the cluster with permission to list and create NetworkPolicy objects.
Test Plan:
Using Azure Console:
Navigate to the Azure portal and go to your Azure Kubernetes Service (AKS) cluster.
Under Networking, verify that Network policy shows a policy engine (Azure or Calico) rather than None.
The portal does not list NetworkPolicy objects; use kubectl (see the CLI steps below) to confirm that the appropriate policies are defined in each namespace to restrict traffic between pods.
Using Azure CLI:
Use the following command to verify if network policy enforcement is enabled for the AKS cluster:
az aks show --resource-group <resource-group-name> --name <aks-cluster-name> --query "networkProfile.networkPolicy" -o tsv
Ensure that networkPolicy is set to calico or azure, indicating that a policy engine is installed. An empty value, null or none means NetworkPolicy objects are not enforced and the check fails.
List the current network policies:
kubectl get networkpolicies --all-namespaces
An empty list means no traffic is restricted. Review the output so that each namespace containing workloads has at least a default-deny policy (an empty podSelector with no allow rules) plus the explicit allow rules the workloads need.
Implementation Plan:
Using Azure Console:
In the Azure portal, navigate to the Azure Kubernetes Service (AKS) cluster.
Under Networking, select the network policy engine (Azure or Calico) when creating the cluster. The portal only offers this option at cluster creation; for an existing cluster use the Azure CLI steps below.
Configure NetworkPolicy objects so that only allowed traffic is permitted between pods, starting with a default-deny policy in each workload namespace.
Define the necessary ingress and egress rules for inter-pod communication, including egress to kube-system for DNS, and apply them with kubectl.
Using Azure CLI:
To enable network policy enforcement on an existing AKS cluster, run the following command (use --network-policy azure for Azure Network Policy Manager on an Azure CNI cluster, or pass the same option to az aks create for a new cluster):
az aks update --resource-group <resource-group-name> --name <aks-cluster-name> --network-policy calico
To verify that the policy engine is installed and that NetworkPolicy objects are applied, use the following commands:
az aks show --resource-group <resource-group-name> --name <aks-cluster-name> --query "networkProfile.networkPolicy" -o tsv
kubectl get networkpolicies --all-namespaces
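The test and implementation steps above stop at "a policy engine is installed" and "some NetworkPolicy objects exist", which is not enough: a cluster can pass both while every namespace still allows all traffic. The following script is an added example, not part of the benchmark or any Azure tooling. It takes the JSON output of the two commands above (az aks show with -o json, and kubectl get networkpolicies -A -o json), reports per namespace whether a default-deny policy covers ingress and egress, and emits a remediation manifest for namespaces that fail. The sample provider value, policy list and namespace list are constructed here so it runs offline; the function names and the pass/fail rule (one default-deny policy for each direction in every namespace) are this example's own choices.

```python
"""Audit AKS NetworkPolicy coverage and generate default-deny manifests.

Added example, not from the benchmark text.  Inputs are assumed to be the raw
JSON of `az aks show --query networkProfile.networkPolicy -o json` and of
`kubectl get networkpolicies -A -o json`; the samples below are constructed.
"""
import json

# networkProfile.networkPolicy values that mean an enforcement engine is installed.
ENFORCING_PROVIDERS = {"azure", "calico", "cilium"}

# Constructed sample of `az aks show ... --query networkProfile.networkPolicy -o json`.
SAMPLE_PROVIDER_JSON = '"calico"'

# Constructed sample of `kubectl get networkpolicies -A -o json` with two policies.
SAMPLE_POLICIES_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # default-deny ingress for every pod in "payments"
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": "default-deny-ingress", "namespace": "payments"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
        },
        {   # allow rule for one app in "web"; selects only labelled pods, so not a default deny
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": "frontend-ingress", "namespace": "web"},
            "spec": {
                "podSelector": {"matchLabels": {"app": "frontend"}},
                "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "gateway"}}}],
                             "ports": [{"protocol": "TCP", "port": 8080}]}],
            },
        },
    ],
})

# Constructed sample of the workload namespaces to audit.
SAMPLE_NAMESPACES = ["default", "payments", "web"]


def provider_enforces(provider_json: str) -> bool:
    """True if the cluster has a network policy engine installed (null/none means no enforcement)."""
    value = json.loads(provider_json)
    return isinstance(value, str) and value.lower() in ENFORCING_PROVIDERS


def default_deny_directions(policy: dict) -> set:
    """Directions ('Ingress'/'Egress') for which this policy is a default deny.

    A policy is a default deny in a direction when it selects every pod (empty
    podSelector), lists that direction in policyTypes, and has no allow rules
    for it.  When policyTypes is omitted, Kubernetes defaults it to Ingress,
    plus Egress if the policy carries egress rules.
    """
    spec = policy.get("spec", {})
    selector = spec.get("podSelector") or {}
    if selector.get("matchLabels") or selector.get("matchExpressions"):
        return set()
    types = spec.get("policyTypes")
    if types is None:
        types = ["Ingress"] + (["Egress"] if spec.get("egress") else [])
    denied = set()
    if "Ingress" in types and not spec.get("ingress"):
        denied.add("Ingress")
    if "Egress" in types and not spec.get("egress"):
        denied.add("Egress")
    return denied


def audit(namespaces, policies_json: str) -> dict:
    """Per-namespace summary: policy count and whether ingress/egress are default-denied."""
    blank = {"policies": 0, "ingress_default_deny": False, "egress_default_deny": False}
    report = {ns: dict(blank) for ns in namespaces}
    for item in json.loads(policies_json).get("items", []):
        entry = report.setdefault(item["metadata"]["namespace"], dict(blank))
        entry["policies"] += 1
        denied = default_deny_directions(item)
        entry["ingress_default_deny"] |= "Ingress" in denied
        entry["egress_default_deny"] |= "Egress" in denied
    return report


def default_deny_manifest(namespace: str) -> dict:
    """Remediation manifest denying all ingress and egress for every pod in `namespace`.

    kubectl accepts JSON as well as YAML, so the result can be piped to
    `kubectl apply -f -`.  Add narrower allow policies (including DNS egress to
    kube-system) alongside it before applying in production.
    """
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "default-deny-all", "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
    }


if __name__ == "__main__":
    if not provider_enforces(SAMPLE_PROVIDER_JSON):
        print("FAIL: no network policy engine installed; NetworkPolicy objects are ignored")
    for ns, entry in audit(SAMPLE_NAMESPACES, SAMPLE_POLICIES_JSON).items():
        if entry["ingress_default_deny"] and entry["egress_default_deny"]:
            print(f"PASS {ns}: {entry['policies']} policies, default deny on ingress and egress")
        else:
            print(f"FAIL {ns}: {entry}")
            print(json.dumps(default_deny_manifest(ns)))
```

With the constructed sample, payments passes only for ingress and both default and web fail, so the script prints a default-deny-all manifest for each failing namespace. Against a real cluster, replace the three SAMPLE_ constants with the output of the az aks show and kubectl commands from the test plan.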
Backout Plan:
Using Azure Console:
If enabling network policy causes connectivity issues, the portal does not allow the policy engine to be switched off after creation. Restore connectivity by deleting or loosening the NetworkPolicy objects with kubectl (see the CLI steps below), or use the Azure CLI to uninstall the engine.
Using Azure CLI:
The quickest way to restore connectivity is to delete the NetworkPolicy object that blocks the traffic; with no objects present, an installed policy engine allows all traffic:
kubectl delete networkpolicy <policy-name> --namespace=<namespace>
If the policy engine itself must be removed, uninstall it by running:
az aks update --resource-group <resource-group-name> --name <aks-cluster-name> --network-policy none
Note that after the engine is removed any remaining NetworkPolicy objects are silently ignored, so the cluster no longer satisfies this check.