Profile Applicability:
Level 1
Description:
Network Policies in Kubernetes are used to define how groups of pods can communicate with each other and with other network endpoints. This check ensures that Network Policies are defined for all namespaces in the cluster, providing access control over pod-to-pod communication and enhancing the security of the Kubernetes environment.
Rationale:
By defining Network Policies, you can restrict traffic to and from pods based on their labels, namespaces, or IP addresses. This helps ensure that only authorized communication is allowed between services within the Kubernetes cluster. Having network policies in place for all namespaces improves cluster security by preventing unwanted or unauthorized traffic from reaching sensitive pods or services.
Impact:
Pros:
Enhances security by controlling communication between pods.
Helps isolate workloads from each other within a namespace or across namespaces.
Reduces the risk of lateral movement in the event of a compromise.
Cons:
Requires careful configuration to ensure that legitimate traffic is not inadvertently blocked.
Increases complexity in network management, especially with large numbers of namespaces and services.
Default Value:
By default, Kubernetes does not define any network policies, and all pods within a namespace can communicate with each other. Network policies need to be defined manually.
Pre-requisites:
Ensure that network policy enforcement is enabled for your cluster and that a network plugin, such as Calico or Azure CNI, is used to support and enforce network policies.
Test Plan:
Using Azure Console:
Navigate to the Azure portal and access the Azure Kubernetes Service (AKS) cluster.
Review the Network Policies applied to each namespace to ensure that network policies are defined for each one.
Ensure that the Network Policies restrict traffic appropriately, using labels, namespaces, or IP addresses to define allowed traffic.
Using Azure CLI:
Use the following command to check if Network Policies are applied to all namespaces:
kubectl get networkpolicies --all-namespaces
Verify that each namespace has an associated Network Policy. If any namespace is missing a network policy, that namespace needs to be configured with one.
Check the Network Policies applied to a specific namespace by running:
kubectl get networkpolicies --namespace=<namespace-name>
Implementation Plan:
Using Azure Console:
In the Azure portal, navigate to the Azure Kubernetes Service (AKS) cluster and go to Networking settings.
Ensure that Network Policies are enabled for the AKS cluster by selecting the appropriate network plugin (e.g., Calico or Azure CNI).
Review the Pod specifications in each namespace and define the required Network Policies to control traffic between pods.
Apply the network policies to each namespace to restrict or allow traffic between services as needed.
Using Azure CLI:
To define a Network Policy for a namespace, create a YAML file with the required ingress and egress rules:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: example-policy
namespace: <namespace-name>
spec:
podSelector: {}
ingress:
- from:
- podSelector: {}
egress:
- to:
- podSelector: {}
Apply the Network Policy with the following command:
kubectl apply -f network-policy.yaml --namespace=<namespace-name>
Repeat the process for all namespaces that require network policies.
Backout Plan:
Using Azure Console:
If Network Policies cause issues with pod communication, revert the changes in the Azure portal by disabling or modifying the network policies.
Using Azure CLI:
If the Network Policies cause issues, remove them using the following command:
kubectl delete networkpolicy <policy-name> --namespace=<namespace-name>
You can also modify the policy to relax restrictions or allow additional traffic if needed.