Profile Applicability:
Level 1
Description:
The Container Network Interface (CNI) in Kubernetes defines how networking is configured for containers and pods. This check ensures that the CNI being used in the cluster supports Network Policies to control traffic between pods and services. Network policies can only be enforced if the underlying CNI plugin supports them (e.g., Calico, Azure CNI).
Rationale:
To implement fine-grained traffic controls and isolate workloads in a Kubernetes cluster, Network Policies must be supported by the CNI plugin. Without a CNI plugin that supports Network Policies, Kubernetes will not be able to enforce policies to control pod-to-pod communication, leaving the cluster vulnerable to unwanted or unauthorized traffic.
Impact:
Pros:
Ensures that security controls can be enforced at the network level, protecting workloads from unauthorized access.
Enables fine-grained network security policies to restrict traffic based on pod labels and namespaces.
Cons:
Requires that a compatible CNI plugin is selected and properly configured.
Adds complexity in managing and troubleshooting network configurations.
Default Value:
Not all CNIs support Network Policies by default. Azure CNI and Calico are commonly used CNI plugins that support Network Policies, but others may not.
Pre-requisites:
Ensure that your Kubernetes cluster uses a CNI that supports Network Policies (e.g., Calico, Azure CNI). This may require updating or configuring the CNI plugin in your AKS cluster.
Test Plan:
Using Azure Console:
Navigate to the Azure portal and access your Azure Kubernetes Service (AKS) cluster.
Check the Networking settings to see which CNI plugin is in use.
Review the CNI plugin documentation (e.g., Azure CNI or Calico) to verify that Network Policies are supported and enabled.
Using Azure CLI:
Run the following command to check the current CNI plugin in use:
az aks show --resource-group <resource-group-name> --name <aks-cluster-name> --query "networkProfile.networkPlugin"
Ensure that the CNI plugin is one that supports Network Policies. If the plugin is azure, calico, or flannel, you can proceed with network policy configuration.
If using Azure CNI or Calico, run the following command to verify if Network Policies are enabled:
kubectl get networkpolicies --all-namespaces
Confirm that the Network Policies are being enforced.
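The following POSIX shell script is an added example for this test plan and is not part of the benchmark text. It evaluates the networkProfile object that az aks show returns (the two JSON documents below are constructed samples, not captured from a real cluster) and goes one step beyond the command above by reading the networkPolicy field as well as networkPlugin, since that field is what records whether a policy engine is configured. The json_field and check_network_policy_support functions are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the benchmark text.
# Evaluates the "networkProfile" object returned by
#   az aks show --resource-group <resource-group-name> --name <aks-cluster-name> --query networkProfile -o json
# Both sample documents below are constructed, not captured from a real cluster.

# Constructed sample: Azure CNI with Calico as the network policy engine (compliant).
SAMPLE_PASS='{
  "networkPlugin": "azure",
  "networkPolicy": "calico",
  "serviceCidr": "10.0.0.0/16"
}'

# Constructed sample: kubenet with no network policy engine (non-compliant).
SAMPLE_FAIL='{
  "networkPlugin": "kubenet",
  "networkPolicy": null,
  "serviceCidr": "10.0.0.0/16"
}'

# json_field NAME JSON: print the string value of a top-level key, or nothing
# when the key is absent or its value is not a quoted string (for example null).
# Assumed helper for this example; it handles the one-key-per-line layout that
# `az ... -o json` emits and is not a general JSON parser.
json_field() {
  printf '%s\n' "$2" |
    sed -n "s/^[[:space:]]*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" |
    head -n 1
}

# check_network_policy_support JSON: return 0 when a network policy engine is
# configured, 1 otherwise. The decision is made on networkPolicy rather than on
# networkPlugin alone, because the plugin value by itself does not record whether
# NetworkPolicy objects will be enforced. azure and calico are the engines named
# in this check; cilium is a third value AKS accepts for the same field.
check_network_policy_support() {
  plugin=$(json_field networkPlugin "$1")
  policy=$(json_field networkPolicy "$1")
  case "$policy" in
    azure|calico|cilium)
      echo "PASS: networkPlugin=$plugin networkPolicy=$policy"
      return 0 ;;
    "")
      echo "FAIL: networkPlugin=$plugin, no network policy engine configured"
      return 1 ;;
    *)
      echo "FAIL: networkPlugin=$plugin, unrecognised networkPolicy value '$policy'"
      return 1 ;;
  esac
}

# Stand-alone run over both constructed samples.
check_network_policy_support "$SAMPLE_PASS"
check_network_policy_support "$SAMPLE_FAIL" || true
```

To run it against a live cluster, replace the constructed sample with the output of the az aks show query shown in the comment and pass that string to check_network_policy_support; a non-zero exit status marks the cluster as failing this check.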
Implementation Plan:
Using Azure Console:
In the Azure portal, verify the CNI plugin used by your AKS cluster under Networking settings.
If the current CNI does not support Network Policies (e.g., kubenet), consider switching to Azure CNI or Calico as the network plugin to enable network policy enforcement.
Update the AKS cluster to use a CNI that supports Network Policies. For example, to update to Azure CNI with Network Policies support:
Navigate to the AKS cluster settings in the Azure portal and enable Azure CNI with Network Policies.
Verify that the Network Policies are being enforced after the update.
Using Azure CLI:
If your current cluster is not using a compatible CNI, you can update your AKS cluster to use Azure CNI with the following command:
az aks update --resource-group <resource-group-name> --name <aks-cluster-name> --network-plugin azure
After the update, verify that Network Policies are applied by running the following command:
kubectl get networkpolicies --all-namespaces
If Calico is preferred, you can enable Calico as the Network Policy engine on the cluster with the following command:
az aks update --resource-group <resource-group-name> --name <aks-cluster-name> --network-policy calico
Backout Plan:
Using Azure Console:
If enabling Network Policies causes issues, revert the configuration in the Azure portal by switching back to the previous CNI plugin (e.g., kubenet).
Disable Network Policies or switch to a less restrictive network configuration if necessary.
Using Azure CLI:
If the updated CNI plugin or Network Policies cause issues, revert by using the following command to switch back to kubenet:
az aks update --resource-group <resource-group-name> --name <aks-cluster-name> --network-plugin kubenet
Check if the Network Policies are still being applied by running:
kubectl get networkpolicies --all-namespaces