4.3.1 Ensure that the CNI in use supports Network Policies

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

There are a variety of CNI plugins available for Kubernetes. If the CNI in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster.

Rationale:

Kubernetes network policies are enforced by the CNI plugin in use. As such it is important to ensure that the CNI plugin supports both Ingress and Egress network policies.

See also Recommendation 6.6.7 for GKE specifically.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To use a CNI plugin with Network Policy, enable Network Policy in GKE, and the CNI plugin will be updated. See Recommendation 6.6.7.

Impact:

None.

Default Value:

This will depend on the CNI plugin in use.

See Also

https://workbench.cisecurity.org/files/2764