4.3.2 Ensure that all Namespaces have Network Policies defined

Information

Use network policies to isolate traffic in the cluster network.

Running different applications on the same Kubernetes cluster creates a risk of one compromised application attacking a neighboring application. Network segmentation is important to ensure that containers can communicate only with those they are supposed to. A network policy is a specification of how selections of pods are allowed to communicate with each other and other network endpoints.

Network Policies are namespace scoped. When a network policy is introduced to a given namespace, all traffic not allowed by the policy is denied. However, if there are no network policies in a namespace all traffic will be allowed into and out of the pods in that namespace.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Follow the documentation and create NetworkPolicy objects as needed.See:

https://cloud.google.com/kubernetes-engine/docs/how-to/network-policy#creating_a_network_policy

for more information.

Impact:

Once network policies are in use within a given namespace, traffic not explicitly allowed by a network policy will be denied. As such it is important to ensure that, when introducing network policies, legitimate traffic is not blocked.

See Also

https://workbench.cisecurity.org/benchmarks/19166

Item Details

Category: SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CA-9, 800-53|SC-7, CSCv7|14.1, CSCv7|14.2

Plugin: GCP

Control ID: 36e7011ac950d25226701f495a1bda391448b40caeb7c321aa84bc9bb0a2ad5d