Information
Configure Network policies as appropriate.
Rationale:
The Network Policy API is now stable. Network policy, implemented through a network plug-in, allows users to set and enforce rules governing which pods can communicate with each other. You should leverage it as appropriate in your environment.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Follow the Kubernetes documentation and set up network policies as appropriate.
For example, you could create a 'default' isolation policy for a Namespace by creating a NetworkPolicy that selects all pods but does not allow any traffic:
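apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  # An empty podSelector selects every pod in the namespace; with no
  # ingress rules listed, no inbound traffic is allowed.
  podSelector: {}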
Impact:
You need to design your network policies carefully and maintain them regularly. Also, support for v1 network policies depends on your CNI, so choose your CNI carefully.
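Because this check is not performed automatically, one way to review it by hand is to list the namespaces that lack a default-deny ingress policy like the one shown in the Solution. The following is an added example, not part of the benchmark or of Nessus; the function names and the sample data are assumptions constructed for illustration, with the sample shaped like the output of kubectl get networkpolicy -A -o json.

```python
import json

def selects_all_pods(selector):
    """An empty or null podSelector matches every pod in the namespace."""
    selector = selector or {}
    return not selector.get("matchLabels") and not selector.get("matchExpressions")

def is_default_deny_ingress(policy):
    """True for a policy that selects all pods and allows no ingress traffic."""
    spec = policy.get("spec") or {}
    # If policyTypes is omitted, Kubernetes treats the policy as an Ingress policy.
    policy_types = spec.get("policyTypes") or ["Ingress"]
    return (selects_all_pods(spec.get("podSelector"))
            and "Ingress" in policy_types
            and not spec.get("ingress"))

def namespaces_without_default_deny(namespaces, policy_list):
    """Return the sorted namespaces that have no default-deny ingress policy."""
    covered = {p["metadata"]["namespace"]
               for p in policy_list.get("items", [])
               if is_default_deny_ingress(p)}
    return sorted(set(namespaces) - covered)

# Constructed sample, shaped like `kubectl get networkpolicy -A -o json` output.
SAMPLE_NAMESPACES = ["default", "payments", "web"]
SAMPLE_POLICIES = json.loads("""
{"items": [
  {"metadata": {"name": "default-deny", "namespace": "payments"},
   "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
  {"metadata": {"name": "allow-frontend", "namespace": "web"},
   "spec": {"podSelector": {"matchLabels": {"app": "frontend"}},
            "policyTypes": ["Ingress"],
            "ingress": [{"from": [{"podSelector": {}}]}]}},
  {"metadata": {"name": "allow-all", "namespace": "web"},
   "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{}]}}
]}
""")

if __name__ == "__main__":
    for ns in namespaces_without_default_deny(SAMPLE_NAMESPACES, SAMPLE_POLICIES):
        print(f"{ns}: no default-deny ingress policy")
```

A namespace is reported even when it has other policies, because allow rules that select only some pods leave the remaining pods unisolated.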