C-0030 - Ingress and Egress blocked

Framework

ArmoBest, NSA, AllControls

Severity

Medium

Description of the the issue

Network policies control traffic flow between Pods, namespaces, and external IP addresses. By default, no network policies are applied to Pods or namespaces, resulting in unrestricted ingress and egress traffic within the Pod network. Pods become isolated through a network policy that applies to the Pod or the Pod’s namespace. Once a Pod is selected in a network policy, it rejects any connections that are not specifically allowed by any applicable policy object.Administrators should use a default policy selecting all Pods to deny all ingress and egress traffic and ensure any unselected Pods are isolated. Additional policies could then relax these restrictions for permissible connections.

Related resources

CronJob, DaemonSet, Deployment, Job, NetworkPolicy, Pod, ReplicaSet, StatefulSet

What does this control test

Check for each Pod whether there is an ingress and egress policy defined (whether using Pod or Namespace).

Remediation

Define a network policy that restricts ingress and egress connections.

Example

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: shop
spec:
  podSelector:
    matchLabels:
        app: adservice		#we match it to the workload labels
  policyTypes:
  - Ingress
  - Egress
  ingress:			#we look for this 
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
  egress:			
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978