C-0030 - Ingress and Egress blocked
Framework
ArmoBest, NSA, AllControls
Severity
Medium
Description of the the issue
Network policies control traffic flow between Pods, namespaces, and external IP addresses. By default, no network policies are applied to Pods or namespaces, resulting in unrestricted ingress and egress traffic within the Pod network. Pods become isolated through a network policy that applies to the Pod or the Pod’s namespace. Once a Pod is selected in a network policy, it rejects any connections that are not specifically allowed by any applicable policy object.Administrators should use a default policy selecting all Pods to deny all ingress and egress traffic and ensure any unselected Pods are isolated. Additional policies could then relax these restrictions for permissible connections.
Related resources
CronJob, DaemonSet, Deployment, Job, NetworkPolicy, Pod, ReplicaSet, StatefulSet
What does this control test
Check for each Pod whether there is an ingress and egress policy defined (whether using Pod or Namespace).
Remediation
Define a network policy that restricts ingress and egress connections.
Example
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy
namespace: shop
spec:
podSelector:
matchLabels:
app: adservice #we match it to the workload labels
policyTypes:
- Ingress
- Egress
ingress: #we look for this
- from:
- ipBlock:
cidr: 172.17.0.0/16
except:
- 172.17.1.0/24
- namespaceSelector:
matchLabels:
project: myproject
- podSelector:
matchLabels:
role: frontend
ports:
- protocol: TCP
port: 6379
egress:
- to:
- ipBlock:
cidr: 10.0.0.0/24
ports:
- protocol: TCP
port: 5978
Updated 11 days ago