C-0049 - Network mapping
Framework
ArmoBest, AllControls
Severity
Low
Description of the the issue
Attackers may try to map the cluster network to get information on the running applications, including scanning for known vulnerabilities. By default, there is no restriction on pods communication in Kubernetes. Therefore, attackers who gain access to a single container, may use it to probe the network.
Related resources
Namespace, NetworkPolicy
What does this control test
Check for each namespace if there is a network policy defined.
Remediation
Define network policies or use similar network protection mechanisms.
Example
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy
namespace: default # we make sure "NetworkPolicy" exists on this namespace
Updated 11 days ago