C-0049 - Network mapping

Framework

ArmoBest, AllControls

Severity

Low

Description of the the issue

Attackers may try to map the cluster network to get information on the running applications, including scanning for known vulnerabilities. By default, there is no restriction on pods communication in Kubernetes. Therefore, attackers who gain access to a single container, may use it to probe the network.

Related resources

Namespace, NetworkPolicy

What does this control test

Check for each namespace if there is a network policy defined.

Remediation

Define network policies or use similar network protection mechanisms.

Example

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: test-network-policy
  namespace: default		# we make sure "NetworkPolicy" exists on this namespace