C-0205 - Ensure that the CNI in use supports Network Policies
Run Kubescape with host sensor (see here)
cis-v1.23-t1.0.1, cis-eks-t1.2.0, cis-aks-t1.2.0
Description of the the issue
Kubernetes network policies are enforced by the CNI plugin in use. As such it is important to ensure that the CNI plugin supports both Ingress and Egress network policies.
What does this control test
There are a variety of CNI plugins available for Kubernetes. If the CNI in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster.
How to check it manually
Review the documentation of CNI plugin in use by the cluster, and confirm that it supports Ingress and Egress network policies.
If the CNI plugin in use does not support network policies, consideration should be given to making use of a different plugin, or finding an alternate mechanism for restricting traffic in the Kubernetes cluster.
This will depend on the CNI plugin in use.
Updated 8 days ago