Docs
HomeGitHubSign Up

C-0205 - Ensure that the CNI in use supports Network Policies

Suggest Edits

Prerequisites

Run Kubescape with host sensor (see here)

Framework

cis-eks-t1.2.0, cis-v1.23-t1.0.1, cis-aks-t1.2.0

Severity

Medium

Description of the the issue

Kubernetes network policies are enforced by the CNI plugin in use. As such it is important to ensure that the CNI plugin supports both Ingress and Egress network policies.

Related resources

What does this control test

There are a variety of CNI plugins available for Kubernetes. If the CNI in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster.

How to check it manually

Review the documentation of CNI plugin in use by the cluster, and confirm that it supports Ingress and Egress network policies.

Remediation

If the CNI plugin in use does not support network policies, consideration should be given to making use of a different plugin, or finding an alternate mechanism for restricting traffic in the Kubernetes cluster.

Impact Statement

None

Default Value

This will depend on the CNI plugin in use.

Example

No example

Updated 3 months ago