Views:
Profile applicability: Level 2
Use network policies to isolate traffic in the cluster network.
Running different applications on the same Kubernetes cluster creates a risk of one compromised application attacking a neighboring application. Network segmentation is important to ensure that containers can communicate only with those they are supposed to. A network policy is a specification of how selections of pods are allowed to communicate with each other and other network endpoints.
Network Policies are namespace scoped. When a network policy is introduced to a given namespace, all traffic not allowed by the policy is denied. However, if there are no network policies in a namespace all traffic will be allowed into and out of the pods in that namespace.
Note
Note
By default, network policies are not created.

Impact

Once network policies are in use within a given namespace, traffic not explicitly allowed by a network policy will be denied. As such it is important to ensure that, when introducing network policies, legitimate traffic is not blocked.

Audit

Run the below commands and review the NetworkPolicy objects created in the cluster.
Command line statement to show namespaces with 1 or more Network Policies set:
kubectl get ns -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}' | while read ns; do count=$(kubectl get networkpolicy -n "$ns" --no-headers 2>/dev/null | wc -l | tr -d ' ') if [ "$count" -gt 0 ]; then echo -e "${ns}\t${count}" fi done
Command line statement to show namespaces with 0 Network Policies set:
for ns in $(kubectl get ns -o jsonpath='{.items[*].metadata.name}'); do count=$(kubectl get networkpolicy -n "$ns" --no-headers 2>/dev/null | wc -l | tr -d ' ') if [ "$count" -eq 0 ]; then echo -e "${ns}\t${count}" fi done

Remediation

Follow the documentation and create NetworkPolicy objects as needed. See: GKE documentation for more information.