Ensure that application Namespaces have Network Policies defined.
An XCCDF Rule
Description
Use network policies to isolate traffic in your cluster network.
warning alert: Warning
This rule's check operates on the cluster configuration dump.
Therefore, you need to use a tool that can query the OCP API, retrieve the following:
-
/apis/networking.k8s.io/v1/networkpoliciesAPI endpoint, filter with with thejqutility using the following filter[.items[] | select((.metadata.namespace | startswith("openshift") | not) and (.metadata.namespace | startswith("kube-") | not) and .metadata.namespace != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.namespace | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}})) | .metadata.namespace] | uniqueand persist it to the local -
/api/v1/namespacesAPI endpoint, filter with with thejqutility using the following filter[.items[] | select((.metadata.name | startswith("openshift") | not) and (.metadata.name | startswith("kube-") | not) and .metadata.name != "default" and ({{if ne .var_network_policies_namespaces_exempt_regex "None"}}.metadata.name | test("{{.var_network_policies_namespaces_exempt_regex}}") | not{{else}}true{{end}}))]and persist it to the local
Rationale
Running different applications on the same Kubernetes cluster creates a risk of one compromised application attacking a neighboring application. Network segmentation is important to ensure that containers can communicate only with those they are supposed to. When a network policy is introduced to a given namespace, all traffic not allowed by the policy is denied. However, if there are no network policies in a namespace all traffic will be allowed into and out of the pods in that namespace.
- ID
- xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces
- Severity
- High
- References
- Updated