Guide to the Secure Configuration of Amazon Elastic Kubernetes Service
Kubernetes - Network Configuration and Firewalls
An XCCDF Group - A logical subset of the XCCDF Benchmark
6 Rules
Most systems must be connected to a network of some sort, and this brings with it the substantial risk of network attack. This section discusses the security impact of decisions about networking which must be made when configuring a system.
This section also discusses firewalls, network access controls, and other network security frameworks, which allow system-level rules to be written that can limit an attacker's ability to connect to your system. These rules can specify that network traffic should be allowed or denied from certain IP addresses, hosts, and networks. The rules can also specify which of the system's network services are available to particular hosts or networks.
Ensure that application Namespaces have Network Policies defined.
High Severity
Use network policies to isolate traffic in your cluster network.
Ensure Network Policy is Enabled
Unknown Severity
Use Network Policy to restrict pod to pod traffic within a cluster and segregate workloads.
Encrypt Traffic to Load Balancers and Workloads
Unknown Severity
Encrypt traffic to HTTPS load balancers using TLS certificates.
Restrict Access to the Control Plane Endpoint
Unknown Severity
Enable Endpoint Private Access to restrict access to the cluster's control plane to only an allowlist of authorized IPs.
Ensure Private Endpoint Access
Unknown Severity
Disable access to the Kubernetes API from outside the node network if it is not required.
Ensure Cluster Private Nodes
Unknown Severity
Disable public IP addresses for cluster nodes, so that they only have private IP addresses. Private Nodes are nodes with no public IP addresses.