Detections
Analytics
5.6.7 Ensure Network Policy is Enabled and set as appropriate
Warning! Audit Deprecated
This audit has been deprecated and will be removed in a future update.
View Next Audit VersionInformation
Use Network Policy to restrict pod to pod traffic within a cluster and segregate workloads.Rationale:
By default, all pod to pod traffic within a cluster is allowed. Network Policy creates a pod-level firewall that can be used to restrict traffic between sources. Pod traffic is restricted by having a Network Policy that selects it (through the use of labels). Once there is any Network Policy in a namespace selecting a particular pod, that pod will reject any connections that are not allowed by any Network Policy. Other pods in the namespace that are not selected by any Network Policy will continue to accept all traffic.
Network Policies are managed via the Kubernetes Network Policy API and enforced by a network plugin, simply creating the resource without a compatible network plugin to implement it will have no effect. GKE supports Network Policy enforcement through the use of Calico.
Impact:
Network Policy requires the Network Policy add-on. This add-on is included automatically when a cluster with Network Policy is created, but for an existing cluster, needs to be added prior to enabling Network Policy.
Enabling/Disabling Network Policy causes a rolling update of all cluster nodes, similar to performing a cluster upgrade. This operation is long-running and will block other operations on the cluster (including delete) until it has run to completion.
If Network Policy is used, a cluster must have at least 2 nodes of type n1-standard-1 or higher. The recommended minimum size cluster to run Network Policy enforcement is 3 n1-standard-1 instances.
Enabling Network Policy enforcement consumes additional resources in nodes. Specifically, it increases the memory footprint of the kube-system process by approximately 128MB, and requires approximately 300 millicores of CPU.
Solution
Using Google Cloud ConsoleGo to Kubernetes Engine by visiting https://console.cloud.google.com/kubernetes/list
Select the cluster for which Network policy is disabled
Click EDIT
Set 'Network policy for master' to 'Enabled'
Click SAVE
Once the cluster has updated, repeat steps 1-3
Set 'Network Policy for nodes' to 'Enabled'
Click SAVE.
Using Command Line
To enable Network Policy for an existing cluster, firstly enable the Network Policy add-on:
gcloud container clusters update [CLUSTER_NAME] \
--zone [COMPUTE_ZONE] \
--update-addons NetworkPolicy=ENABLED
Then, enable Network Policy:
gcloud container clusters update [CLUSTER_NAME] \
--zone [COMPUTE_ZONE] \
--enable-network-policy
Default Value:
By default, Network Policy is disabled.
See Also
Item Details
Audit Name: CIS Google Kubernetes Engine (GKE) v1.3.0 L1
References: CSCv7|9.2, CSCv7|9.4
Plugin: GCP
Control ID: 9188fe1b207fe1d0810d42ab5267199202bbee8138763907fbe1056b98a3cd60