Skip to main content


4.3.1 Ensure latest CNI version is used (Manual)

Profile Applicability

• Level 1


There are a variety of CNI plugins available for Kubernetes. If the CNI in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster.


Kubernetes network policies are enforced by the CNI plugin in use. As such it is important to ensure that the CNI plugin supports both Ingress and Egress network policies.




Review the documentation of CNI plugin in use by the cluster, and confirm that it supports network policies.


As with RBAC policies, network policies should adhere to the policy of least privileged access. Start by creating a deny all policy that restricts all inbound and outbound traffic from a namespace or create a global policy using Calico.


Additional Information

One example here is Flannel ( which does not support Network policy unless Calico is also in use.