
lacework-global-346

4.3.1 Ensure latest CNI version is used (Manual)

Profile Applicability

• Level 1

Description

There are a variety of CNI plugins available for Kubernetes. If the CNI in use does not enforce NetworkPolicy objects, it is not possible to effectively restrict pod-to-pod traffic in the cluster.

Rationale

Kubernetes network policies are enforced by the CNI plugin in use; the API server only stores NetworkPolicy objects and will accept them even when nothing enforces them. As such it is important to ensure that the CNI plugin supports both ingress and egress network policies.

Impact

None.

Audit

Identify the CNI plugin running in the cluster (typically a DaemonSet in the kube-system namespace, for example aws-node for the Amazon VPC CNI, calico-node for Calico, or kube-flannel-ds for Flannel), review its documentation, and confirm that it enforces both ingress and egress network policies. Because the API server accepts NetworkPolicy objects regardless of the CNI, a successful kubectl apply proves nothing; confirm enforcement by applying a default-deny policy to a test namespace and verifying from a pod in that namespace that connections which previously succeeded now fail.

Remediation

As with RBAC, network policies should follow least privilege. If the CNI in use does not enforce policies, the remediation is to deploy one that does (for example Calico), since NetworkPolicy objects have no effect on a non-enforcing CNI. Then start with a default-deny policy that blocks all ingress and egress traffic in a namespace (a NetworkPolicy with an empty podSelector and both policyTypes) and add explicit allow rules on top of it; with Calico, a cluster-wide default deny can instead be applied with a GlobalNetworkPolicy. Note that a default-deny egress rule also blocks DNS, so an allow rule for the cluster DNS service is normally needed alongside it.

References

https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/
https://aws.github.io/aws-eks-best-practices/network/

Additional Information

One example here is Flannel (https://github.com/coreos/flannel), which provides pod networking but does not enforce NetworkPolicy on its own; it is commonly paired with Calico for policy enforcement (the combination known as Canal). On such a cluster, NetworkPolicy objects are accepted by the API server but silently have no effect until a policy-enforcing CNI is installed.