lacework-global-362

5.4.4 Enable Network Policy and set as appropriate (Manual)

Profile Applicability

• Level 1

Description

Amazon Elastic Kubernetes Service (EKS) provides two ways to implement network policy. You choose a network policy option when you create an EKS cluster, and the option cannot be changed after the cluster has been created. One such option is Calico Network Policies, an open source network and network security solution founded by Tigera. Both implementations use Linux iptables to enforce the specified policies: policies become sets of allowed and disallowed IP pairs, which are then programmed as iptables filter rules.

Rationale

By default, all pod to pod traffic within a cluster is allowed. Network Policy creates a pod-level firewall that can be used to restrict traffic between sources. Pod traffic is restricted by having a Network Policy that selects it (through the use of labels). Once there is any Network Policy in a namespace selecting a particular pod, that pod will reject any connections that are not allowed by any Network Policy. Other pods in the namespace that are not selected by any Network Policy will continue to accept all traffic.

Network Policies are managed via the Kubernetes Network Policy API and enforced by a network plugin. Simply creating the resource without a compatible network plugin to implement it will have no effect.
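The selection semantics described above, modelled as an added Python example that is not part of the CIS text or the Lacework page: a pod selected by any policy accepts only ingress that some policy allows, while an unselected pod keeps accepting everything. Pod names, namespaces and labels are constructed, and the model covers only same-namespace podSelector ingress rules (no namespaceSelector, ipBlock or egress).

```python
from dataclasses import dataclass, field


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


@dataclass
class NetworkPolicy:
    namespace: str
    pod_selector: dict                 # {} selects every pod in the namespace
    ingress: list = field(default_factory=list)  # "from" podSelectors
    # An empty ingress list means the selected pods accept no ingress at all.


def matches(selector, labels):
    """matchLabels semantics: every key/value in the selector must be present."""
    return all(labels.get(k) == v for k, v in selector.items())


def ingress_allowed(src, dst, policies):
    """Decide whether traffic from src may reach dst under the given policies."""
    selecting = [p for p in policies
                 if p.namespace == dst.namespace
                 and matches(p.pod_selector, dst.labels)]
    if not selecting:                  # no policy selects dst: default allow-all
        return True
    # Policies are additive: allowed if ANY rule of ANY selecting policy admits src.
    # Simplification (assumption): only same-namespace podSelector rules are modelled.
    return any(src.namespace == dst.namespace and matches(rule, src.labels)
               for policy in selecting for rule in policy.ingress)


def demo():
    # Constructed sample pods and policies.
    frontend = Pod("web-0", "shop", {"role": "frontend"})
    api = Pod("api-0", "shop", {"app": "api"})
    db = Pod("db-0", "shop", {"app": "db"})
    job = Pod("job-0", "batch", {"app": "api"})
    policies = [
        NetworkPolicy("shop", {}, []),                          # default deny in "shop"
        NetworkPolicy("shop", {"app": "api"}, [{"role": "frontend"}]),  # allow frontend -> api
    ]
    return {
        "no_policies_api_to_db": ingress_allowed(api, db, []),          # True: default allow
        "frontend_to_api": ingress_allowed(frontend, api, policies),    # True: explicitly allowed
        "api_to_db": ingress_allowed(api, db, policies),                # False: selected, nothing allows it
        "frontend_to_batch_job": ingress_allowed(frontend, job, policies),  # True: no policy in "batch"
    }
```

The last case is the gotcha the Rationale points at: a pod in a namespace with no policy selecting it stays wide open even when another namespace is locked down.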

Impact

Network Policy requires the Network Policy add-on. This add-on is included automatically when a cluster with Network Policy is created, but for an existing cluster it needs to be added prior to enabling Network Policy.

Enabling/Disabling Network Policy causes a rolling update of all cluster nodes, similar to performing a cluster upgrade. This operation is long-running and will block other operations on the cluster (including delete) until it has run to completion.

Enabling Network Policy enforcement consumes additional resources in nodes. Specifically, it increases the memory footprint of the kube-system process by approximately 128MB, and requires approximately 300 millicores of CPU.

Audit

CIS does not provide audit instructions for this recommendation.

Remediation

Center for Internet Security (CIS) does not provide remediation instructions for this recommendation.