turbot/steampipe-mod-alicloud-compliance

Control: 7.7 Ensure Network policy is enabled on Kubernetes Engine Clusters

Description

A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other.

Remediation

Only the Terway network plugin supports the Network Policy feature, so do not choose Flannel as the network plugin when creating a cluster. Selecting Terway alone is not sufficient: the query below treats a cluster as compliant only when its terway-eniip add-on configuration has NetworkPolicy set to true, so NetworkPolicy support must also be enabled for Terway. The network plugin cannot be changed after the cluster is created, so an existing Flannel cluster has to be recreated with Terway.

From Console

  1. Log on to the ACK console.
  2. Click the Create Kubernetes Cluster button, select Terway in the Network Plugin option, and enable NetworkPolicy support for it.

Usage

Run the control in your terminal:

powerpipe control run alicloud_compliance.control.cis_v100_7_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run alicloud_compliance.control.cis_v100_7_7 --share

SQL

This control uses a named query:

with network_policy_enabled as (
  select
    cluster_id
  from
    alicloud_cs_kubernetes_cluster,
    jsonb_array_elements(meta_data -> 'Addons') as a
  where
    a ->> 'name' = 'terway-eniip' and
    regexp_replace(a ->> 'config', '\\"', '"', 'g') :: jsonb @> '{"NetworkPolicy":"true"}'
)
select
  arn as resource,
  case
    when a.meta_data -> 'Addons' @> '[{"name": "flannel"}]' then 'skip'
    when n.cluster_id is null then 'alarm'
    else 'ok'
  end as status,
  case
    when a.meta_data -> 'Addons' @> '[{"name": "flannel"}]' then a.title || ' does not support network policy.'
    when n.cluster_id is null then a.title || ' network policy disabled.'
    else a.title || ' network policy enabled.'
  end as reason,
  a.account_id as account_id,
  a.region as region
from
  alicloud_cs_kubernetes_cluster a
  left join network_policy_enabled n on a.cluster_id = n.cluster_id;
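The query depends on one subtle detail: the terway-eniip add-on's config is stored inside meta_data as a string of escaped JSON, which is why it is run through regexp_replace before being cast to jsonb. The following is an added example, not code from the mod: it builds three constructed cluster rows in a CTE named sample_clusters carrying the same columns the control reads from alicloud_cs_kubernetes_cluster, then applies the control's logic to them so the three branches of the case expression (skip, alarm, ok) can be inspected offline. The ARNs, cluster IDs, titles, account ID, regions and the double-escaped config strings are all assumptions made up for the example; if the plugin delivers the config as plain JSON text instead, the regexp_replace step is simply a no-op and the result is unchanged. It runs against any PostgreSQL database via psql, or inside steampipe query, with no plugin installed.

```sql
-- Added example, not part of steampipe-mod-alicloud-compliance.
-- sample_clusters stands in for alicloud_cs_kubernetes_cluster; every row is constructed.
-- The add-on "config" is assumed to be stored as escaped JSON text, so the jsonb literal
-- escapes the backslash itself (\\\") to reproduce a stored value of {\"NetworkPolicy\":\"true\"}.
with sample_clusters(arn, cluster_id, title, account_id, region, meta_data) as (
  values
    -- Terway cluster with NetworkPolicy enabled
    ('acs:cs:cn-hangzhou:123456789012:cluster/c-terway-np', 'c-terway-np', 'prod-terway',
     '123456789012', 'cn-hangzhou',
     '{"Addons":[{"name":"terway-eniip","config":"{\\\"NetworkPolicy\\\":\\\"true\\\"}"}]}'::jsonb),
    -- Terway cluster with NetworkPolicy disabled
    ('acs:cs:cn-hangzhou:123456789012:cluster/c-terway-nonp', 'c-terway-nonp', 'dev-terway',
     '123456789012', 'cn-hangzhou',
     '{"Addons":[{"name":"terway-eniip","config":"{\\\"NetworkPolicy\\\":\\\"false\\\"}"}]}'::jsonb),
    -- Flannel cluster, which cannot enforce NetworkPolicy at all
    ('acs:cs:cn-shanghai:123456789012:cluster/c-flannel', 'c-flannel', 'legacy-flannel',
     '123456789012', 'cn-shanghai',
     '{"Addons":[{"name":"flannel","config":""}]}'::jsonb)
),
-- Same logic as the control's CTE, pointed at the constructed rows.
network_policy_enabled as (
  select
    cluster_id
  from
    sample_clusters,
    jsonb_array_elements(meta_data -> 'Addons') as a
  where
    a ->> 'name' = 'terway-eniip'
    -- a ->> 'config' yields the text {\"NetworkPolicy\":\"true\"}; drop the backslashes,
    -- then cast the cleaned text to jsonb and test containment.
    and regexp_replace(a ->> 'config', '\\"', '"', 'g') :: jsonb @> '{"NetworkPolicy":"true"}'
)
select
  c.arn as resource,
  case
    when c.meta_data -> 'Addons' @> '[{"name": "flannel"}]' then 'skip'
    when n.cluster_id is null then 'alarm'
    else 'ok'
  end as status,
  case
    when c.meta_data -> 'Addons' @> '[{"name": "flannel"}]' then c.title || ' does not support network policy.'
    when n.cluster_id is null then c.title || ' network policy disabled.'
    else c.title || ' network policy enabled.'
  end as reason,
  c.account_id as account_id,
  c.region as region
from
  sample_clusters c
  left join network_policy_enabled n on c.cluster_id = n.cluster_id
order by
  c.cluster_id;
```

Note that a Flannel cluster is reported as skip rather than alarm: the control cannot flag a setting the plugin does not offer, so a skip row here still means the cluster has no pod-level network isolation and needs to be rebuilt on Terway to satisfy the control.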

Tags