Control: Namespaces should have a default network policy to deny all egress traffic
Description
Administrators should use a default policy selecting all Pods to deny all egress traffic and ensure any unselected Pods are isolated. Additional policies could then relax these restrictions for permissible connections.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.network_policy_default_deny_egressSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run kubernetes_compliance.control.network_policy_default_deny_egress --shareSQL
This control uses a named query:
with default_deny_egress_count as ( select ns.uid, ns.name as namespace, ns.context_name, ns._ctx, count(pol.*) as num_netpol, ns.tags, ns.path, ns.start_line, ns.end_line, ns.source_type, -- Get the count of default deny Egress policy assoicated to each namespace COUNT(*) FILTER (where policy_types @> '["Egress"]' and pod_selector = '{}' and egress is null) AS num_default_deny from kubernetes_namespace as ns left join kubernetes_network_policy as pol on pol.namespace = ns.name and pol.source_type = ns.source_type group by ns.name, ns.uid, ns.context_name, ns.tags, ns._ctx, ns.path, ns.start_line, ns.end_line, ns.source_type)select coalesce(uid, concat(path, ':', start_line)) as resource, case when num_default_deny > 0 then 'ok' else 'alarm' end as status, namespace || ' has ' || num_default_deny || ' default deny egress policies.' as reason , coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as pathfrom default_deny_egress_count;