Control: Namespaces should have a default network policy to deny all ingress traffic

Description

Administrators should use a default policy selecting all Pods to deny all ingress traffic and ensure any unselected Pods are isolated. Additional policies could then relax these restrictions for permissible connections.

Usage

Run the control in your terminal:

powerpipe control run kubernetes_compliance.control.network_policy_default_deny_ingress

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run kubernetes_compliance.control.network_policy_default_deny_ingress --share

SQL

This control uses a named query:

with default_deny_ingress_count as (
  select
    ns.uid,
    ns.name as namespace,
    ns.context_name,
    count(pol.*) as num_netpol,
    ns.tags,
    ns._ctx,
    ns.path,
    ns.start_line,
    ns.end_line,
    ns.source_type,
    -- Get the count of default deny Ingress policy assoicated to each namespace
    count(*) filter (where policy_types @> '["Ingress"]' and pod_selector = '{}' and ingress is null) AS num_default_deny
  from kubernetes_namespace as ns
  left join kubernetes_network_policy as pol on pol.namespace = ns.name and pol.source_type = ns.source_type
  group by
    ns.name,
    ns.uid,
    ns.context_name,
    ns.tags,
    ns._ctx,
    ns.path,
    ns.start_line,
    ns.end_line,
    ns.source_type
)
select
  coalesce(uid, concat(path, ':', start_line)) as resource,
  case
    when num_default_deny > 0  then 'ok'
    else 'alarm'
  end as status,
  namespace || ' has ' || num_default_deny || ' default deny ingress policies.' as reason
  
  , coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as path
from
  default_deny_ingress_count;

Control: Namespaces should have a default network policy to deny all ingress traffic

Description

Usage

SQL

Tags