Control: Network policies should not have a default policy to allow all ingress traffic
Description
Administrators should use a default policy selecting all Pods to deny all ingress and egress traffic and ensure any unselected Pods are isolated. An 'allow all' policy would override this default and should not be used. Instead, use specific policies to relax these restrictions only for permissible connections.
Usage
Run the control in your terminal:
powerpipe control run kubernetes_compliance.control.network_policy_default_dont_allow_ingressSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run kubernetes_compliance.control.network_policy_default_dont_allow_ingress --shareSQL
This control uses a named query:
with default_allows_all_ingress_count as ( select namespace, name, uid, context_name, _ctx, tags, p.path, p.start_line, p.end_line, p.source_type, -- Get the count of default allow Ingress policy count(*) filter (where rule = '{}') as num_allow_all_rules from kubernetes_network_policy p left join jsonb_array_elements(ingress) as rule on true group by namespace, name, uid, context_name, rule, policy_types, tags, _ctx, p.path, p.start_line, p.end_line, p.source_type)select coalesce(uid, concat(p.path, ':', p.start_line)) as resource, case when num_allow_all_rules > 0 then 'alarm' else 'ok' end as status, case when num_allow_all_rules > 0 then name || ' allows all ingress' else name || ' does not allow all ingress' end as reason, name as network_policy_name , coalesce(context_name, '') as context_name, namespace, source_type, coalesce(path || ':' || start_line || '-' || end_line, '') as pathfrom default_allows_all_ingress_count p;