lacework-global-346
4.3.1 Ensure latest CNI version is used (Manual)
Profile Applicability
• Level 1
Description
There are a variety of CNI plugins available for Kubernetes. If the CNI in use does not support Network Policies it may not be possible to effectively restrict traffic in the cluster.
Rationale
Kubernetes network policies are enforced by the CNI plugin in use. As such it is important to ensure that the CNI plugin supports both Ingress and Egress network policies.
Impact
None.
Audit
Review the documentation of CNI plugin in use by the cluster, and confirm that it supports network policies.
Remediation
As with RBAC policies, network policies should adhere to the policy of least privileged access. Start by creating a deny all policy that restricts all inbound and outbound traffic from a namespace or create a global policy using Calico.
References
https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/
https://aws.github.io/aws-eks-best-practices/network/
Additional Information
One example here is Flannel (https://github.com/coreos/flannel) which does not support Network policy unless Calico is also in use.