Profile Applicability: Level 1
When you run modern, microservices-based applications in Kubernetes, you often want to control which components can communicate with each other. The principle of least privilege should be applied to how traffic can flow between pods in an Azure Kubernetes Service (AKS) cluster. For example, you likely want to block traffic sent directly to back-end applications. The Network Policy feature in Kubernetes lets you define rules for ingress and egress traffic between pods in a cluster.
By default, all pods in an AKS cluster can send and receive traffic without limitations. To improve security, you can define rules that control the flow of traffic. For example, back-end applications are often exposed only to the front-end services that need them, or database components are made accessible only to the application tiers that connect to them.
Network Policy is a Kubernetes specification that defines access policies for communication between Pods. Using Network Policies, you define rules for sending and receiving traffic and apply them to the collection of pods that match one or more label selectors. Policies are additive rather than ordered: a pod selected by at least one policy for a given direction (ingress or egress) becomes isolated in that direction and only accepts the traffic that the union of the policies selecting it allows; everything else is dropped.
These network policy rules are defined as YAML manifests. Network policies can be included as part of a wider manifest that also creates a deployment or service.
Note: By default, Network Policy is disabled.
Impact
Network Policy requires a network policy engine. In AKS the engine is selected through the cluster's network profile (for example --network-policy azure or --network-policy calico on az aks create). A cluster created without one does not enforce NetworkPolicy objects: the API server accepts them, but they have no effect on traffic.
Enabling/Disabling Network Policy causes a rolling update of all cluster nodes, similar to performing a cluster upgrade. This operation is long-running and will block other operations on the cluster (including delete) until it has run to completion.
If Network Policy is used, a cluster must have at least 2 nodes. The recommended minimum size cluster to run Network Policy enforcement is 3 nodes. Enabling Network Policy enforcement consumes additional resources on nodes. Specifically, it increases the memory footprint of the kube-system components by approximately 128MB, and requires approximately 300 millicores of CPU.
Audit
Run the following and confirm that the returned value is not null; it should be the name of the configured engine (azure or calico):
export RESOURCE_GROUP=<your resource group>
export CLUSTER_NAME=<your cluster name>
az aks show --name ${CLUSTER_NAME} --resource-group ${RESOURCE_GROUP} \
    --query "networkProfile.networkPolicy" -o tsv
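The single-cluster check above does not scale to a subscription with many clusters. The script below is an added example (not part of the benchmark) that lists every AKS cluster visible to the logged-in Azure CLI session and reports a PASS/FAIL verdict per cluster. The verdict logic is kept separate from the az calls so it can be exercised on constructed data; treating cilium as enforcing, alongside azure and calico, is an assumption based on Azure CNI powered by Cilium reporting that value.

```shell
# Added example, not from the benchmark: subscription-wide audit of
# networkProfile.networkPolicy. Needs a logged-in Azure CLI for the live path.

# Map the networkPolicy value to a verdict. "azure" (Azure Network Policy
# Manager), "calico" and "cilium" enforce NetworkPolicy objects; null, none or an
# empty value means policies are accepted by the API but silently ignored.
network_policy_verdict() {
  case "$1" in
    azure|calico|cilium) echo "PASS" ;;
    *)                   echo "FAIL" ;;
  esac
}

# Read "name<TAB>resourceGroup<TAB>networkPolicy" lines on stdin (the shape
# produced by az aks list below) and print "VERDICT name rg engine" per cluster.
verdicts_from_tsv() {
  tab="$(printf '\t')"
  while IFS="$tab" read -r name rg engine; do
    [ -n "$name" ] || continue
    echo "$(network_policy_verdict "$engine") $name $rg ${engine:-null}"
  done
}

# Count failing clusters in a verdict report read from stdin (prints 0 if none).
count_failures() {
  grep -c '^FAIL ' || true
}

# Live audit: list clusters, evaluate, and exit non-zero if any lack enforcement.
audit_subscription() {
  report="$(az aks list \
      --query "[].[name,resourceGroup,networkProfile.networkPolicy]" -o tsv |
    verdicts_from_tsv)"
  echo "$report"
  [ "$(echo "$report" | count_failures)" -eq 0 ]
}

# Only touch Azure when explicitly asked: ./audit.sh --live
if [ "${1:-}" = "--live" ]; then
  audit_subscription
fi
```

A FAIL line names the cluster and its resource group, which is what the Remediation section below needs; a cluster that reports none or null has no policy engine and every NetworkPolicy in it is inert.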
Remediation
Select a network policy engine when creating the cluster, for example az aks create ... --network-policy calico (or --network-policy azure for Azure Network Policy Manager), then write NetworkPolicy manifests that segment and isolate traffic between pods: start with a default-deny policy in each application namespace and add explicit allow rules only for the flows the application requires.