Minimize the admission of pods which lack an associated NetworkPolicy
Description
This policy checks whether pods are admitted without an associated NetworkPolicy, which can lead to unintended network communication. By default, Kubernetes allows all traffic to and from a pod if no NetworkPolicy selects it. This rule is important because it helps prevent potential security risks by ensuring that pods are properly isolated and only allowed to communicate with authorized pods or services. To minimize the admission of pods without a NetworkPolicy, define and apply NetworkPolicies that restrict traffic flow.
Code Example
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
spec:
  # An empty podSelector selects every pod in the namespace the policy lives in.
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  # No ingress rules: all inbound traffic to the selected pods is denied.
  ingress: []
  # No egress rules: all outbound traffic from the selected pods is denied.
  # (A rule of "- {}" here would instead allow all egress, which contradicts a default-deny policy.)
  egress: []
```
Remediation
Create a NetworkPolicy that defines the allowed incoming and outgoing traffic for pods.
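The check this rule performs is a selector match: a pod is covered only if some NetworkPolicy in the same namespace has a podSelector that matches the pod's labels. The following is an added example, not code from the page or from Checkov, that implements that match over constructed in-memory manifests (the pod and policy names, namespaces and labels are sample values, not from the page) and reports the pods that no policy selects.

```python
"""Report pods that are not selected by any NetworkPolicy in their namespace.

Added illustration of the rule's logic; the manifests below are constructed
sample data, not taken from the page.
"""

# Constructed sample pods (dicts shaped like the metadata section of a Pod manifest).
PODS = [
    {"metadata": {"name": "web", "namespace": "prod",
                  "labels": {"app": "web", "tier": "frontend"}}},
    {"metadata": {"name": "db", "namespace": "prod", "labels": {"app": "db"}}},
    {"metadata": {"name": "batch", "namespace": "jobs", "labels": {"app": "batch"}}},
]

# Constructed sample NetworkPolicies (only metadata and spec.podSelector matter here).
POLICIES = [
    {"metadata": {"name": "allow-web", "namespace": "prod"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}},
              "policyTypes": ["Ingress"]}},
    {"metadata": {"name": "allow-frontend", "namespace": "prod"},
     "spec": {"podSelector": {"matchExpressions": [
                  {"key": "tier", "operator": "In", "values": ["frontend"]}]},
              "policyTypes": ["Ingress", "Egress"]}},
    # An empty podSelector selects every pod in its namespace (here: jobs).
    {"metadata": {"name": "default-deny", "namespace": "jobs"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
]


def _expression_matches(labels, expr):
    """Evaluate one LabelSelectorRequirement against a label map."""
    key, op, values = expr["key"], expr["operator"], expr.get("values", [])
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unknown label selector operator: {op}")


def selector_matches(selector, labels):
    """Kubernetes LabelSelector semantics: an empty selector matches everything;
    all matchLabels entries and matchExpressions are ANDed together."""
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions") or []:
        if not _expression_matches(labels, expr):
            return False
    return True


def policies_for_pod(pod, policies):
    """Names of the NetworkPolicies (same namespace) whose podSelector selects the pod."""
    ns = pod["metadata"].get("namespace", "default")
    labels = pod["metadata"].get("labels") or {}
    return [
        p["metadata"]["name"]
        for p in policies
        if p["metadata"].get("namespace", "default") == ns
        and selector_matches(p["spec"].get("podSelector") or {}, labels)
    ]


def pods_without_policy(pods, policies):
    """The finding this rule raises: pods that no NetworkPolicy selects."""
    return [
        f'{pod["metadata"].get("namespace", "default")}/{pod["metadata"]["name"]}'
        for pod in pods
        if not policies_for_pod(pod, policies)
    ]


if __name__ == "__main__":
    for pod in PODS:
        name = f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}'
        print(name, "->", policies_for_pod(pod, POLICIES) or "NO NETWORKPOLICY")
    print("uncovered:", pods_without_policy(PODS, POLICIES))
```

In the sample data only `prod/db` is reported: it carries neither `app: web` nor `tier: frontend`, and the `jobs` default-deny policy does not reach into the `prod` namespace. Note that a matching policy is only part of the picture: which direction it actually restricts depends on its `policyTypes` and rules, and NetworkPolicies are enforced only by a CNI plugin that supports them.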
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1197 |
| Severity | MEDIUM |
| IaC Type | Kubernetes |
| Frameworks | Deployment, Pod |
| Checkov ID | CKV2_K8S_6 |