Without NetworkPolicies, any compromised pod in your cluster can initiate connections to any other pod or external service — an attacker who owns the frontend container can directly query your database, scrape environment variables from other pods, or exfiltrate data to an external server. NIST 800-53 SC-7 and AC-4 require network segmentation and information flow enforcement. CIS Kubernetes 5.3.2 mandates network policies. Default Kubernetes networking is flat — every pod can reach every other pod by default, which is the opposite of least-privilege.
High because flat cluster networking means a single compromised pod has unrestricted lateral movement to databases, secret stores, and control plane endpoints.
Deploy default-deny NetworkPolicies in every application namespace, then explicitly allow required communication paths. In k8s/network-policies.yaml:
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: production
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-api-to-db
namespace: production
spec:
podSelector:
matchLabels:
role: database
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
role: api
ports:
- protocol: TCP
port: 5432
Apply the deny-all policy first, then layer explicit allow rules — not the reverse.
ID: infrastructure-hardening.network-tls.network-policies
Severity: high
What to look for: Count all NetworkPolicy resources across all Kubernetes namespaces and manifest directories. For each namespace, check whether a default-deny NetworkPolicy exists for both Ingress and Egress. Enumerate the policyTypes covered by each NetworkPolicy and verify at least 1 NetworkPolicy per namespace enforces default-deny.
Pass criteria: NetworkPolicies are defined with default-deny rules in every namespace that runs application pods. Both Ingress and Egress traffic are restricted to specific pods and ports via explicit allow rules. At least 1 default-deny NetworkPolicy exists per namespace. Report: "X NetworkPolicies found across Y namespaces."
Fail criteria: No NetworkPolicy resources found, or policies are present but overly permissive (allow all traffic, or missing either ingress or egress policyTypes).
Skip (N/A) when: The project does not use Kubernetes, or runs on a non-CNI platform that does not support NetworkPolicies.
Cross-reference: The egress-restricted check further verifies that egress is not open to 0.0.0.0/0.
Detail on fail: Quote the namespace and policy gap. Example: "No NetworkPolicy found in namespace 'production'. Pod-to-pod traffic is unrestricted." or "NetworkPolicy exists but allows traffic from all namespaces via podSelector: {}."
Remediation: Implement default-deny NetworkPolicies and explicitly allow required traffic:
# Default deny all ingress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-ingress
spec:
podSelector: {}
policyTypes:
- Ingress
# Allow traffic from app to database
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-app-to-db
spec:
podSelector:
matchLabels:
role: database
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
role: app
ports:
- protocol: TCP
port: 5432