Kubernetes NetworkPolicies restrict pod-to-pod and pod-to-external traffic

ab-001637 · infrastructure-hardening.network-tls.network-policies

Severity: highactive

Why it matters

Without NetworkPolicies, any compromised pod in your cluster can initiate connections to any other pod or external service — an attacker who owns the frontend container can directly query your database, scrape environment variables from other pods, or exfiltrate data to an external server. NIST 800-53 SC-7 and AC-4 require network segmentation and information flow enforcement. CIS Kubernetes 5.3.2 mandates network policies. Default Kubernetes networking is flat — every pod can reach every other pod by default, which is the opposite of least-privilege.

Severity rationale

High because flat cluster networking means a single compromised pod has unrestricted lateral movement to databases, secret stores, and control plane endpoints.

Remediation

Deploy default-deny NetworkPolicies in every application namespace, then explicitly allow required communication paths. In k8s/network-policies.yaml:

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-to-db
  namespace: production
spec:
  podSelector:
    matchLabels:
      role: database
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              role: api
      ports:
        - protocol: TCP
          port: 5432

Apply the deny-all policy first, then layer explicit allow rules — not the reverse.

Detection

ID: network-policies
Severity: high
What to look for: Count all NetworkPolicy resources across all Kubernetes namespaces and manifest directories. For each namespace, check whether a default-deny NetworkPolicy exists for both Ingress and Egress. Enumerate the policyTypes covered by each NetworkPolicy and verify at least 1 NetworkPolicy per namespace enforces default-deny.
Pass criteria: NetworkPolicies are defined with default-deny rules in every namespace that runs application pods. Both Ingress and Egress traffic are restricted to specific pods and ports via explicit allow rules. At least 1 default-deny NetworkPolicy exists per namespace. Report: "X NetworkPolicies found across Y namespaces."
Fail criteria: No NetworkPolicy resources found, or policies are present but overly permissive (allow all traffic, or missing either ingress or egress policyTypes).
Skip (N/A) when: The project does not use Kubernetes, or runs on a non-CNI platform that does not support NetworkPolicies.
Cross-reference: The egress-restricted check further verifies that egress is not open to 0.0.0.0/0.
Detail on fail: Quote the namespace and policy gap. Example: "No NetworkPolicy found in namespace 'production'. Pod-to-pod traffic is unrestricted." or "NetworkPolicy exists but allows traffic from all namespaces via podSelector: {}."

Remediation: Implement default-deny NetworkPolicies and explicitly allow required traffic:

# Default deny all ingress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes:
    - Ingress

# Allow traffic from app to database
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-app-to-db
spec:
  podSelector:
    matchLabels:
      role: database
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              role: app
      ports:
        - protocol: TCP
          port: 5432

External references

nist:rev5 · SC-7 — Boundary Protection
nist:rev5 · AC-4 — Information Flow Enforcement
external · CIS-Kubernetes-5.3.2 — CIS Kubernetes Benchmark §5.3.2 — Ensure that all Namespaces have Network Policies defined

Taxons

operational-readiness

History

2026-04-18·v1.0.0·Initial import from infrastructure-hardening·automated