Open egress to 0.0.0.0/0 means a compromised pod can exfiltrate data to any external server, download attacker tooling, or call command-and-control infrastructure — the container boundary provides zero containment for outbound traffic (NIST 800-53 SC-7, AC-4). Most production workloads communicate with a small, predictable set of destinations: a database, a few external APIs, and the Kubernetes control plane. Default Kubernetes networking permits unrestricted egress, so without explicit NetworkPolicy egress rules, a compromised pod has an outbound channel to the public internet from inside your cluster perimeter.
Medium because unrestricted egress enables data exfiltration and C2 communication from compromised containers, but requires initial code execution within the pod first.
Add egress NetworkPolicies to every application namespace in k8s/network-policies.yaml. Start with a blanket deny, then allow specific required destinations:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: restrict-egress
namespace: production
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- podSelector:
matchLabels:
role: database
ports:
- protocol: TCP
port: 5432
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
ports:
- protocol: UDP
port: 53
- to:
- ipBlock:
cidr: 10.0.0.0/8 # Internal VPC only
ports:
- protocol: TCP
port: 443
For external API calls, use a dedicated egress gateway so the allowed destination list is auditable.
ID: infrastructure-hardening.monitoring-incident-response.egress-restricted
Severity: medium
What to look for: List all NetworkPolicy resources that define egress rules and all cloud provider security group or firewall rules that control outbound traffic. For each policy, check whether egress is restricted to specific CIDR blocks and ports, or is open to 0.0.0.0/0. Count the total egress rules and how many restrict to approved destinations only.
Pass criteria: 100% of namespaces with application pods have NetworkPolicies or firewall rules that restrict egress to specific, approved destinations (named CIDRs and ports). No open egress to all destinations (0.0.0.0/0 on all ports) — 0 unrestricted egress rules. Report: "X egress rules found, all Y restrict to specific destinations."
Fail criteria: Egress traffic allows all destinations (0.0.0.0/0 on all ports), or no egress policy is defined (which defaults to allow all outbound).
Skip (N/A) when: The project does not use Kubernetes or container orchestration.
Detail on fail: Quote the policy name. Example: "No NetworkPolicy defines egress rules. All outbound traffic is allowed." or "NetworkPolicy 'app-egress' allows egress to 0.0.0.0/0 on all ports"
Remediation: Restrict egress to approved destinations:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-egress
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- podSelector:
matchLabels:
role: database
ports:
- protocol: TCP
port: 5432
- to:
- namespaceSelector:
matchLabels:
name: kube-system
ports:
- protocol: TCP
port: 53
- to:
- ipBlock:
cidr: 0.0.0.0/0
except:
- 169.254.169.254/32 # AWS metadata endpoint
ports:
- protocol: TCP
port: 443