Egress traffic is restricted to approved destinations; no open egress to 0.0.0.0/0

Open egress to 0.0.0.0/0 means a compromised pod can exfiltrate data to any external server, download attacker tooling, or call command-and-control infrastructure — the container boundary provides zero containment for outbound traffic (NIST 800-53 SC-7, AC-4). Most production workloads communicate with a small, predictable set of destinations: a database, a few external APIs, and the Kubernetes control plane. Default Kubernetes networking permits unrestricted egress, so without explicit NetworkPolicy egress rules, a compromised pod has an outbound channel to the public internet from inside your cluster perimeter.

Add egress NetworkPolicies to every application namespace in k8s/network-policies.yaml. Start with a blanket deny, then allow specific required destinations:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-egress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - podSelector:
            matchLabels:
              role: database
      ports:
        - protocol: TCP
          port: 5432
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
    - to:
        - ipBlock:
            cidr: 10.0.0.0/8  # Internal VPC only
      ports:
        - protocol: TCP
          port: 443

For external API calls, use a dedicated egress gateway so the allowed destination list is auditable.

• ID: egress-restricted

• Severity: medium

• What to look for: List all NetworkPolicy resources that define egress rules and all cloud provider security group or firewall rules that control outbound traffic. For each policy, check whether egress is restricted to specific CIDR blocks and ports, or is open to 0.0.0.0/0. Count the total egress rules and how many restrict to approved destinations only.

• Pass criteria: 100% of namespaces with application pods have NetworkPolicies or firewall rules that restrict egress to specific, approved destinations (named CIDRs and ports). No open egress to all destinations (0.0.0.0/0 on all ports) — 0 unrestricted egress rules. Report: "X egress rules found, all Y restrict to specific destinations."

• Fail criteria: Egress traffic allows all destinations (0.0.0.0/0 on all ports), or no egress policy is defined (which defaults to allow all outbound).

• Skip (N/A) when: The project does not use Kubernetes or container orchestration.

• Detail on fail: Quote the policy name. Example: "No NetworkPolicy defines egress rules. All outbound traffic is allowed." or "NetworkPolicy 'app-egress' allows egress to 0.0.0.0/0 on all ports"

• Remediation: Restrict egress to approved destinations:

  apiVersion: networking.k8s.io/v1
  kind: NetworkPolicy
  metadata:
    name: deny-egress
  spec:
    podSelector: {}
    policyTypes:
      - Egress
    egress:
      - to:
          - podSelector:
              matchLabels:
                role: database
        ports:
          - protocol: TCP
            port: 5432
      - to:
          - namespaceSelector:
              matchLabels:
                name: kube-system
        ports:
          - protocol: TCP
            port: 53
      - to:
          - ipBlock:
              cidr: 0.0.0.0/0
              except:
                - 169.254.169.254/32  # AWS metadata endpoint
        ports:
          - protocol: TCP
            port: 443