π‘οΈ Google GKE Cluster Network policy is disabled.π’
- Contextual name: π‘οΈ Cluster Network policy is disabledπ’
- ID:
/ce/ca/google/gke/cluster-network-policy - Tags:
- π’ Policy with categories
- π’ Policy with type
- π’ Production policy
- Policy Type:
COMPLIANCE_POLICY - Policy Categories:
SECURITY,RELIABILITY
Logicβ
- π§ prod.logic.yamlπ’
Descriptionβ
Descriptionβ
A network policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. NetworkPolicy resources use labels to select pods and define rules which specify what traffic is allowed to the selected pods. The Kubernetes Network Policy API allows the cluster administrator to specify what pods are allowed to communicate with each other.
Rationaleβ
By default, pods are non-isolated; they accept traffic from any source. Pods become isolated by having a NetworkPolicy that selects them. Once there is any NetworkPolicy in a namespace selecting a particular pod, that pod will reject any connections that are not allowed by any NetworkPolicy. (Other pods in the namespace that are not selected by any NetworkPolicy will continue to accept all traffic.)
Auditβ
From Google Cloud Consoleβ
- Go to Kubernetes GCP Console visiting https://console.cloud.google.com/kubernetes/list?
- From the list of clusters, make sure for each cluster
Network policy for masterandNetwork policy for nodesare Enabled under Cluster section... see more
Remediationβ
Remediationβ
From Google Cloud Consoleβ
- Go to Kubernetes GCP Console by visiting https://console.cloud.google.com/kubernetes/list?
- Select Kubernetes clusters for which Network policy is disabled
- Click on EDIT button and Set
Network policy for masterandNetwork policy for nodestoEnabledunder Cluster sectionFrom Google Cloud CLIβ
To enable Network policy for an existing cluster, run the following command:
```sh
gcloud container clusters update [CLUSTER_NAME] --zone [COMPUTE_ZONE] --enable-network-policy
```