Pod Misconfigured Network Policy

  • Query id: 0401f71b-9c1e-4821-ab15-a955caa621be
  • Query name: Pod Misconfigured Network Policy
  • Platform: Kubernetes
  • Severity: Medium
  • Category: Networking and Firewall
  • URL: Github

Description

Check if any pod is not being targeted by a proper network policy.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
  name: positive1-pod
  namespace: positive1-one
  labels:
    app: shouldmatch
spec:
  containers:
  - name: nginx
    image: nginx:1.14.2
    ports:
    - containerPort: 80
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: positive1-netpol
  labels:
    policy: no-ingress-no-egress
  namespace: positive1-anotherone
spec:
  podSelector:
    matchLabels:
      app: shouldmatch
  policyTypes: []
Positive test num. 2 - yaml file
apiVersion: v1
kind: Pod
metadata:
  name: positive2-pod
  namespace: positive2
spec:
  containers:
  - name: nginx
    image: nginx:1.14.2
    ports:
    - containerPort: 80
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: positive2-netpol
  namespace: positive2
spec:
  podSelector: {}
  policyTypes: []

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: v1
kind: Pod
metadata:
  name: negative1-pod
  namespace: negative1
spec:
  securityContext:
    runAsUser: 1000
  containers:
  - name: app
    image: images.my-company.example/app:v4
    securityContext:
      allowPrivilegeEscalation: false
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: negative1-policy
  namespace: negative1
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
Negative test num. 2 - yaml file
apiVersion: v1
kind: Pod
metadata:
  name: negative2-pod
  namespace: negative2-namespace
  labels:
    app: negative2-app
spec:
  securityContext:
    runAsUser: 1000
  containers:
  - name: app
    image: images.my-company.example/app:v4
    securityContext:
      allowPrivilegeEscalation: false
    resources:
      requests:
        memory: "64Mi"
        cpu: "250m"
      limits:
        memory: "128Mi"
        cpu: "500m"
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: negative2-policy
  namespace: negative2-othernamespace
spec:
  podSelector:
    matchLabels:
      app: negative2-app
  policyTypes:
  - Ingress
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978
Negative test num. 3 - yaml file
apiVersion: v1
kind: Pod
metadata:
  name: negative3-pod
  namespace: negative3
spec:
  containers:
  - name: nginx
    image: nginx:1.14.2
    ports:
    - containerPort: 80
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: negative3-netpol
  labels:
    policy: just-egress
  namespace: negative3
spec:
  podSelector: {}
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - protocol: TCP
      port: 5978