deggja / netfetch

Kubernetes tool for scanning clusters for network policies and identifying unprotected workloads.
MIT License
354 stars 23 forks

Clarification on Netfetch Score Calculation #159

Open RajikaJain opened 1 month ago

RajikaJain commented 1 month ago

I have been using the Netfetch tool and appreciate its capability to assess the security posture of our Kubernetes namespaces. I have a few questions regarding the scoring mechanism:

  1. Score Derivation: Could you please provide detailed information on how the Netfetch score is calculated? Specifically, how is the base score of 42 determined?
  2. Denominator Basis: What is the rationale behind choosing 42 as the highest possible score? Is there a specific methodology or set of criteria that defines this value?
  3. Impact of Policies: How do the Network Policies influence the score? For example, if I apply a new policy, how is the increase in score calculated? Are there specific increments based on the type or number of policies applied?

Understanding these details would greatly assist in interpreting the scores accurately and making informed decisions to improve our cluster's security posture. Thank you.

deggja commented 1 month ago

Hello @RajikaJain, glad to hear you are using netfetch. First of all, the scoring logic was implemented as a placeholder until something more "advanced" was developed. Unfortunately, I have not had time to work on this yet. The score 42 is set as the base score when you start a scan, and this is because I work at a company called fortytwo, so I took some inspiration from that. This base score is subject to change in the future though. Currently, the application checks if you have any policy in your cluster - if you don't, 20 points will be deducted from your base score of 42. In addition to this, every pod not hit by a network policy will reduce your score by 1.

Example:

No network policy present + 10 unprotected pods = 12

Let me know if this sufficiently answers your questions or if you have any more. Thanks again for using netfetch.

RajikaJain commented 1 month ago

Hi @deggja Could you please tell me -

  1. How is the score incremented when a new policy is applied?
  2. Are there specific increments based on the type or number of policies applied? Specifically, I would like to understand how Netfetch interacts with existing network policies that are already running on some pods in our cluster. If our Kubernetes cluster has predefined network policies that differ from those suggested by Netfetch, how will the tool recognize and evaluate these policies? What kind of algorithm is it using to detect, read and understand Network policy? Will Netfetch still consider them when calculating the score, and if so, how does it define the impact of these policies on the overall score?
  3. Large Clusters: If we have a very large Kubernetes cluster with more than 42 unprotected pods, how will Netfetch calculate the score? Specifically, how does the scoring mechanism handle scenarios where the number of unprotected pods exceeds the base score of 42?

deggja commented 1 month ago

@RajikaJain

  1. The score will be incremented on two occasions. Firstly, if there are zero policies, the first policy will greatly increase your score. Secondly, your score will be increased every time any unprotected pod is targeted by a new network policy.

  2. Currently, there is no evaluation in place beyond checking if a policy is either a default deny or some other type of policy. Currently working on logic that will analyse and evaluate policies that are detected, in addition to updating the scoring logic itself. So improvements are on the way here. All policies in your cluster will still be evaluated, but as long as you have more than zero policies, they are all weighted the same.

  3. That's a very good point. Currently, the score will be capped at 42, meaning that you could essentially have what is deemed an "unsafe" cluster yet still receive the top score of 42 if your cluster is large enough with enough pods targeted by network policies. I will take that into account when updating the scoring logic going forward.

Thank you for your questions. Keep them coming if you have more!
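The following Go program is an added illustration of the scoring rule deggja describes above (base 42, minus 20 when the cluster has no policies, minus 1 per pod not hit by any policy) together with the "is this pod targeted by a policy" check that the second question asks about. It is not netfetch's own code. It assumes the standard Kubernetes semantics that a NetworkPolicy only applies to pods in its own namespace and that an empty `spec.podSelector` selects every pod there; it models only `matchLabels` (not `matchExpressions`), and the pod and policy values are constructed sample data.

```go
package main

import (
	"fmt"
	"sort"
)

// Labels is a pod's metadata.labels map.
type Labels map[string]string

// Pod is a minimal stand-in for a Kubernetes Pod (constructed for this example).
type Pod struct {
	Namespace string
	Name      string
	Labels    Labels
}

// NetworkPolicy is a minimal stand-in for a networking.k8s.io/v1 NetworkPolicy.
// Only spec.podSelector.matchLabels is modelled; matchExpressions is left out
// (an assumption for brevity, not a description of netfetch's own parser).
type NetworkPolicy struct {
	Namespace   string
	Name        string
	MatchLabels Labels // empty map = selects every pod in the namespace
}

// Selects reports whether the policy's podSelector targets the pod.
// Kubernetes semantics: a NetworkPolicy is namespaced, and an empty
// podSelector matches all pods in that namespace.
func (np NetworkPolicy) Selects(p Pod) bool {
	if np.Namespace != p.Namespace {
		return false
	}
	for k, v := range np.MatchLabels {
		if p.Labels[k] != v {
			return false
		}
	}
	return true
}

// UnprotectedPods returns "namespace/name" for every pod that no policy selects.
func UnprotectedPods(pods []Pod, policies []NetworkPolicy) []string {
	var out []string
	for _, p := range pods {
		covered := false
		for _, np := range policies {
			if np.Selects(p) {
				covered = true
				break
			}
		}
		if !covered {
			out = append(out, p.Namespace+"/"+p.Name)
		}
	}
	sort.Strings(out)
	return out
}

const (
	baseScore          = 42 // starting score per the thread
	noPolicyPenalty    = 20 // deducted once if the cluster has zero policies
	unprotectedPenalty = 1  // deducted per pod not hit by any policy
)

// Score applies the rule stated in the thread. No floor is applied because
// the thread does not state one.
func Score(pods []Pod, policies []NetworkPolicy) int {
	score := baseScore
	if len(policies) == 0 {
		score -= noPolicyPenalty
	}
	score -= unprotectedPenalty * len(UnprotectedPods(pods, policies))
	return score
}

func main() {
	// Constructed sample: three pods in "shop", one policy covering only app=web.
	pods := []Pod{
		{Namespace: "shop", Name: "web-0", Labels: Labels{"app": "web"}},
		{Namespace: "shop", Name: "api-0", Labels: Labels{"app": "api"}},
		{Namespace: "shop", Name: "db-0", Labels: Labels{"app": "db"}},
	}
	policies := []NetworkPolicy{
		{Namespace: "shop", Name: "web-ingress", MatchLabels: Labels{"app": "web"}},
	}
	fmt.Println("unprotected:", UnprotectedPods(pods, policies)) // [shop/api-0 shop/db-0]
	fmt.Println("score with policy:", Score(pods, policies))       // 40
	fmt.Println("score without policies:", Score(pods, nil))       // 19
}
```

The deggja example from the thread (no policy, 10 unprotected pods) comes out as 42 - 20 - 10 = 12 under this rule; the same ten pods covered by a single empty-selector policy in their namespace score the full 42, which is the "large cluster still gets top score" effect discussed in point 3.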