Open RajikaJain opened 1 month ago
Hello @RajikaJain, Glad to hear you are using netfetch. First of all, the scoring logic was implemented as a placeholder until something more "advanced" was developed. Unfortunately, I have not had time to work on this yet. The score 42 is set as the base score when you start a scan, and this is because I work at a company called fortytwo, so I took some inspiration from that. This base score is subject to change in the future though. Currently, the application checks if you have any policy in your cluster - if you don't, 20 points will be deducted from your base score of 42. In addition to this, every pod not hit by a network policy will reduce your score by 1.
Example:
No network policy present + 10 unprotected pods = 12
Let me know if this sufficiently answers your questions or if you have any more. Thanks again for using netfetch.
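The scoring rule described in the comment above (base 42, minus 20 when there are no policies, minus 1 per pod not selected by any policy), as an added, self-contained Go example. This is not netfetch's own code: the `Pod` and `NetworkPolicy` structs are minimal stand-ins for the Kubernetes objects, only `spec.podSelector.matchLabels` is modelled (no `matchExpressions`, no namespace scoping), the sample pods are constructed inline, and clamping the score at zero is an assumption of this example rather than the tool's stated behaviour.

```go
package main

import "fmt"

// Pod is a minimal stand-in for a Kubernetes pod: a name and its labels.
type Pod struct {
	Name   string
	Labels map[string]string
}

// NetworkPolicy is a minimal stand-in for networking.k8s.io/v1 NetworkPolicy,
// carrying only spec.podSelector.matchLabels. matchExpressions are not modelled
// here (assumption of this example).
type NetworkPolicy struct {
	Name        string
	MatchLabels map[string]string // empty map = selects every pod (default-deny style)
}

// Selects reports whether the policy's podSelector matches the pod using
// Kubernetes matchLabels semantics: every key must be present with an equal
// value, and an empty selector matches all pods.
func (np NetworkPolicy) Selects(p Pod) bool {
	for k, v := range np.MatchLabels {
		got, ok := p.Labels[k]
		if !ok || got != v {
			return false
		}
	}
	return true
}

// UnprotectedPods returns the pods that no policy in the list selects.
func UnprotectedPods(pods []Pod, policies []NetworkPolicy) []Pod {
	var out []Pod
	for _, p := range pods {
		covered := false
		for _, np := range policies {
			if np.Selects(p) {
				covered = true
				break
			}
		}
		if !covered {
			out = append(out, p)
		}
	}
	return out
}

const (
	BaseScore       = 42 // starting score, as described by the maintainer
	NoPolicyPenalty = 20 // deducted when there are zero policies
)

// Score applies the placeholder rule from the comment: start at 42, subtract 20
// if there are no policies at all, then subtract 1 per unprotected pod.
// Clamping at zero is an assumption of this example, not documented behaviour.
func Score(pods []Pod, policies []NetworkPolicy) int {
	score := BaseScore
	if len(policies) == 0 {
		score -= NoPolicyPenalty
	}
	score -= len(UnprotectedPods(pods, policies))
	if score < 0 {
		score = 0
	}
	return score
}

// SamplePods builds n constructed pods; the first webCount carry app=web,
// the rest app=batch. Sample data only, not taken from a real cluster.
func SamplePods(n, webCount int) []Pod {
	pods := make([]Pod, 0, n)
	for i := 0; i < n; i++ {
		app := "batch"
		if i < webCount {
			app = "web"
		}
		pods = append(pods, Pod{Name: fmt.Sprintf("pod-%d", i), Labels: map[string]string{"app": app}})
	}
	return pods
}

func main() {
	pods := SamplePods(10, 3)
	denyAll := NetworkPolicy{Name: "default-deny", MatchLabels: map[string]string{}}
	webOnly := NetworkPolicy{Name: "allow-web", MatchLabels: map[string]string{"app": "web"}}

	fmt.Println("no policies:        ", Score(pods, nil))                     // 42 - 20 - 10 = 12
	fmt.Println("default-deny only:  ", Score(pods, []NetworkPolicy{denyAll})) // every pod selected: 42
	fmt.Println("app=web policy only:", Score(pods, []NetworkPolicy{webOnly})) // 7 batch pods unprotected: 35
}
```

The first case reproduces the maintainer's worked example (no policy + 10 unprotected pods = 12). The second shows why a single empty-selector policy restores the full score under this rule: it selects every pod, so nothing is deducted regardless of what traffic the policy actually allows.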
Hi @deggja Could you please tell me -
@RajikaJain
The score will be incremented on two occasions. Firstly, if there are zero policies, the first policy will greatly increase your score. Secondly, your score will be increased every time any unprotected pod is targeted by a new network policy.
Currently, there is no evaluation in place beyond checking if a policy is either a default deny or some other type of policy. I am currently working on logic that will analyse and evaluate policies that are detected, in addition to updating the scoring logic itself. So improvements are on the way here. All policies in your cluster will still be evaluated, but as long as you have more than zero policies, they are all weighted the same.
That's a very good point. Currently, the score will be capped at 42, meaning that you could essentially have what is deemed an "unsafe" cluster yet still receive the top score of 42 if your cluster is large enough with enough pods targeted by network policies. I will take that into account when updating the scoring logic going forward.
Thank you for your questions. Keep them coming if you have more!
I have been using the Netfetch tool and appreciate its capability to assess the security posture of our Kubernetes namespaces. I have a few questions regarding the scoring mechanism:
Score Derivation: Could you please provide detailed information on how the Netfetch score is calculated? Specifically, how is the base score of 42 determined?
Denominator Basis: What is the rationale behind choosing 42 as the highest possible score? Is there a specific methodology or set of criteria that defines this value?
Impact of Policies: How do Network Policies influence the score? For example, if I apply a new policy, how is the increase in score calculated? Are there specific increments based on the type or number of policies applied?
Understanding these details would greatly assist in interpreting the scores accurately and making informed decisions to improve our cluster's security posture. Thank you