sig-bsi-grundschutz / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://www.open-scap.org/security-policies/scap-security-guide

APP.4.4.A7 #33

Closed: sluetze closed this 2 months ago

sluetze commented 9 months ago

Networks for the administration of nodes, the control plane, and the individual networks of application services SHOULD be separated.

rules:
- ?

Only the network ports of the pods necessary for operation SHOULD be released into the designated networks.

rules:
# check if a network plugin is used which supports network policies
- configure_network_policies
# check that network policies exist in every non control plane namespace
- configure_network_policies_namespaces

If a Kubernetes cluster contains multiple applications, all the network connections between the Kubernetes namespaces SHOULD first be prohibited and only required network connections permitted (whitelisting).

rules:
# check that there is a default network policy configured and included
- project_config_and_template_network_policy

The network ports necessary for the administration of the nodes, the runtime, and Kubernetes (including its extensions) SHOULD ONLY be accessible from the corresponding administration network and from pods that need them. cannot be checked?

Only selected administrators SHOULD be authorised in Kubernetes to manage the CNI and create or change rules for the network.

rules:
- rbac check if there is a special cluster-admin for cni and network_policies? or check that no one but cluster-admins can manage CNI or network_policies?
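
Automating the second and third checks listed above (network policies present in every non-control-plane namespace, and a default deny before whitelisting) comes down to logic like the following. This is an added example written for this issue, not a ComplianceAsCode rule or any code from the project: it assumes that namespaces prefixed `kube-` or `openshift-` belong to the control plane, and the sample namespace and NetworkPolicy objects are constructed in the shape of the Kubernetes API JSON that `kubectl get ... -o json` returns.

```python
"""Find application namespaces that lack a default-deny NetworkPolicy.

Added example for the APP.4.4.A7 discussion, not a ComplianceAsCode rule.
Input objects mimic the Kubernetes API JSON; the samples below are constructed.
"""

# Assumption: namespaces with these prefixes are control plane and are skipped.
CONTROL_PLANE_PREFIXES = ("kube-", "openshift-")


def is_control_plane(ns_name):
    return ns_name.startswith(CONTROL_PLANE_PREFIXES)


def effective_policy_types(spec):
    """Kubernetes default: Ingress, plus Egress only if egress rules are present."""
    policy_types = spec.get("policyTypes")
    if policy_types is None:
        policy_types = ["Ingress"] + (["Egress"] if "egress" in spec else [])
    return policy_types


def is_default_deny(policy, direction="Ingress"):
    """True if the policy selects every pod in its namespace (empty podSelector),
    covers the given direction, and defines no allow rules for it."""
    spec = policy.get("spec", {})
    selector = spec.get("podSelector") or {}
    if selector.get("matchLabels") or selector.get("matchExpressions"):
        return False  # narrowed to some pods, so others stay open
    if direction not in effective_policy_types(spec):
        return False
    # Absent or empty rule list means nothing is allowed; [{}] allows everything.
    return not spec.get(direction.lower())


def namespaces_missing_default_deny(namespaces, policies, direction="Ingress"):
    """Return sorted names of non-control-plane namespaces with no default-deny policy."""
    by_namespace = {}
    for policy in policies:
        by_namespace.setdefault(policy["metadata"]["namespace"], []).append(policy)
    missing = []
    for ns in namespaces:
        name = ns["metadata"]["name"]
        if is_control_plane(name):
            continue
        if not any(is_default_deny(p, direction) for p in by_namespace.get(name, [])):
            missing.append(name)
    return sorted(missing)


# Constructed sample data (not from any real cluster).
SAMPLE_NAMESPACES = [
    {"metadata": {"name": n}}
    for n in ("kube-system", "openshift-ingress", "shop-frontend", "shop-backend", "sandbox")
]

SAMPLE_POLICIES = [
    # shop-frontend: default deny all ingress, then whitelist the ingress controller
    {"metadata": {"name": "default-deny", "namespace": "shop-frontend"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"metadata": {"name": "allow-from-ingress", "namespace": "shop-frontend"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}},
              "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"role": "ingress"}}}],
                           "ports": [{"protocol": "TCP", "port": 8080}]}]}},
    # shop-backend: only a narrowly scoped allow rule, no default deny -> finding
    {"metadata": {"name": "allow-db", "namespace": "shop-backend"},
     "spec": {"podSelector": {"matchLabels": {"app": "db"}},
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "api"}}}]}]}},
    # sandbox: selects all pods but the empty rule allows all ingress -> finding
    {"metadata": {"name": "allow-all", "namespace": "sandbox"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{}]}},
]

if __name__ == "__main__":
    for direction in ("Ingress", "Egress"):
        missing = namespaces_missing_default_deny(SAMPLE_NAMESPACES, SAMPLE_POLICIES, direction)
        print(f"{direction}: namespaces without default deny: {missing}")
```

The egress check is deliberately separate: a policy with `policyTypes: [Ingress]` says nothing about egress, so a namespace can pass the ingress check while still letting every pod open outbound connections to other namespaces.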

benruland commented 8 months ago

One comment on

Networks for the administration of nodes, the control plane, and the individual networks of application services SHOULD be separated.

In on-prem environments, I would see a requirement for an additional IngressController, in order to separate app traffic from admin traffic (e.g. OpenShift console). Or, one needs to use a solution based on K8s Services of type LoadBalancer using cloud LBs, or MetalLB in on-prem.

sluetze commented 5 months ago

https://github.com/ComplianceAsCode/content/pull/11794

sluetze commented 2 months ago

upstream merged