Do not allow public ingress via network policies
| Severity | Exploitability | Providers | Categories |
|---|---|---|---|
| HIGH | HIGH | Kubernetes | NETWORK |
Description
Network policy ingress rules dictate which traffic initiated outside the local network and destined for it is allowed. They are considered the first line of defense in a network security strategy.
Allowing traffic from a /0 CIDR block (0.0.0.0/0) authorizes all incoming traffic, including unauthorized, suspicious and harmful traffic.
In general, it is good practice to avoid very broad network subnets in network policies.
Impact
| Potential data exposure | Visible in logs | User interaction required | Privileges required |
|---|---|---|---|
| True | True | False | False |
- Suspicious traffic is not filtered.
- Unauthorized instance access.
- Exposure to Distributed Denial of Service (DDoS) attacks.
Remediation guidelines
Define a more restrictive firewall ingress rule. A log review may help identify any unwanted connections that were already accepted.
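As an added example (not part of the original page or any vendor's tooling), this Python check walks the ingress rules of a Kubernetes NetworkPolicy and flags any ipBlock whose CIDR is a /0, as described above; it also flags a rule with no `from` peers, which Kubernetes treats as matching all sources (a generalization beyond the /0 case on this page). The two manifests are constructed samples.

```python
import ipaddress

# Constructed sample manifests (not from the original page): the weak policy
# admits every source; the restricted one limits ingress to a private subnet.
WEAK_POLICY = {
    "metadata": {"name": "web-allow-all", "namespace": "prod"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "web"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"ipBlock": {"cidr": "0.0.0.0/0"}}],
                     "ports": [{"protocol": "TCP", "port": 443}]}],
    },
}
RESTRICTED_POLICY = {
    "metadata": {"name": "web-allow-internal", "namespace": "prod"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "web"}},
        "policyTypes": ["Ingress"],
        "ingress": [{"from": [{"ipBlock": {"cidr": "10.20.0.0/16"}},
                              {"namespaceSelector": {"matchLabels": {"team": "frontend"}}}],
                     "ports": [{"protocol": "TCP", "port": 443}]}],
    },
}

def is_unrestricted_cidr(cidr):
    """True for a zero-length prefix (0.0.0.0/0 or ::/0), i.e. every address."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False  # malformed CIDR; the API server rejects these anyway

def find_public_ingress(policy):
    """Return findings for ingress rules in one NetworkPolicy that admit all sources."""
    meta = policy.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    findings = []
    for i, rule in enumerate(policy.get("spec", {}).get("ingress") or []):  # no rules = deny all
        peers = rule.get("from")
        # A rule with no "from" entries matches all sources, the same effect as a /0 block.
        if not peers:
            findings.append(f"{name}: ingress[{i}] has no 'from' peers, allows all sources")
            continue
        for peer in peers:
            cidr = peer.get("ipBlock", {}).get("cidr")
            if cidr and is_unrestricted_cidr(cidr):
                findings.append(f"{name}: ingress[{i}] allows ingress from {cidr}")
    return findings
```

Running `find_public_ingress` over each manifest returned by the cluster (e.g. the items of `kubectl get networkpolicy -A -o json`) gives a quick inventory of policies that violate this rule.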