AKS cluster should have Network Policy configured

Severity: HIGH
Exploitability: MEDIUM
Providers: Azure
Categories: NETWORK

Description

In Azure Kubernetes Service (AKS), you can set a Network Policy to define rules for ingress and egress traffic between pods in a cluster. By default, all ingress and egress traffic to and from pods is allowed.

Impact

Potential data exposure: True
Visible in logs: False
User interaction required: False
Privileges required: False

Without a Network Policy configured, AKS clusters are at risk of Distributed Denial-of-Service (DDoS) attacks. There may also be a risk of data exposure if a brute-force attack is conducted.

Remediation guidelines

Configure a Network Policy for AKS clusters, so that only known pods, namespaces and IPs are allowed.
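One way to audit for this finding, as an added example that is not part of the original page: the script flags clusters with no network policy engine and namespaces with no default-deny policy. The inline JSON is constructed sample data shaped like `az aks list -o json` and `kubectl get networkpolicy -A -o json`; the cluster names, namespace names and function names are assumptions.

```python
import json

# Constructed sample, trimmed to the fields used, shaped like `az aks list -o json`.
CLUSTERS = json.loads("""[
  {"name": "aks-prod", "networkProfile": {"networkPolicy": "calico"}},
  {"name": "aks-dev",  "networkProfile": {"networkPolicy": null}},
  {"name": "aks-test", "networkProfile": {"networkPolicy": "none"}}
]""")

# Constructed sample shaped like `kubectl get networkpolicy -A -o json`.
POLICIES = json.loads("""{"items": [
  {"metadata": {"name": "default-deny", "namespace": "payments"},
   "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
  {"metadata": {"name": "allow-web", "namespace": "shop"},
   "spec": {"podSelector": {"matchLabels": {"app": "web"}},
            "policyTypes": ["Ingress"],
            "ingress": [{"from": [{"ipBlock": {"cidr": "10.0.0.0/16"}}]}]}}
]}""")


def clusters_without_policy_engine(clusters):
    """Names of clusters whose networkProfile.networkPolicy is unset or 'none'."""
    flagged = []
    for cluster in clusters:
        engine = (cluster.get("networkProfile") or {}).get("networkPolicy")
        if not engine or engine.lower() == "none":
            flagged.append(cluster["name"])
    return flagged


def is_default_deny(policy, direction="Ingress"):
    """True if the policy selects every pod and has no allow rule for direction."""
    spec = policy.get("spec") or {}
    # An empty podSelector (or empty matchLabels) selects all pods in the namespace.
    selects_all = not any((spec.get("podSelector") or {}).values())
    types = spec.get("policyTypes") or ["Ingress"]
    return selects_all and direction in types and not spec.get(direction.lower())


def namespaces_missing_default_deny(namespaces, policies, direction="Ingress"):
    """Namespaces with no policy that denies all traffic in `direction` by default."""
    covered = {p["metadata"]["namespace"]
               for p in policies["items"] if is_default_deny(p, direction)}
    return sorted(set(namespaces) - covered)


if __name__ == "__main__":
    print(clusters_without_policy_engine(CLUSTERS))
    print(namespaces_missing_default_deny(["default", "payments", "shop"], POLICIES))
```

The `shop` namespace is reported even though it has a policy: `allow-web` restricts only pods labelled `app: web`, so every other pod in that namespace still accepts all ingress traffic.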
