
APP.4.4.A7 #33

Closed
sluetze opened this issue Nov 7, 2023 · 4 comments
new-rules Issue which requires us to write new rules

Comments

sluetze commented Nov 7, 2023

No description provided.

sluetze commented Dec 5, 2023

Networks for the administration of nodes, the control plane, and the individual networks of
application services SHOULD be separated.

rules:
- ?

Only the network ports of the pods necessary for operation SHOULD be released into the
designated networks.

rules:
# check if a network plugin is used which supports network policies
- configure_network_policies
# check that network policies exist in every non control plane namespace
- configure_network_policies_namespaces

If a Kubernetes cluster contains multiple applications, all the network
connections between the Kubernetes namespaces SHOULD first be prohibited and only
required network connections permitted (whitelisting).

rules:
# check that there is a default network policy configured and included
- project_config_and_template_network_policy

The network ports necessary for the
administration of the nodes, the runtime, and Kubernetes (including its extensions) SHOULD
ONLY be accessible from the corresponding administration network and from pods that need
them.
cannot be checked?

Only selected administrators SHOULD be authorised in Kubernetes to manage the CNI and
create or change rules for the network.

rules:
- rbac check if there is a special cluster-admin for cni and network_policies? or check that no one but cluster-admins can manage CNI or network_policies?
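The second and third requirements quoted above (network policies in every non-control-plane namespace, and a default-deny policy that prohibits cross-namespace traffic before anything is whitelisted) can be checked from the cluster's NetworkPolicy objects. The script below is an added example and is not code from this issue or from ComplianceAsCode; the rule names mentioned in the issue are not implemented here. It reads the JSON shape that `kubectl get networkpolicies -A -o json` and `kubectl get namespaces -o json` return, but the input is constructed inline so the check runs offline. The set of namespaces treated as control plane is an assumption and should be adjusted per cluster.

```python
"""Report namespaces that lack a default-deny ingress NetworkPolicy.

Added example (not part of the issue or of ComplianceAsCode). Input follows the
kubectl JSON layout, but the sample objects below are constructed for the demo.
"""
import json
from typing import Iterable, List

# Assumption: namespaces with these names or prefixes belong to the control
# plane / platform and are out of scope for the application-namespace check.
CONTROL_PLANE_NAMES = {"default", "kube-system", "kube-public", "kube-node-lease", "openshift"}
CONTROL_PLANE_PREFIXES = ("kube-", "openshift-")


def is_control_plane_namespace(name: str) -> bool:
    return name in CONTROL_PLANE_NAMES or name.startswith(CONTROL_PLANE_PREFIXES)


def is_default_deny(policy: dict) -> bool:
    """True if the policy denies all ingress to every pod in its namespace.

    Kubernetes semantics: an empty podSelector selects all pods; a policy whose
    policyTypes contains Ingress but that lists no ingress rules allows nothing
    in. If policyTypes is omitted, Ingress is always implied.
    """
    spec = policy.get("spec", {})
    if spec.get("podSelector", {}) not in ({}, {"matchLabels": {}}):
        return False
    if "Ingress" not in set(spec.get("policyTypes", ["Ingress"])):
        return False
    # An absent or empty ingress list means: no ingress is permitted.
    return not spec.get("ingress")


def find_unprotected_namespaces(namespaces: Iterable[str], policies: Iterable[dict]) -> List[str]:
    """Return application namespaces without any default-deny ingress policy."""
    protected = {p["metadata"]["namespace"] for p in policies if is_default_deny(p)}
    return sorted(
        ns for ns in namespaces
        if not is_control_plane_namespace(ns) and ns not in protected
    )


def load_kubectl_list(json_text: str) -> List[dict]:
    """Unwrap the {"items": [...]} envelope that kubectl -o json produces."""
    return json.loads(json_text).get("items", [])


# Constructed sample data: two platform namespaces, three application namespaces.
SAMPLE_NAMESPACES = ["default", "kube-system", "openshift-ingress", "shop", "billing", "monitoring"]
SAMPLE_POLICIES = [
    # shop: proper default-deny, every pod selected, no ingress rules.
    {"metadata": {"name": "default-deny", "namespace": "shop"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    # billing: has a policy, but it only scopes one app and whitelists a peer;
    # pods not matching app=api remain open, so it is not a default-deny.
    {"metadata": {"name": "allow-web-to-api", "namespace": "billing"},
     "spec": {"podSelector": {"matchLabels": {"app": "api"}},
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}]}]}},
    # monitoring: no policy at all.
]


if __name__ == "__main__":
    # Usage with a live cluster would be, e.g.:
    #   policies = load_kubectl_list(open("netpol.json").read())
    missing = find_unprotected_namespaces(SAMPLE_NAMESPACES, SAMPLE_POLICIES)
    for ns in missing:
        print(f"FAIL: namespace {ns} has no default-deny ingress NetworkPolicy")
    if not missing:
        print("PASS: all application namespaces carry a default-deny policy")
```

The check deliberately treats a namespace with only allow-style policies (the `billing` sample) as failing: a selective allow rule restricts only the pods it selects, so the requirement that everything be prohibited first is only met by a policy with an empty `podSelector` and no ingress rules. A CNI that does not enforce NetworkPolicy makes any of these objects inert, which is why the issue lists a separate plugin check first.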

@sluetze sluetze added the new-rules Issue which requires us to write new rules label Dec 11, 2023
@benruland

One comment on

Networks for the administration of nodes, the control plane, and the individual networks of
application services SHOULD be separated.

In on-prem environments, I would see a requirement for an additional IngressController, in order to separate app traffic from admin traffic (e.g. OpenShift console).
Or, one needs to use a solution based on K8S Services of type LoadBalancer using Cloud LBs or MetalLB in on-prem.

@sluetze sluetze self-assigned this Mar 18, 2024
sluetze commented Apr 8, 2024

ComplianceAsCode#11794

sluetze commented Jun 28, 2024

upstream merged

@sluetze sluetze closed this as completed Jun 28, 2024