GCP Kubernetes Engine Clusters Have Network Policy Disabled

This policy identifies Kubernetes Engine clusters that have network policy disabled. A network policy defines how groups of pods are allowed to communicate with each other and with other network endpoints. Once network policy is enabled and a policy selects a pod in a namespace, any connection to or from that pod that the policy does not explicitly allow is rejected; without it, all pods in the cluster can reach each other freely.

Policy Details

Policy Subtype: Run, Build
Severity: Medium
Template Type: Terraform

Build Rules

GCP Kubernetes Engine Clusters have Network policy disabled.
JSON Query:
$.resource[*].google_container_cluster exists and ($.resource[*].google_container_cluster.*[*].*.network_policy anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].network_policy_config anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].network_policy_config[*].disabled anyNull or $.resource[*].google_container_cluster.*[*].*.addons_config[*].network_policy_config[*].disabled anyTrue)
Recommendation:
Enable network policy on the GCP Kubernetes Engine cluster. Ensure that the "network_policy" block is present and that "network_policy_config" under "addons_config" is enabled (that is, not disabled) in the template.
For example:
"google_container_cluster": [
  {
    "<container_cluster_name>": [
      {
        "network_policy": [
          { "enabled": true, "provider": "CALICO" }
        ],
        "addons_config": [
          {
            "network_policy_config": [
              { "disabled": false }
            ]
          }
        ]
      }
    ]
  }
]
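To make the build rule concrete, the following added example (not Prisma Cloud's code or the scanner's query engine) re-implements the four conditions of the JSON query above in Python and runs them over a constructed Terraform JSON document containing a compliant cluster, one with the add-on explicitly disabled, and one with no network policy configuration at all. The resource names and the sample template are constructed for illustration; the one interpretation assumed beyond the page is that a path which does not exist at all counts as "null" for the anyNull checks.

```python
"""Evaluate the 'network policy disabled' build rule over a Terraform JSON document.

Added example, not the scanner's own implementation. It mirrors the four disjuncts
of the page's JSON query:
  network_policy anyNull
  addons_config[*].network_policy_config anyNull
  addons_config[*].network_policy_config[*].disabled anyNull
  addons_config[*].network_policy_config[*].disabled anyTrue
"""
import json
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    """Blocks may appear as a single object (plain Terraform JSON syntax) or as a
    list of objects (the list-wrapped form shown on this page); normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def cluster_violates(body: Dict[str, Any]) -> bool:
    """True when one google_container_cluster body fails the rule.

    Assumption: a block or attribute that is absent is treated as null, which is
    the conservative reading of anyNull (a missing block cannot be 'enabled').
    """
    if not _as_list(body.get("network_policy")):
        return True                      # network_policy anyNull
    addons_blocks = _as_list(body.get("addons_config"))
    if not addons_blocks:
        return True                      # no addons_config at all -> config is null
    for addons in addons_blocks:
        npc_blocks = _as_list(addons.get("network_policy_config"))
        if not npc_blocks:
            return True                  # network_policy_config anyNull
        for npc in npc_blocks:
            disabled = npc.get("disabled")
            if disabled is None or disabled is True:
                return True              # disabled anyNull or disabled anyTrue
    return False


def find_violations(tf_json: Dict[str, Any]) -> List[str]:
    """Names of google_container_cluster resources in the document that fail the rule."""
    failing: List[str] = []
    for resource in _as_list(tf_json.get("resource")):
        for named in _as_list(resource.get("google_container_cluster")):
            for name, bodies in named.items():
                if any(cluster_violates(b) for b in _as_list(bodies)):
                    failing.append(name)
    return failing


# Constructed sample template in the list-wrapped form used on this page:
# "hardened" passes, "legacy" disables the add-on, "bare" has no policy config.
SAMPLE_TEMPLATE = json.loads("""
{
  "resource": [
    {
      "google_container_cluster": [
        {
          "hardened": [
            {
              "name": "hardened",
              "network_policy": [{"enabled": true, "provider": "CALICO"}],
              "addons_config": [{"network_policy_config": [{"disabled": false}]}]
            }
          ],
          "legacy": [
            {
              "name": "legacy",
              "network_policy": [{"enabled": true, "provider": "CALICO"}],
              "addons_config": [{"network_policy_config": [{"disabled": true}]}]
            }
          ],
          "bare": [
            {"name": "bare"}
          ]
        }
      ]
    }
  ]
}
""")


if __name__ == "__main__":
    print("clusters failing the rule:", find_violations(SAMPLE_TEMPLATE))
```

One caveat visible from the query itself: none of its four conditions inspects the value of `network_policy.enabled`, so a template that declares a `network_policy` block with `enabled = false` while leaving the add-on's `disabled = false` would pass this build rule even though the cluster would not enforce policies; the run rule against the live cluster is the check that catches that case.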

Run Rule Recommendation

  1. Login to GCP Portal.
  2. Go to Kubernetes Engine (Left Panel).
  3. Select Kubernetes clusters.
  4. From the list of clusters, choose the reported cluster.
  5. Click on EDIT button.
  6. Set 'Network policy for master' and 'Network policy for nodes' to Enabled.
  7. Click on Save.

Compliance

There are 9 standards that are applicable to this policy:
  • PCI DSS v3.2
  • HIPAA
  • CSA CCM v3.0.1
  • SOC 2
  • CIS v1.0.0 (GCP)
  • PIPEDA
  • ISO 27001:2013
  • CCPA 2018
  • NIST 800-53 Rev4
