NetworkPolicies in place
Demonstrate that NetworkPolicies are defined, applied to all relevant namespaces and workloads, and actively enforce segmentation rules that restrict pod-to-pod and external network communication according to documented application requirements.
Description
What this control does
NetworkPolicies are Kubernetes-native resources that define rules controlling ingress and egress traffic between pods, namespaces, and external endpoints at the network layer. They function as a distributed firewall within the cluster: once a pod is selected by any policy, it becomes isolated for the directions that policy covers, and traffic not explicitly permitted by an allow rule is denied. Because a pod that no policy selects remains fully open, least-privilege segmentation depends on namespace-wide default-deny policies combined with explicit allow rules. Proper implementation prevents lateral movement, contains breaches, and enforces micro-segmentation boundaries aligned with application trust zones.
Control objective
What auditing this proves
Demonstrate that NetworkPolicies are defined, applied to all relevant namespaces and workloads, and actively enforce segmentation rules that restrict pod-to-pod and external network communication according to documented application requirements.
Associated risks
Risks this control addresses
- Lateral movement by attackers who compromise a single pod and pivot across the cluster without network restrictions
- Unauthorized access to sensitive backend services (databases, internal APIs) from untrusted application tiers or namespaces
- Data exfiltration through unrestricted egress traffic from compromised workloads to external command-and-control servers
- Cross-tenant traffic leakage in multi-tenant environments where namespace isolation is not enforced at the network layer
- Compliance violations due to failure to segregate production and non-production environments or isolate PCI/PII processing workloads
- Deployment of workloads with overly permissive default-allow networking that bypasses security architecture requirements
- Ineffective incident response and containment when network boundaries do not exist to isolate affected components
Testing procedure
How an auditor verifies this control
- Identify the CNI plugin deployed in the Kubernetes cluster and confirm it supports NetworkPolicy enforcement (e.g., Calico, Cilium, Weave Net).
- Execute 'kubectl get networkpolicies --all-namespaces' and export the complete list of NetworkPolicy objects with details.
- Select a representative sample of critical namespaces (production apps, data tier, privileged workloads) and verify each has at least one NetworkPolicy applied.
- Review NetworkPolicy YAML definitions for sampled policies to validate ingress and egress rules match documented application communication requirements and security zones.
- Identify namespaces and pods lacking NetworkPolicy coverage by comparing inventory against applied policies, focusing on default or system namespaces.
- Conduct connectivity testing by deploying a test pod and attempting communication to restricted destinations (other namespaces, external IPs) to verify policy enforcement blocks unauthorized traffic.
- Examine change control records or GitOps commit history to confirm NetworkPolicies are versioned, reviewed, and approved through established processes.
- Validate that default-deny policies exist where required, ensuring pods without explicit allow rules cannot communicate freely within or outside the cluster.
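The coverage and default-deny checks in the procedure above can be run offline against exported cluster data. The following is an added example, not part of the control catalog: it reads the JSON printed by `kubectl get namespaces -o json` and `kubectl get networkpolicies --all-namespaces -o json` (both return a `kind: List` object with an `items` array), applies the NetworkPolicy API's defaulting for `policyTypes` and empty `podSelector`, and reports namespaces with no policy at all, namespaces lacking a namespace-wide default-deny per direction, and policies whose empty `{}` rule actually admits all traffic. The namespace and policy data embedded below is constructed for illustration.

```python
"""Added example (not from the control catalog): audit NetworkPolicy coverage
offline from the JSON that `kubectl get networkpolicies -A -o json` and
`kubectl get namespaces -o json` print. Sample data below is constructed."""
import json
from typing import Dict, List


def policy_types(spec: dict) -> List[str]:
    """Directions a policy governs. When policyTypes is omitted the API defaults
    to Ingress, plus Egress only if an egress section is present."""
    if "policyTypes" in spec:
        return list(spec["policyTypes"])
    return ["Ingress", "Egress"] if "egress" in spec else ["Ingress"]


def selects_all_pods(spec: dict) -> bool:
    """An empty podSelector ({}) selects every pod in the namespace."""
    sel = spec.get("podSelector") or {}
    return not sel.get("matchLabels") and not sel.get("matchExpressions")


def classify(policy: dict) -> dict:
    """Per direction: 'deny-all' (no rules), 'allow-all' (an empty {} rule),
    or 'scoped' (rules with concrete from/to/ports)."""
    spec = policy.get("spec") or {}
    verdicts = {}
    for direction in policy_types(spec):
        rules = spec.get(direction.lower()) or []
        if not rules:
            verdicts[direction] = "deny-all"
        elif any(rule == {} for rule in rules):
            verdicts[direction] = "allow-all"
        else:
            verdicts[direction] = "scoped"
    return {
        "namespace": policy["metadata"]["namespace"],
        "name": policy["metadata"]["name"],
        "namespace_wide": selects_all_pods(spec),
        "directions": verdicts,
    }


def audit(namespaces: List[str], policies: List[dict]) -> Dict[str, List[str]]:
    """Report namespaces with no policy, namespaces lacking a namespace-wide
    default-deny per direction, and policies that contain an allow-all rule."""
    covered, deny = set(), {"Ingress": set(), "Egress": set()}
    findings = {"no_policy": [], "no_default_deny_ingress": [],
                "no_default_deny_egress": [], "allow_all_rules": []}
    for pol in policies:
        c = classify(pol)
        covered.add(c["namespace"])
        for direction, verdict in c["directions"].items():
            if verdict == "allow-all":
                findings["allow_all_rules"].append(
                    f'{c["namespace"]}/{c["name"]} ({direction})')
            elif verdict == "deny-all" and c["namespace_wide"]:
                deny[direction].add(c["namespace"])
    for ns in sorted(namespaces):
        if ns not in covered:
            findings["no_policy"].append(ns)
        if ns not in deny["Ingress"]:
            findings["no_default_deny_ingress"].append(ns)
        if ns not in deny["Egress"]:
            findings["no_default_deny_egress"].append(ns)
    return findings


def audit_kubectl_json(namespaces_json: str, policies_json: str) -> Dict[str, List[str]]:
    """Accept the raw text of both kubectl -o json commands (kind: List)."""
    ns_items = json.loads(namespaces_json)["items"]
    np_items = json.loads(policies_json)["items"]
    return audit([i["metadata"]["name"] for i in ns_items], np_items)


# Constructed sample: three namespaces, policies only in two of them.
SAMPLE_NAMESPACES = json.dumps({"items": [
    {"metadata": {"name": "payments"}},
    {"metadata": {"name": "frontend"}},
    {"metadata": {"name": "sandbox"}},
]})
SAMPLE_POLICIES = json.dumps({"items": [
    {   # namespace-wide default deny for both directions
        "metadata": {"namespace": "payments", "name": "default-deny-all"},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
    },
    {   # scoped allow: only frontend-namespace pods may reach the api pods
        "metadata": {"namespace": "payments", "name": "allow-frontend-to-api"},
        "spec": {"podSelector": {"matchLabels": {"app": "api"}},
                 "ingress": [{"from": [{"namespaceSelector": {
                     "matchLabels": {"kubernetes.io/metadata.name": "frontend"}}}],
                              "ports": [{"port": 8443, "protocol": "TCP"}]}]},
    },
    {   # looks like a policy, but the empty {} rule admits all ingress
        "metadata": {"namespace": "frontend", "name": "allow-everything"},
        "spec": {"podSelector": {}, "ingress": [{}]},
    },
]})

if __name__ == "__main__":
    print(json.dumps(audit_kubectl_json(SAMPLE_NAMESPACES, SAMPLE_POLICIES), indent=2))
```

On the sample, `sandbox` is reported with no policy at all, `frontend` and `sandbox` lack a default-deny in both directions, and `frontend/allow-everything` is flagged as an allow-all rule even though the namespace technically "has a NetworkPolicy". That last case is why step 3 (at least one policy per namespace) is not sufficient on its own and step 7 (default-deny present) is needed: the audit script distinguishes a policy that merely exists from one that isolates the namespace. Against a live cluster, pipe the two kubectl outputs into `audit_kubectl_json`; the result is evidence that can be attached to the control record alongside the connectivity test from step 5.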
Where this control is tested