Ensure AKS cluster has Network Policy configured

Default Severity: high

Explanation

The Kubernetes object type NetworkPolicy should be defined to have opportunity allow or block traffic to pods, as in a Kubernetes cluster configured with default settings, all pods can discover and communicate with each other without any restrictions.

Possible Impact

No network policy is protecting the AKS cluster

Suggested Resolution

Configure a network policy

Insecure Example

The following example will fail the azure-container-configured-network-policy check.

 resource "azurerm_kubernetes_cluster" "bad_example" {
    network_profile {
      }
 }

Secure Example

The following example will pass the azure-container-configured-network-policy check.

 resource "azurerm_kubernetes_cluster" "good_example" {
    network_profile {
      network_policy = "calico"
      }
 }

Links

• https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#network_policy

• https://kubernetes.io/docs/concepts/services-networking/network-policies