Public egress should not be allowed via network policies
Default Severity: high
Explanation
Network policies should not allow pods to reach the public internet except where that access is explicitly required.
Possible Impact
Exfiltration of data to the public internet
Suggested Resolution
Remove public egress (an egress `ip_block` such as 0.0.0.0/0) except where it is explicitly required, and restrict the allowed destinations to the internal ranges the workload actually needs.
Insecure Example
The following example will fail the kubernetes-network-no-public-egress check.
resource "kubernetes_network_policy" "bad_example" {
  metadata {
    name      = "terraform-example-network-policy"
    namespace = "default"
  }

  spec {
    pod_selector {
      match_expressions {
        key      = "name"
        operator = "In"
        values   = ["webfront", "api"]
      }
    }

    egress {
      ports {
        port     = "http"
        protocol = "TCP"
      }
      ports {
        port     = "8125"
        protocol = "UDP"
      }

      to {
        ip_block {
          cidr = "0.0.0.0/0"
          except = [
            "10.0.0.0/24",
            "10.0.1.0/24",
          ]
        }
      }
    }

    ingress {
      ports {
        port     = "http"
        protocol = "TCP"
      }
      ports {
        port     = "8125"
        protocol = "UDP"
      }

      from {
        ip_block {
          cidr = "10.0.0.0/16"
          except = [
            "10.0.0.0/24",
            "10.0.1.0/24",
          ]
        }
      }
    }

    policy_types = ["Ingress", "Egress"]
  }
}
Secure Example
The following example will pass the kubernetes-network-no-public-egress check.
resource "kubernetes_network_policy" "good_example" {
  metadata {
    name      = "terraform-example-network-policy"
    namespace = "default"
  }

  spec {
    pod_selector {
      match_expressions {
        key      = "name"
        operator = "In"
        values   = ["webfront", "api"]
      }
    }

    egress {
      ports {
        port     = "http"
        protocol = "TCP"
      }
      ports {
        port     = "8125"
        protocol = "UDP"
      }

      to {
        ip_block {
          cidr = "10.0.0.0/16"
          except = [
            "10.0.0.0/24",
            "10.0.1.0/24",
          ]
        }
      }
    }

    ingress {
      ports {
        port     = "http"
        protocol = "TCP"
      }
      ports {
        port     = "8125"
        protocol = "UDP"
      }

      from {
        ip_block {
          cidr = "10.0.0.0/16"
          except = [
            "10.0.0.0/24",
            "10.0.1.0/24",
          ]
        }
      }
    }

    policy_types = ["Ingress", "Egress"]
  }
}
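The difference between the two examples is only the egress `ip_block` CIDR, so the check comes down to one question: can any address that the egress rule allows, after the `except` list is removed, lie outside private address space? The Python below is an added example, not the tool's own implementation of this check. It generalizes beyond the literal `0.0.0.0/0` case by subtracting both the `except` ranges and the private ranges (RFC 1918, loopback, link-local, CGNAT, and their IPv6 counterparts) from the allowed CIDR and flagging whatever remains, so a range such as `10.0.0.0/7` that spills past private space is also caught. The `BAD_POLICY` and `GOOD_POLICY` dictionaries are hand-built from the two HCL examples above (constructed input, not parsed from Terraform), and the two extra caveats in `public_egress_findings` (an egress rule with no `to` peers, and `policy_types` without `"Egress"`) follow Kubernetes NetworkPolicy semantics rather than anything stated on this page.

```python
import ipaddress
from typing import Iterable, List

# Address space that egress may reach without touching the public internet.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 counterparts
)]


def _subtract(blocks, net):
    """Remove `net` from a list of networks, splitting blocks where needed."""
    out = []
    for b in blocks:
        if b.version != net.version or not b.overlaps(net):
            out.append(b)                        # disjoint: keep as is
        elif net.supernet_of(b):
            continue                             # fully covered: drop it
        else:
            out.extend(b.address_exclude(net))   # net is strictly inside b: split
    return out


def cidr_reaches_public(cidr: str, excepts: Iterable[str] = ()) -> bool:
    """True if `cidr` minus `excepts` still contains any non-private address."""
    remaining = [ipaddress.ip_network(cidr, strict=False)]
    for ex in excepts:
        remaining = _subtract(remaining, ipaddress.ip_network(ex, strict=False))
    for priv in PRIVATE_NETWORKS:
        remaining = _subtract(remaining, priv)
    return bool(remaining)


def public_egress_findings(policy: dict) -> List[str]:
    """Return one finding per egress rule that can reach the public internet."""
    findings = []
    types = policy.get("policy_types")
    if types is not None and "Egress" not in types:
        # Kubernetes semantics (assumption not stated on the page): without
        # "Egress" in policyTypes the egress rules are ignored and egress is unrestricted.
        return ["policy_types lacks Egress: egress is unrestricted"]
    for rule in policy.get("egress", []):
        peers = rule.get("to", [])
        if not peers:
            # Kubernetes semantics: an egress rule with no `to` peers allows all destinations.
            findings.append("egress rule without `to` allows all destinations")
            continue
        for peer in peers:
            blk = peer.get("ip_block")
            if blk and cidr_reaches_public(blk["cidr"], blk.get("except", [])):
                findings.append(f"egress ip_block {blk['cidr']} reaches public address space")
    return findings


# Constructed from the page's bad_example / good_example (only the egress part matters here).
BAD_POLICY = {
    "policy_types": ["Ingress", "Egress"],
    "egress": [{"to": [{"ip_block": {"cidr": "0.0.0.0/0",
                                     "except": ["10.0.0.0/24", "10.0.1.0/24"]}}]}],
}
GOOD_POLICY = {
    "policy_types": ["Ingress", "Egress"],
    "egress": [{"to": [{"ip_block": {"cidr": "10.0.0.0/16",
                                     "except": ["10.0.0.0/24", "10.0.1.0/24"]}}]}],
}

if __name__ == "__main__":
    for name, pol in (("bad_example", BAD_POLICY), ("good_example", GOOD_POLICY)):
        print(name, "->", public_egress_findings(pol) or "no public egress")
```

Note that the `except` list in the insecure example does not help: carving two /24s out of `0.0.0.0/0` still leaves the whole public internet reachable, which is exactly what the subtraction makes visible. Only narrowing `cidr` itself, as the secure example does, clears the finding.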