CNI in use supports network policies

kubernetes

Classification: compliance

Framework: cis-kubernetes

Control: 5.3.1

Description

There are a variety of CNI plugins available for Kubernetes. If the CNI plugin in use does not support network policies, it may not be possible to effectively restrict pod-to-pod traffic in the cluster.

Rationale

Kubernetes network policies are enforced by the CNI plugin in use. It is important to ensure that the CNI plugin supports both ingress and egress network policies.

Remediation

If the CNI plugin in use does not support network policies, consider switching to a plugin that does, or find an alternate mechanism for restricting traffic in the Kubernetes cluster.

Impact

None

Default value

This will depend on the CNI plugin in use.

References

  1. https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/

Notes: One example is Flannel, which does not support network policies unless Calico is also in use.

CIS controls

None

Audit

Review the documentation of the CNI plugin in use by the cluster, and confirm that it supports both ingress and egress network policies.
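Reading the plugin's documentation establishes what it claims; the following added script (not part of the CIS benchmark or of any CNI project) complements that review with an enforcement probe for both directions the Rationale calls out. It assumes kubectl is on PATH and pointed at the cluster under audit, that the cluster can pull the public nginx and busybox images, and that the namespace name is free to be created and deleted. It creates a client and a server pod, confirms they can talk, applies a default-deny policy for Ingress and Egress, and checks that the traffic is now blocked. If the connection still succeeds after the policy is applied, the CNI is not enforcing network policies and the control fails.

```shell
#!/usr/bin/env bash
# Added example: probe whether the cluster's CNI enforces a default-deny
# NetworkPolicy covering ingress and egress (CIS Kubernetes 5.3.1).
# Assumptions: kubectl is configured for the cluster under audit; public nginx
# and busybox images are pullable; NS is a scratch namespace created and removed here.
set -u

NS="${NS:-cis-5-3-1-probe}"      # scratch namespace, removed on exit
TIMEOUT="${TIMEOUT:-120s}"       # how long to wait for the probe pods

# Map the two probe results to an audit outcome (0 = connection succeeded).
# baseline_rc: client->server before any policy; policy_rc: after default-deny.
verdict() {
  local baseline_rc="$1" policy_rc="$2"
  if [ "$baseline_rc" -ne 0 ]; then
    echo INCONCLUSIVE   # pods never talked at all: setup problem, not a finding
  elif [ "$policy_rc" -eq 0 ]; then
    echo FAIL           # traffic still flows despite default-deny: policy not enforced
  else
    echo PASS           # the CNI blocked the traffic as the policy requires
  fi
}

# List kube-system DaemonSets so the finding can be tied to the plugin's own
# documentation (the audit step above); the CNI agent normally runs as one.
detect_cni() {
  kubectl get daemonsets -n kube-system -o jsonpath='{.items[*].metadata.name}' 2>/dev/null
}

# Return 0 if the client pod can fetch the server's HTTP root within 5 seconds.
probe() {
  kubectl exec -n "$NS" client -- wget -q -T 5 -O /dev/null "http://server" >/dev/null 2>&1
}

setup() {
  kubectl create namespace "$NS"
  kubectl run server -n "$NS" --image=nginx --port=80 --labels=app=server
  kubectl expose pod server -n "$NS" --port=80
  kubectl run client -n "$NS" --image=busybox --labels=app=client -- sleep 3600
  kubectl wait -n "$NS" --for=condition=Ready pod/server pod/client --timeout="$TIMEOUT"
}

# Deny all ingress and egress for every pod in the namespace. Both policyTypes
# are listed because the control requires ingress *and* egress support.
apply_default_deny() {
  kubectl apply -n "$NS" -f - <<'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
EOF
}

cleanup() { kubectl delete namespace "$NS" --ignore-not-found --wait=false; }

main() {
  echo "kube-system DaemonSets (CNI candidates): $(detect_cni)"
  trap cleanup EXIT
  setup
  probe; baseline_rc=$?
  apply_default_deny
  sleep 10                         # give the CNI agent time to program the dataplane
  probe; policy_rc=$?
  result=$(verdict "$baseline_rc" "$policy_rc")
  echo "CIS 5.3.1 probe: $result (baseline rc=$baseline_rc, after default-deny rc=$policy_rc)"
  [ "$result" = PASS ]
}

# Only touch the cluster when invoked explicitly:  ./probe.sh run
if [ "${1:-}" = run ]; then
  main
fi
```

Run it as `./probe.sh run` with a kubeconfig for the cluster under audit; the exit status is zero only on PASS. An INCONCLUSIVE result means the pods could not reach each other even before the policy was applied, so the cluster's networking, not policy enforcement, needs attention first.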