
Unrestricted access between network segments

Need

Restrict access between Kubernetes network segments using NetworkPolicy

Context

• Usage of Helm for Kubernetes resource deployment

• Lack of network segmentation enforcement via Kubernetes NetworkPolicy

Description

1. Non-compliant code

# templates/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Release.Name }}-app
spec:
  selector:
    matchLabels:
      app: {{ .Release.Name }}-app...

This Helm chart defines a Deployment (and its Service) without any NetworkPolicy. Because Kubernetes allows all pod-to-pod traffic when no NetworkPolicy selects a pod, any pod in the cluster can reach the application pods. This permits lateral movement and violates network segmentation principles.

2. Steps

• Define a `NetworkPolicy` in the Helm chart

• Use `podSelector` and label-based ingress rules

• Limit incoming traffic to trusted pods only

3. Secure code example

# templates/networkpolicy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Release.Name }}-np
spec:
  podSelector:
    matchLabels:
      app: {{ .Release.Name }}-app...

This example adds a minimal NetworkPolicy that selects the application pods and restricts their ingress traffic to pods carrying the label `access: allowed`, enforcing network segmentation. The policy is only enforced when the cluster's CNI plugin supports NetworkPolicy; on a CNI without support, the object is accepted by the API server but has no effect.
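The following is an added, complete rendering of the three steps above as a Helm template; it is an example written for this entry, not the chart's own code. It assumes the Deployment's pod template carries the label `app: {{ .Release.Name }}-app` (as the `matchLabels` in the Deployment above implies) and that the application port is supplied through a `service.targetPort` value, defaulting to 8080; both the value name and the default are assumptions.

```yaml
# templates/networkpolicy.yaml (added example; assumes the labels and values named above)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Release.Name }}-np
  namespace: {{ .Release.Namespace }}
spec:
  # Step 1/2: select the application pods this policy protects.
  podSelector:
    matchLabels:
      app: {{ .Release.Name }}-app
  # Declaring only Ingress leaves egress unrestricted. Once a pod is selected
  # by an Ingress policy, inbound traffic that matches none of the rules below
  # is dropped, so this single object also acts as the deny for everything else.
  policyTypes:
    - Ingress
  ingress:
    # Step 3: only trusted pods (label access: allowed) in the same namespace
    # may connect, and only on the application port.
    - from:
        - podSelector:
            matchLabels:
              access: allowed
      ports:
        - protocol: TCP
          port: {{ .Values.service.targetPort | default 8080 }}
```

To check the rendered object before installing, run `helm template <release-name> . | kubectl apply --dry-run=server -f -`, which validates the manifest against the API server without creating it. After installation, `kubectl describe networkpolicy <release-name>-np` shows the effective selectors and rules; a pod without the `access: allowed` label should then fail to connect to the application port, while a labelled pod succeeds.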