A network policy should not allow unrestricted egress to any IP address.
You should not expose infrastructure to the public internet except where explicitly required
Impact
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Remove public access except where explicitly required
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
|
resource "kubernetes_network_policy" "good_example" {
metadata {
name = "terraform-example-network-policy"
namespace = "default"
}
spec {
pod_selector {
match_expressions {
key = "name"
operator = "In"
values = ["webfront", "api"]
}
}
egress {
ports {
port = "http"
protocol = "TCP"
}
ports {
port = "8125"
protocol = "UDP"
}
to {
ip_block {
cidr = "10.0.0.0/16"
except = [
"10.0.0.0/24",
"10.0.1.0/24",
]
}
}
}
ingress {
ports {
port = "http"
protocol = "TCP"
}
ports {
port = "8125"
protocol = "UDP"
}
from {
ip_block {
cidr = "10.0.0.0/16"
except = [
"10.0.0.0/24",
"10.0.1.0/24",
]
}
}
}
policy_types = ["Ingress", "Egress"]
}
}
|