Public egress should not be allowed via network policies
You should not expose infrastructure to the public internet except where explicitly required
Impact
Exfiltration of data to the public internet
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
Remove public access except where explicitly required
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
|
resource "kubernetes_network_policy" "good_example" {
metadata {
name = "terraform-example-network-policy"
namespace = "default"
}
spec {
pod_selector {
match_expressions {
key = "name"
operator = "In"
values = ["webfront", "api"]
}
}
egress {
ports {
port = "http"
protocol = "TCP"
}
ports {
port = "8125"
protocol = "UDP"
}
to {
ip_block {
cidr = "10.0.0.0/16"
except = [
"10.0.0.0/24",
"10.0.1.0/24",
]
}
}
}
ingress {
ports {
port = "http"
protocol = "TCP"
}
ports {
port = "8125"
protocol = "UDP"
}
from {
ip_block {
cidr = "10.0.0.0/16"
except = [
"10.0.0.0/24",
"10.0.1.0/24",
]
}
}
}
policy_types = ["Ingress", "Egress"]
}
}
|