Network Policy Should Be Enabled

More Info:

Ensures all Kubernetes clusters have network policy enabled. Kubernetes network policy creates isolation between cluster pods, this creates a more secure environment with only specified connections allowed.

Risk Level

Medium

Address

Security

Compliance Standards

NISTCSF

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the “Network Policy Should Be Enabled” misconfiguration in GCP using GCP CLI, follow the below steps:

Open the GCP Cloud Shell from the GCP console.
Run the following command to enable the Network Policy for the default network in your GCP project:
```
gcloud compute networks update default --update-policy=ENABLE_NETWORK_POLICY
```
This command will update the default network with the Network Policy enabled.

Once the Network Policy is enabled, you can create and apply the necessary firewall rules to control traffic between your VM instances. You can also create a custom network with the Network Policy enabled and use it for your VM instances.

Using Python

To remediate the misconfiguration “Network Policy Should Be Enabled” in GCP using Python, you can follow the below steps:

Import the required libraries:

from googleapiclient import discovery
from oauth2client.client import GoogleCredentials

Set the project ID and the zone where the cluster is located:

project_id = 'your-project-id'
zone = 'us-central1-a'

Get the credentials to access the GCP API:

credentials = GoogleCredentials.get_application_default()

Create a client object for the Kubernetes API:

container_api = discovery.build('container', 'v1', credentials=credentials)

Get the list of clusters in the project:

clusters = container_api.projects().zones().clusters().list(projectId=project_id, zone=zone).execute()

Loop through the clusters and enable network policy:

for cluster in clusters['clusters']:
    # Get the cluster name
    cluster_name = cluster['name']
    
    # Get the current cluster configuration
    cluster_config = container_api.projects().zones().clusters().get(projectId=project_id, zone=zone, clusterId=cluster_name).execute()
    
    # Check if network policy is already enabled
    if cluster_config['networkPolicy']['enabled']:
        print(f"Network policy is already enabled for cluster {cluster_name}")
    else:
        # Enable network policy
        cluster_config['networkPolicy']['enabled'] = True
        
        # Update the cluster configuration
        update_op = container_api.projects().zones().clusters().update(projectId=project_id, zone=zone, clusterId=cluster_name, body=cluster_config).execute()
        
        print(f"Network policy is enabled for cluster {cluster_name}")

This code will loop through all the clusters in the specified project and zone, and enable network policy for each cluster that does not already have it enabled.

Additional Reading:

https://cloud.google.com/kubernetes-engine/docs/how-to/network-policy

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

Network Policy Should Be Enabled

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: