
AKS cluster network policies are not enforced

Description

AKS offers two ways to implement a network policy: Azure Network Policies or Calico Network Policies. In both cases the underlying enforcement layer is Linux iptables. Policies are translated into sets of allowed and disallowed IP pairs, and these pairs are then programmed as iptables rules.

The principle of least privilege should be applied to how traffic can flow between pods in an AKS cluster. We recommend you select a preferred network policy framework and enforce granular, usage-based policies that follow the architecture and business logic of your applications.

Fix - Buildtime

Terraform

Resource: azurerm_kubernetes_cluster
Argument: network_plugin

```hcl
# azurerm_kubernetes_cluster.pike.tf
resource "azurerm_kubernetes_cluster" "pike" {
  ...
  network_profile {
    network_plugin = "azure"
    # Choosing a policy engine is what turns enforcement on;
    # "calico" is the other supported value.
    network_policy = "azure"
  }
  ...
}
```
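To show how the condition described above can be checked mechanically, here is an added, stand-alone Python check; it is not Checkov's or Prisma Cloud's own check code. It assumes (as a simplification) that the Terraform resource has already been parsed into a dict in which every attribute value is wrapped in a list, and it treats only the two engines named on this page, `azure` and `calico`, as enforcing network policy. The sample resources are constructed for the example, including a cluster that sets only `network_plugin` and therefore still fails.

```python
"""Check whether an azurerm_kubernetes_cluster enables a network policy engine.

Added example, not Checkov's or Prisma Cloud's own check. Assumes the parsed
resource arrives as a dict whose attribute values are wrapped in lists.
"""

# Engines the page names as enforcing pod-to-pod policy on AKS.
ALLOWED_POLICY_ENGINES = {"azure", "calico"}


def _first(value):
    """Unwrap the single-element list wrapper around an attribute, if present."""
    if isinstance(value, list):
        return value[0] if value else None
    return value


def network_policy_enforced(resource_conf: dict) -> bool:
    """Return True when network_profile.network_policy names a supported engine.

    A missing network_profile block, a missing network_policy attribute, or an
    unrecognised value all count as "not enforced". Setting network_plugin
    alone does not satisfy the check.
    """
    profile = _first(resource_conf.get("network_profile"))
    if not isinstance(profile, dict):
        return False
    policy = _first(profile.get("network_policy"))
    if not isinstance(policy, str):
        return False
    return policy.lower() in ALLOWED_POLICY_ENGINES


def evaluate(resources: dict) -> dict:
    """Map each cluster resource name to "PASSED" or "FAILED"."""
    return {
        name: ("PASSED" if network_policy_enforced(conf) else "FAILED")
        for name, conf in resources.items()
    }


# Constructed sample resources (hypothetical names, not from any real config).
SAMPLE_CLUSTERS = {
    # Only the CNI plugin is set: no policy engine, so traffic is unrestricted.
    "plugin_only": {"network_profile": [{"network_plugin": ["azure"]}]},
    # Azure Network Policy requires the Azure CNI plugin.
    "azure_policy": {
        "network_profile": [{"network_plugin": ["azure"], "network_policy": ["azure"]}]
    },
    # Calico works with kubenet as well.
    "calico_policy": {
        "network_profile": [{"network_plugin": ["kubenet"], "network_policy": ["calico"]}]
    },
    # No network_profile block at all.
    "no_profile": {"name": ["pike"]},
}


if __name__ == "__main__":
    for cluster, verdict in evaluate(SAMPLE_CLUSTERS).items():
        print(f"{cluster}: {verdict}")
```

The check deliberately reports a failure for the `plugin_only` cluster: `network_plugin` selects the CNI, while `network_policy` is the attribute that actually turns enforcement on, which is why the fix above sets both.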