# azure-aks-networkpolicy

Ensure the AKS cluster has a network policy configured in order to restrict traffic flows. By default, communication between pods in a cluster is unrestricted, which may allow an attacker access to internal APIs or services that might otherwise have been considered secure.

To improve security, a network policy should be configured with rules that define access policies for communication between pods, which both documents inter-pod communication flows and ensures that pods are only ever reachable by the services that require them.
## Examples

### Insecure Example

```hcl
resource "azurerm_kubernetes_cluster" "example" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }
}
```
### Secure Example

```hcl
resource "azurerm_kubernetes_cluster" "example" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }

  network_profile {
    network_plugin    = "azure"
    load_balancer_sku = "standard"
    network_policy    = "calico" # calico or azure
  }
}
```
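Setting `network_policy` in `network_profile` only installs the policy engine on the cluster; traffic between pods stays unrestricted until `NetworkPolicy` objects are actually created. The following is an added example, not part of the original rule page or the tfsec/Terraform provider documentation, showing how to pair the secure cluster above with a default-deny ingress policy and one explicit allow rule, managed through the `hashicorp/kubernetes` provider. The namespace `payments` and the labels `app=payments-api` / `app=checkout` are hypothetical values chosen for illustration.

```hcl
# Added example (not from the original page). Assumes the azurerm_kubernetes_cluster
# resource "example" from the secure example above and a hypothetical "payments"
# namespace; the provider is pointed at the new cluster via its admin kubeconfig.
provider "kubernetes" {
  host                   = azurerm_kubernetes_cluster.example.kube_config[0].host
  client_certificate     = base64decode(azurerm_kubernetes_cluster.example.kube_config[0].client_certificate)
  client_key             = base64decode(azurerm_kubernetes_cluster.example.kube_config[0].client_key)
  cluster_ca_certificate = base64decode(azurerm_kubernetes_cluster.example.kube_config[0].cluster_ca_certificate)
}

# 1. Default-deny: the empty pod_selector matches every pod in the namespace, and
#    declaring policy_types = ["Ingress"] with no ingress blocks means no inbound
#    traffic to those pods is allowed by this policy.
resource "kubernetes_network_policy" "default_deny_ingress" {
  metadata {
    name      = "default-deny-ingress"
    namespace = "payments" # hypothetical namespace
  }

  spec {
    pod_selector {}
    policy_types = ["Ingress"]
  }
}

# 2. Explicit allow: only pods labelled app=checkout in the same namespace may
#    reach pods labelled app=payments-api, and only on TCP/8443. NetworkPolicies
#    are additive, so this opens exactly one path through the default deny above.
resource "kubernetes_network_policy" "allow_checkout_to_payments_api" {
  metadata {
    name      = "allow-checkout-to-payments-api"
    namespace = "payments" # hypothetical namespace
  }

  spec {
    pod_selector {
      match_labels = {
        app = "payments-api" # hypothetical label
      }
    }

    ingress {
      from {
        pod_selector {
          match_labels = {
            app = "checkout" # hypothetical label
          }
        }
      }

      ports {
        port     = "8443"
        protocol = "TCP"
      }
    }

    policy_types = ["Ingress"]
  }
}
```

To confirm the engine is enabled on an existing cluster, `az aks show -g <resource-group> -n <cluster-name> --query networkProfile.networkPolicy -o tsv` should print `calico` or `azure` rather than an empty value, and `kubectl get networkpolicy -n payments` should list both policies once applied. Repeat the default-deny policy in every namespace that carries workloads, since a `NetworkPolicy` is namespace-scoped and does not protect pods elsewhere.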