漏洞描述
Checks for network policies in Kubernetes that do not define egress rules, which can leave the network exposed to external threats.
k8s-netpol-egress-rules: Network policies define egress rules
PoC代码[已公开]
id: k8s-netpol-egress-rules
info:
name: Network policies define egress rules
author: princechaddha
severity: medium
description: Checks for network policies in Kubernetes that do not define egress rules, which can leave the network exposed to external threats.
impact: |
Lack of egress rules in network policies can result in unrestricted outbound network traffic, which may allow data exfiltration or unauthorized access to external services.
remediation: Define egress rules in all network policies to control outbound traffic from your Kubernetes pods, thereby reducing security risks.
reference:
- https://kubernetes.io/docs/concepts/services-networking/network-policies/
tags: cloud,devops,kubernetes,devsecops,k8s,k8s-cluster-security
flow: |
code(1);
for (let policy of template.items) {
set("policy", policy)
javascript(1);
}
self-contained: true
code:
- engine:
- sh
- bash
source: kubectl get networkpolicies --all-namespaces --output=json
extractors:
- type: json
name: items
internal: true
json:
- '.items[] | {policy: .metadata.name, egress: .spec.egress}'
javascript:
- code: |
let policyData = JSON.parse(template.policy);
if (!policyData.egress || policyData.egress.length === 0) {
let result = (`Network policy '${policyData.policy}' does not define egress rules.`);
Export(result);
}
extractors:
- type: dsl
dsl:
- response
# digest: 4b0a00483046022100f5b66ad83993ac53d96b185fe084956da4f39a3e8eaa67a860d924d34deb96a1022100f5aa41c75f483a4f13165022510835005277bbe223f96774b2740be52a106cc8:922c64590222798bb761d5b6d8e72950