漏洞描述
Checks if Kubernetes network policies define specific ingress rules, which can help secure network communication within the cluster.
k8s-network-ingress-rules: Define network ingress rules
PoC代码[已公开]
id: k8s-network-ingress-rules
info:
name: Define network ingress rules
author: princechaddha
severity: medium
description: Checks if Kubernetes network policies define specific ingress rules, which can help secure network communication within the cluster.
impact: |
Without specific ingress rules defined in network policies, unintended traffic may access pods within the Kubernetes cluster, increasing the risk of malicious activity.
remediation: |
Define specific ingress rules in all network policies to control the flow of inbound traffic to pods, ensuring only authorized traffic can access cluster resources.
reference:
- https://kubernetes.io/docs/concepts/services-networking/network-policies/
tags: cloud,devops,kubernetes,security,k8s,k8s-cluster-security
flow: |
code(1);
for (let policy of template.items) {
set("policy", policy)
javascript(1);
}
self-contained: true
code:
- engine:
- sh
- bash
source: kubectl get networkpolicies --all-namespaces --output=json
extractors:
- type: json
name: items
internal: true
json:
- '.items[] | {policy: .metadata.name, ingress: .spec.ingress}'
javascript:
- code: |
let policyData = JSON.parse(template.policy);
if (!policyData.ingress || policyData.ingress.length === 0) {
let result = `Network policy '${policyData.policy}' does not define any ingress rules.`;
Export(result);
}
extractors:
- type: dsl
dsl:
- response
# digest: 4a0a004730450220265aa21f7ef7f2b8fe96be393340482e13148421e00ace791bb7574b97afb1ea022100a477f1ddef5daa295b6dc550c30999aad3d96184cf9692a15eb78e9acf8a4984:922c64590222798bb761d5b6d8e72950