CME-206

Network Policy (Kubernetes)

Description

Kubernetes NetworkPolicy resources restrict pod-to-pod and pod-to-external communication at the network layer (L3/L4: peers selected by labels, namespaces or CIDRs, plus ports). The pattern is a default-deny policy for both ingress and egress in every namespace, followed by explicit allowlist policies for the flows each workload actually needs. Policies are additive: once any policy selects a pod in a direction, that pod is isolated in that direction and only the peers listed across all selecting policies are allowed.

CVSS Vector Impacts

Metric               Transition   Rationale
Attack Vector (AV)   N → A        The pod is reachable only from explicitly allowed sources, not from any network peer
Scope (S)            C → U        A compromised pod cannot pivot to arbitrary cluster services

CWE Relationships

Verification

Check that a default-deny NetworkPolicy exists in the namespace and that its spec actually isolates all pods in both directions; a policy merely named default-deny proves nothing about what it allows.

$ kubectl get networkpolicy -n <namespace> -o name | head -5
# Expected: networkpolicy.networking.k8s.io/default-deny
$ kubectl describe networkpolicy default-deny -n <namespace>
# Expected (abridged): an empty PodSelector ("<none> (Allowing the specific traffic to all pods in this namespace)"),
# no ingress or egress rules ("Selected pods are isolated for ingress connectivity" / "... for egress connectivity"),
# and "Policy Types: Ingress, Egress"

Caveat: the API server accepts NetworkPolicy objects whether or not the cluster's CNI plugin enforces them, so this listing proves intent, not enforcement. Confirm that the installed network plugin implements NetworkPolicy (or that a separate policy controller is running), and test a denied flow from a pod to be sure.
Platform: kubernetes