CNI supports NetworkPolicy
Description
K8s CNI plugin must support NetworkPolicy (Calico, Cilium, Weave Net, AWS VPC CNI 1.14+, GKE Dataplane V2).
⚠️ Risk Impact
Without NetworkPolicy support, you cannot enforce pod-to-pod network restrictions. A flat pod network makes lateral movement trivial: any compromised pod can reach every other pod.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Verify which CNI the cluster runs. For EKS: run VPC CNI 1.14+ and enable its Network Policy support. For GKE: enable Dataplane V2. For self-managed clusters: use Calico or Cilium.
💀 Real-World Attack Scenario
An EKS cluster used default VPC CNI without NetworkPolicy support. Compromised application pod had unrestricted access to every other pod including the production database. NetworkPolicy would have prevented this lateral path.
💰 Cost of Non-Compliance
Breaches in flat pod networks average 3-4× the scope of breaches in segmented networks (Aqua 2024).
📋 Audit Questions
1. Which CNI is in use?
2. Does it support NetworkPolicy?
3. Which VPC CNI version is deployed (EKS)?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Default CNI without NetworkPolicy support
- ⛔ VPC CNI 1.13 or earlier on EKS
- ⛔ NetworkPolicy objects applied, but the CNI silently ignores them (the API accepts the policy either way, so nothing fails loudly)
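The remediation and the pitfalls above both come down to two checks: which CNI is actually running, and whether it really enforces policy. The script below is an added example, not EchelonGraph's scanner or any vendor's tooling. It identifies the CNI from the kube-system DaemonSet names (calico-node, cilium, weave-net, anetd for GKE Dataplane V2, aws-node for the VPC CNI), compares the VPC CNI image tag against the 1.14 threshold, and then probes enforcement the way the third pitfall demands: apply a default-deny ingress policy in a scratch namespace and confirm that traffic is actually blocked. The nginx and curlimages/curl images, the probe namespace name and the ENABLE_NETWORK_POLICY hint are assumptions for this example; run it with a kubeconfig that can create and delete namespaces.

```shell
#!/usr/bin/env bash
# Added example (not part of the original page): CNI / NetworkPolicy posture check.

# Return 0 if a VPC CNI image tag (or full image ref) is 1.14 or newer,
# the first line the page gives for NetworkPolicy support on EKS.
vpc_cni_supports_netpol() {
  local tag="$1" ver major minor
  ver="${tag##*:}"        # registry/amazon-k8s-cni:v1.15.0-eksbuild.2 -> v1.15.0-eksbuild.2
  ver="${ver#v}"          # v1.15.0-eksbuild.2 -> 1.15.0-eksbuild.2
  ver="${ver%%-*}"        # drop the -eksbuild suffix
  major="${ver%%.*}"
  minor="${ver#*.}"
  minor="${minor%%.*}"
  if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 14 ]; }; then
    return 0
  fi
  return 1
}

# Map the output of `kubectl -n kube-system get daemonsets -o name` to a CNI.
# Policy engines (Calico, Cilium) are listed first so that Calico installed
# on top of the VPC CNI is reported as the enforcer.
cni_from_daemonsets() {
  case "$1" in
    *calico-node*) echo calico ;;
    *cilium*)      echo cilium ;;
    *weave-net*)   echo weave ;;
    *anetd*)       echo gke-dataplane-v2 ;;
    *aws-node*)    echo aws-vpc-cni ;;
    *)             echo unknown ;;
  esac
}

# Live check for the third pitfall: a NetworkPolicy the API accepts but the
# CNI never enforces. Creates a scratch namespace, a target pod, a default-deny
# ingress policy, and a probe pod that must NOT be able to reach the target.
enforcement_test() {
  local ns="netpol-probe-$RANDOM" ip rc=0   # namespace name is an assumption
  kubectl create namespace "$ns" >/dev/null
  kubectl -n "$ns" run target --image=nginx --restart=Never >/dev/null
  kubectl -n "$ns" wait --for=condition=Ready pod/target --timeout=120s >/dev/null
  kubectl -n "$ns" apply -f - >/dev/null <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
EOF
  ip=$(kubectl -n "$ns" get pod target -o jsonpath='{.status.podIP}')
  # kubectl run -i --rm returns the container's exit code; curl fails when blocked.
  if kubectl -n "$ns" run probe --rm -i --restart=Never --image=curlimages/curl -- \
       -sS -m 5 "http://$ip/" >/dev/null 2>&1; then
    echo "FAIL: default-deny applied but traffic still flows; CNI does not enforce NetworkPolicy"
    rc=1
  else
    echo "OK: default-deny ingress is enforced"
  fi
  kubectl delete namespace "$ns" --wait=false >/dev/null
  return $rc
}

# Audit questions 1-3 against a live cluster (needs kubectl).
audit() {
  local ds cni img
  ds=$(kubectl -n kube-system get daemonsets -o name)
  cni=$(cni_from_daemonsets "$ds")
  echo "CNI detected: $cni"
  if [ "$cni" = aws-vpc-cni ]; then
    img=$(kubectl -n kube-system get ds aws-node \
          -o jsonpath='{.spec.template.spec.containers[?(@.name=="aws-node")].image}')
    if vpc_cni_supports_netpol "$img"; then
      echo "VPC CNI $img is 1.14+; confirm Network Policy is switched on (ENABLE_NETWORK_POLICY on aws-node, an assumption)"
    else
      echo "VPC CNI $img predates 1.14: NetworkPolicy objects will not be enforced"
    fi
  fi
  enforcement_test
}

# Run the audit only when executed directly, so the functions can be sourced.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
  audit
fi
```

The version parser and the DaemonSet mapping are pure string work and can be run without a cluster; `audit` and `enforcement_test` need kubectl. The enforcement probe is the part that catches the silent-failure pitfall: a green NetworkPolicy object in `kubectl get netpol` proves nothing until a blocked connection actually fails.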
📈 Business Value
NetworkPolicy support is the foundation of Kubernetes network segmentation; every other pod-level network control depends on it.
⏱️ Effort Estimate
- CNI migration, if the current CNI cannot enforce NetworkPolicy
- EchelonGraph identifies CNI and NetworkPolicy posture
🔗 Cross-Framework References
Automate CIS Kubernetes 5.3.1 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.