Profile applicability: Level 1 - Cluster / Control Plane
Ensure that Network Policy is enabled and set appropriately when creating an Amazon EKS cluster, as the network policy option selected at creation cannot be changed later.

Amazon EKS supports Calico Network Policies, an open-source solution that uses Linux IPTables to enforce network security policies. These policies are translated into rules that allow or disallow traffic between IP pairs, effectively acting as a pod-level firewall that restricts traffic between sources within a cluster. By default, pod-to-pod traffic is unrestricted within a cluster unless a Network Policy that uses labels to select specific pods is implemented. Once a policy is applied to a pod, it will block any connections not explicitly allowed by the policy, while pods not selected by any Network Policy will continue to accept all traffic.

Network Policies are managed via the Kubernetes Network Policy API and must be enforced by a compatible network plugin; without this, creating the resource alone will have no effect.

Enabling Network Policy requires the Network Policy add-on, which is automatically included when a new cluster is set up with Network Policy but must be added manually to existing clusters. The process of enabling or disabling Network Policy triggers a rolling update of all cluster nodes, a long operation that blocks other cluster operations until complete. Additionally, enforcing Network Policy consumes extra node resources, increasing the memory footprint of the kube-system process by approximately 128MB and requiring about 300 millicores of CPU.
Impact
Network Policy requires the Network Policy add-on. This add-on is included automatically
when a cluster with Network Policy is created, but for an existing cluster, it needs
to be added before enabling Network Policy.
Enabling or disabling Network Policy causes a rolling update of all cluster nodes,
similar to performing a cluster upgrade. This operation is long-running and will block
other operations on the cluster (including delete) until it has completed.
Enabling Network Policy enforcement consumes additional resources in nodes, increasing
the memory footprint of the kube-system process by approximately 128MB, and requiring
around 300 millicores of CPU.
Audit
Check that the following value is not null and is set to the appropriate security group ID:
export CLUSTER_NAME=<your cluster name>
aws eks describe-cluster --name ${CLUSTER_NAME} --query "cluster.resourcesVpcConfig.clusterSecurityGroupId"
Remediation
Utilize Calico or another network policy engine to segment and isolate your traffic.
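The following manifests are an added example, not part of this benchmark, illustrating the label-based selection and default-deny behaviour described above and one way to segment traffic as this remediation recommends. The namespace "payments" and the labels app=web and app=api are assumed for illustration; the policies are only enforced if a compatible network plugin such as Calico is running in the cluster.

```yaml
# Constructed example: a default-deny ingress policy for every pod in the
# "payments" namespace, followed by a narrow allow rule. Names and labels
# are assumed for illustration.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: payments
spec:
  podSelector: {}        # empty selector: this policy selects every pod in the namespace
  policyTypes:
  - Ingress              # no ingress rules are listed, so all inbound traffic is denied
---
# Pods labelled app=api are now selected by a policy and only accept what is
# explicitly allowed: TCP/8080 from pods labelled app=web in the same namespace.
# Pods in the namespace without an allow rule of their own stay fully isolated.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-to-api
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: web
    ports:
    - protocol: TCP
      port: 8080
```

Apply with kubectl apply -f and confirm enforcement by testing a connection from a pod that is not labelled app=web; if it still succeeds, the API accepted the resource but no plugin is enforcing it.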