Network segmentation
Info
ID: MS-M9014
MITRE mitigation: M1030
Restrict inbound and outbound network traffic of the pods in the cluster. This covers intra-cluster (pod-to-pod) communication as well as ingress/egress traffic to and from the cluster. Network Policies are the native Kubernetes mechanism for enforcing such restrictions; note that they are only enforced when the cluster's CNI plugin supports them.
Techniques Addressed by Mitigation
ID | Name | Use |
---|---|---|
MS-TA9009 | Application exploit (RCE) | Limit network access to containers |
MS-TA9010 | SSH server running inside container | Limit network access to containers |
MS-TA9024 | Connect from proxy server | Limit network access from known proxy networks. |
MS-TA9030 | Access Kubelet API | Restrict access of pods to the Kubelet API using Network Policy, blocking pod traffic to the ports 10250 and 10255. |
MS-TA9031 | Network segmentation | Restrict network traffic between pods using network policies |
MS-TA9005 | Exposed sensitive interfaces | Restrict network access to the sensitive interfaces. |
MS-TA9034 | Cluster internal networking | Provision pod network policies to restrict the traffic between pods |