Network segmentation

Info

ID: MS-M9014
MITRE mitigation: M1030

Restrict the inbound and outbound network traffic of the pods in the cluster. This covers intra-cluster (pod-to-pod) communication as well as ingress/egress traffic to/from the cluster. Network Policies are the native Kubernetes mechanism for restricting network traffic in the cluster.

Techniques Addressed by Mitigation

| ID | Name | Use |
|---|---|---|
| MS-TA9009 | Application exploit (RCE) | Limit network access to containers. |
| MS-TA9010 | SSH server running inside container | Limit network access to containers. |
| MS-TA9024 | Connect from proxy server | Limit network access from known proxy networks. |
| MS-TA9030 | Access Kubelet API | Restrict access of pods to the Kubelet API using a Network Policy, blocking pod traffic to ports 10250 and 10255. |
| MS-TA9031 | Network segmentation | Restrict the network between pods using Network Policies. |
| MS-TA9005 | Exposed sensitive interfaces | Restrict network access to the sensitive interfaces. |
| MS-TA9034 | Cluster internal networking | Provision pod Network Policies to restrict the traffic between pods. |
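As an added example (not from this page or the Microsoft threat matrix), the following Network Policies implement the mitigation above for a hypothetical namespace named `app`: a default-deny policy for all ingress and egress, plus an allow-list that permits only DNS lookups and traffic to pods in the same namespace. Because a Network Policy is an allow-list, pod traffic to the Kubelet ports 10250 and 10255 (which listen on node addresses, not pod addresses) is blocked without naming them. The CoreDNS labels and the `app` namespace are assumptions.

```yaml
# Added example, not the page's own content. Assumes a namespace "app" and a
# CoreDNS deployment in kube-system carrying the usual "k8s-app: kube-dns" label.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: app
spec:
  podSelector: {}          # empty selector: applies to every pod in the namespace
  policyTypes:
  - Ingress
  - Egress                 # listed with no rules: all ingress and egress denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-and-namespace-peers
  namespace: app
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  # Allow name resolution via CoreDNS in kube-system only (both UDP and TCP 53).
  # namespaceSelector and podSelector in the same item are ANDed together.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # Allow traffic to other pods in the same namespace. No rule targets node
  # addresses, so TCP 10250/10255 on the Kubelet stays unreachable from pods.
  - to:
    - podSelector: {}
```

Enforcement depends on a CNI plugin that implements NetworkPolicy; on a cluster without one the objects are accepted by the API server but have no effect, so verify with a test pod (for example, a connection attempt to the node IP on port 10250 should time out).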