🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Lack of Network Restriction

Containers in a pod do not have egress or ingress network restrictions. A compromised container could be exploited for activities such as unauthorised data exfiltration, establishing a reverse shell to maintain access to the cluster, or launching attacks against containers in different namespaces. Kubernetes namespaces, in particular, do not inherently restrict network access. This can allow lateral movement within a cluster.

Remediation

Apply network policy. The following examples restricts all egress traffic from "appspace" namespace.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: appspace
spec:
  podSelector: {}
  policyTypes:
  - Egress

---
apiVersion: v1
kind: Namespace
metadata:
  name: appspace

Metadata

  • Severity: low
  • Slug: lack-of-network-restriction

CWEs

  • 284: Improper Access Control

OWASP

  • A01:2021: Broken Access Control

Available Labs

Open Kubernetes labs in SecDim Play for this vulnerability.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing — fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.