End of Life Notice: For Trend Cloud One™ - Conformity customers, Conformity will reach its End of Sale on July 31st, 2025 and its End of Life on July 31st, 2026. The same capabilities and much more are available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™.

Enable Support for Network Policy

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that network policy support is enabled for your OCI Kubernetes Engine (OKE) clusters so that you can implement policy-based access control to segment and isolate pod traffic. The OCI VCN-Native Pod Networking CNI is the recommended CNI for OCI Kubernetes Engine (OKE) and is fully integrated with network policy enforcement via Calico. The Flannel Overlay CNI does not natively support network policies, and the CNI type of a cluster cannot be changed after the cluster has been created.

Security

A network policy is a Kubernetes resource (NetworkPolicy) that controls which pods and services are allowed to exchange traffic within an OKE cluster. Network policies are useful for enforcing security requirements, isolating applications, and debugging network connectivity issues. By default, pods are not isolated: they accept traffic from any source and can send traffic to any destination. A pod becomes isolated as soon as a network policy in its namespace selects it; from then on it rejects every connection that is not explicitly allowed by the policies that apply to it (policies are additive, so a connection is allowed if any applicable policy allows it). Network policies implement Zero Trust micro-segmentation between pods. Note that the Kubernetes API server accepts NetworkPolicy objects on any cluster, but they are only enforced when the cluster's CNI supports them and a policy engine is running; a cluster without a policy engine stores the objects without enforcing them. In OCI Kubernetes Engine (OKE), the VCN-Native Pod Networking CNI is the only officially supported CNI that allows this least-privilege security model to be implemented with a policy engine such as Calico.


Audit

To determine if network policy support is enabled for your OCI Kubernetes Engine (OKE) clusters, perform the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Kubernetes Clusters (OKE) console available at https://cloud.oracle.com/containers/clusters.

  3. For Applied filters, choose an OCI compartment from the Compartment dropdown menu, to list the OCI Kubernetes Engine (OKE) clusters provisioned in the selected compartment.

  4. Click on the name (link) of the OCI Kubernetes Engine (OKE) cluster that you want to examine, listed in the Name column.

  5. Select the Cluster details tab and check the Network type attribute value, listed in the Network information section. If Network type is set to FLANNEL_OVERLAY, the cluster uses the Flannel Overlay CNI instead of VCN-Native Pod Networking CNI and network policy support is not enabled for the selected OCI Kubernetes Engine (OKE) cluster.

  6. Repeat steps no. 4 and 5 for each OKE cluster provisioned within the selected OCI compartment.

  7. Repeat steps no. 3 – 6 for each OCI compartment available in your Oracle Cloud Infrastructure (OCI) account.

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list
    	--all
    	--include-root
    	--query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run ce cluster list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each OCI Kubernetes Engine (OKE) cluster available in the selected OCI compartment:

    oci ce cluster list
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
    	--all
    	--query 'data[]."id"'
    
  4. The command output should return the requested OKE cluster IDs:

    [
    	"ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.cluster.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  5. Run ce cluster get command (Windows/macOS/Linux) with the ID of the OKE cluster that you want to examine as the identifier parameter, to determine if network policy support is enabled for the selected OKE cluster:

    oci ce cluster get
    	--cluster-id 'ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
    	--query 'data."cluster-pod-network-options"'
    
  6. The command output should return the Container Network Interface (CNI) type:

    [
    	{
    		"cni-type": "FLANNEL_OVERLAY"
    	}
    ]
    

    Check the ce cluster get command output to determine the Container Network Interface (CNI) type configured for the selected cluster. If "cni-type" is set to "FLANNEL_OVERLAY", as shown in the example above, the cluster uses the Flannel Overlay CNI instead of the VCN-Native Pod Networking CNI and network policy support is not enabled for the selected OCI Kubernetes Engine (OKE) cluster. A value of "OCI_VCN_IP_NATIVE" means the cluster uses the VCN-Native Pod Networking CNI. Keep in mind that "cni-type" only tells you whether the cluster can enforce network policies; the policy engine (Calico) is installed separately, so a cluster can pass this check and still enforce no policies until Calico is deployed and NetworkPolicy objects are applied.
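    The console and CLI steps above check one cluster at a time. The following script is an added example (it is not part of this Conformity page and is not Oracle's or Trend Micro's code) that automates the whole sweep: every compartment including the root, every ACTIVE cluster in it, and the CNI type of each. It assumes the OCI CLI is installed and configured with a principal allowed to list compartments and clusters; the JSON samples at the bottom are constructed to mirror the ce cluster get output shown above so that the parsing can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example, not from the Conformity page or Oracle: report every OKE
# cluster whose CNI cannot enforce network policies. Pass --live to query OCI;
# without it the script only classifies the constructed samples below.
set -eu

# Pull "cni-type" out of the JSON printed by
#   oci ce cluster get --query 'data."cluster-pod-network-options"'
# without depending on jq. Prints UNKNOWN when the field is missing.
cni_type_from_json() {
  local cni
  cni=$(printf '%s' "$1" | grep -o '"cni-type": *"[A-Z_]*"' | head -n 1 \
        | sed -E 's/.*"([A-Z_]+)"$/\1/') || true
  if [ -n "$cni" ]; then echo "$cni"; else echo "UNKNOWN"; fi
}

# Map the CNI type onto the verdict of this check: only VCN-Native Pod
# Networking (OCI_VCN_IP_NATIVE) supports network policy enforcement.
verdict_for_cni() {
  case "$1" in
    OCI_VCN_IP_NATIVE) echo "COMPLIANT" ;;
    FLANNEL_OVERLAY)   echo "NON_COMPLIANT" ;;
    *)                 echo "MANUAL_REVIEW" ;;
  esac
}

# Convenience wrapper: JSON in, verdict out.
check_cluster_json() {
  verdict_for_cni "$(cni_type_from_json "$1")"
}

# Walk every compartment (root tenancy included) and every ACTIVE cluster in
# it, printing one tab-separated line per cluster. Deleted clusters are
# filtered out with --lifecycle-state so they do not show up as findings.
audit_all_clusters() {
  local comp cluster json cni
  for comp in $(oci iam compartment list --all --include-root \
                  --query 'data[]."id"' | tr -d '[]",'); do
    for cluster in $(oci ce cluster list --compartment-id "$comp" --all \
                       --lifecycle-state ACTIVE --query 'data[]."id"' \
                       | tr -d '[]",'); do
      json=$(oci ce cluster get --cluster-id "$cluster" \
               --query 'data."cluster-pod-network-options"')
      cni=$(cni_type_from_json "$json")
      printf '%s\t%s\t%s\t%s\n' "$comp" "$cluster" "$cni" "$(verdict_for_cni "$cni")"
    done
  done
}

# Constructed samples shaped like the ce cluster get output on this page.
SAMPLE_FLANNEL_JSON='[ { "cni-type": "FLANNEL_OVERLAY" } ]'
SAMPLE_NATIVE_JSON='[ { "cni-type": "OCI_VCN_IP_NATIVE" } ]'

if [ "${1:-}" = "--live" ]; then
  audit_all_clusters
else
  printf 'constructed flannel sample -> %s\n' "$(check_cluster_json "$SAMPLE_FLANNEL_JSON")"
  printf 'constructed native sample  -> %s\n' "$(check_cluster_json "$SAMPLE_NATIVE_JSON")"
fi
```

    Run it as ./oke-cni-audit.sh --live to produce the report; any line ending in NON_COMPLIANT is a cluster that has to be re-created, and MANUAL_REVIEW flags a cluster whose CNI type could not be read (for example, because the principal lacks permission on it).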

Remediation / Resolution

To enable network policy support for your OCI Kubernetes Engine (OKE) cluster, you have to re-create the cluster with the required networking configuration, because the Container Network Interface (CNI) type cannot be changed on an existing cluster. Create the new cluster, migrate your workloads to it, and then delete the non-compliant cluster, by performing the following operations:

Using OCI Console

  1. Sign in to your Oracle Cloud Infrastructure (OCI) account.

  2. Navigate to Kubernetes Clusters (OKE) console available at https://cloud.oracle.com/containers/clusters.

  3. For Applied filters, choose an OCI compartment from the Compartment dropdown menu, to list the OCI Kubernetes Engine (OKE) clusters provisioned in the selected compartment.

  4. Choose Create cluster and perform the following actions to launch a new OCI Kubernetes Engine (OKE) cluster:

    1. Choose Custom create and select Proceed.
    2. For Create cluster, provide the following information:
      1. For Name, provide a unique name for the new cluster.
      2. For Compartment, select the appropriate OCI compartment.
      3. For Kubernetes version, ensure that the latest Kubernetes version is selected.
      4. Choose Next to continue the setup process.
    3. For Network setup, perform the following operations:
      1. For Network type, select VCN-native pod networking as the Container Network Interface (CNI) type. The VCN-Native Pod Networking CNI is the recommended CNI for OCI Kubernetes Engine (OKE) and comes fully integrated with network policy enforcement via Calico.
      2. For Choose network for cluster, select an existing Virtual Cloud Network (VCN) and subnet (must match the network configuration of the source cluster). (Optional) Toggle on the Use security rules in Network Security Group (NSG) button and select the Network Security Group (NSG) that you want to assign to your new cluster.
      3. Choose Next to continue the setup.
    4. For Node pools, configure the node pool settings such as node placement, node shape and image, boot volume size and encryption, and pod communication (must match the node pool configuration of the source cluster). Choose Next to continue the setup process.
    5. For Review and create, review the cluster configuration information, then choose Create cluster to launch your new OCI Kubernetes Engine (OKE) cluster.
  5. To deploy Calico as the network policy engine on the new cluster, see Installing Calico and Setting Up Network Policies in the OCI documentation. This step is listed as optional in the cluster setup, but without a policy engine the NetworkPolicy objects you create are stored and not enforced.

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list
    	--all
    	--include-root
    	--query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run ce cluster create command (Windows/macOS/Linux) to create a new, enhanced OCI Kubernetes Engine (OKE) cluster with the VCN-Native Pod Networking CNI as the Container Network Interface (CNI) type. The VCN-Native Pod Networking CNI is the recommended CNI for OCI Kubernetes Engine (OKE) and is fully integrated with network policy enforcement via Calico. Node pools are not created by this command; add them afterwards with the ce node-pool create command, using the pod communication settings of the source cluster:

    oci ce cluster create
    	--name 'cc-project5-secure-cluster'
    	--type 'ENHANCED_CLUSTER'
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
    	--kubernetes-version 'v1.34.1'
    	--vcn-id 'ocid1.vcn.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd'
    	--cluster-pod-network-options '[{"cniType": "OCI_VCN_IP_NATIVE"}]'
    
  4. The command output should return the ID of the work request that tracks the cluster creation:

    {
    	"opc-work-request-id": "ocid1.clustersworkrequest.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    }
    
  5. To deploy Calico as the network policy engine on the new cluster, see Installing Calico and Setting Up Network Policies in the OCI documentation. Without a policy engine the NetworkPolicy objects you create are stored and not enforced.
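    Once the new cluster exists and Calico is installed, the cluster still enforces nothing until NetworkPolicy objects are applied. The following script is an added example (not part of this Conformity page, and not Oracle's, Calico's or Trend Micro's code) that turns the "isolate by selecting pods" behaviour described in the Security section above into a baseline for one namespace: a default deny for both directions, an explicit egress allowance for DNS (a default-deny egress policy otherwise breaks name resolution), and one allow rule between two application tiers. The namespace payments, the labels app=frontend and app=api, port 8080 and the calico-system namespace are assumptions chosen for the example; it assumes kubectl is pointed at the new cluster.

```shell
#!/usr/bin/env bash
# Added example, not from the Conformity page or Oracle: render a default-deny
# baseline plus explicit allow rules for one namespace and apply it with
# kubectl. Run with --apply to push to the cluster; otherwise it only prints.
set -eu

# Default deny: an empty podSelector selects every pod in the namespace, and
# listing both policyTypes drops all ingress and egress not allowed elsewhere.
default_deny_manifest() {
  local ns="$1"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: ${ns}
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
EOF
}

# Default-deny egress also blocks DNS, so allow UDP/TCP 53 to CoreDNS in
# kube-system (k8s-app=kube-dns is the standard CoreDNS pod label).
allow_dns_manifest() {
  local ns="$1"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: ${ns}
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
EOF
}

# Allow only pods labelled app=<src> to reach pods labelled app=<dst> on <port>.
allow_app_ingress_manifest() {
  local ns="$1" dst="$2" src="$3" port="$4"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-${src}-to-${dst}
  namespace: ${ns}
spec:
  podSelector:
    matchLabels:
      app: ${dst}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: ${src}
      ports:
        - protocol: TCP
          port: ${port}
EOF
}

# Concatenate the three policies into one multi-document manifest.
render_namespace_policies() {
  local ns="$1" dst="$2" src="$3" port="$4"
  default_deny_manifest "$ns"; echo '---'
  allow_dns_manifest "$ns"; echo '---'
  allow_app_ingress_manifest "$ns" "$dst" "$src" "$port"
}

CALICO_NS="${CALICO_NS:-calico-system}"   # assumed operator install namespace

if [ "${1:-}" = "--apply" ]; then
  # Refuse to apply when no Calico node agent is running: the API server would
  # accept the objects, but nothing would enforce them.
  [ -n "$(kubectl get pods -n "$CALICO_NS" -l k8s-app=calico-node -o name)" ] \
    || { echo "no calico-node pods in $CALICO_NS; install Calico first" >&2; exit 1; }
  render_namespace_policies payments api frontend 8080 | kubectl apply -f -
  kubectl get networkpolicy -n payments
else
  render_namespace_policies payments api frontend 8080
fi
```

    Apply the baseline before deploying workloads into the namespace, then verify it from a pod that is not labelled app=frontend: a connection to the api service on port 8080 must now time out, while the same connection from a frontend pod succeeds. Policies are additive, so further tiers are opened by adding allow rules rather than by editing the default deny.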


Publication date Dec 11, 2025