
Use Network Policies

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Kubernetes namespaces have network policies defined to explicitly govern pod-to-pod communication, allowing you to precisely control internal traffic, and ultimately achieve necessary isolation within your OCI Kubernetes Engine (OKE) cluster network.

Security

Network policies provide the segmentation that ensures containers communicate only as intended: each policy defines the explicit allowed communication paths for the pods it selects. Significantly, once a pod is selected by a policy, all traffic of the declared policy types (ingress, egress, or both) that is not explicitly permitted is denied for that pod, while a namespace with no policies leaves all traffic completely allowed. Note that a NetworkPolicy object is only enforced when the cluster's network plugin supports network policies; otherwise the API server accepts the object but traffic is not filtered.


Audit

To determine if your Kubernetes namespaces have network policies defined to control traffic, perform the following operations:

Using OCI CLI

  1. Run the iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list \
    	--all \
    	--include-root \
    	--query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run the ce cluster list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each OCI Kubernetes Engine (OKE) cluster available in the selected OCI compartment:

    oci ce cluster list \
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--all \
    	--query 'data[]."id"'
    
  4. The command output should return the requested OKE cluster IDs:

    [
    	"ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.cluster.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  5. Run the ce cluster create-kubeconfig command (Windows/macOS/Linux) with the ID of the OCI Kubernetes Engine (OKE) cluster that you want to access as the identifier parameter, to generate and configure the Kubernetes configuration file (kubeconfig) that the kubectl tool needs to securely communicate with and manage the selected OKE cluster:

    oci ce cluster create-kubeconfig \
    	--cluster-id 'ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--file $HOME/.kube/config \
    	--kube-endpoint PUBLIC_ENDPOINT \
    	--region 'ap-sydney-1' \
    	--token-version 2.0.0
    
  6. The command output should return the path to the new Kubeconfig file:

    New config written to the Kubeconfig file /home/user/.kube/config
    
  7. Run the kubectl get namespaces command to identify your user-workload Kubernetes namespaces. A Kubernetes user-workload namespace is a logical partition within an OKE cluster intended for hosting applications and services deployed by users or development teams:

    kubectl get namespaces
    
  8. The command output should return a list with all namespaces. OCI Kubernetes Engine (OKE) clusters come with several default namespaces. Exclude the default OKE system namespaces (i.e., kube-system, kube-public, kube-node-lease, and default) from your check:

    NAME                 STATUS   AGE
    default              Active   16d
    kube-node-lease      Active   16d
    kube-public          Active   16d
    kube-system          Active   16d
    ...
    cc-web-dev           Active   16d
    cc-staging           Active   16d
    cc-web-prod          Active   16d
    
  9. Run the following command to list the "NetworkPolicy" objects created within your OKE cluster:

    kubectl get networkpolicy --all-namespaces
    
  10. The command output should return one of the following results:

    1. If the following output is returned: No resources found, there are no network policies defined to control traffic within your OKE cluster network:

      No resources found

    2. If the command output returns one or more results, compare the NAMESPACE column against the user-workload namespaces identified in step 8; any user-workload namespace that does not appear in the output has no network policy. In the example below, only cc-web-dev has a policy, so cc-staging and cc-web-prod are not covered, and network policies are not fully implemented to control traffic within your OKE cluster network:

      NAMESPACE     NAME                    AGE
      cc-web-dev    cc-allow-api-on-8080    16d
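The comparison in step 10 can be scripted. The following POSIX shell function is an added example, not part of the original Conformity page: it takes the text output of the two kubectl commands from steps 7 and 9 and prints every user-workload namespace with no NetworkPolicy. The sample outputs embedded below are constructed to mirror the page's example, and the function name uncovered_namespaces is an assumption.

```shell
#!/bin/sh
# Added example: report user-workload namespaces that lack a NetworkPolicy.
# Inputs are the stdout of "kubectl get namespaces" and
# "kubectl get networkpolicy --all-namespaces" (constructed samples below).

NAMESPACES_OUT='NAME                 STATUS   AGE
default              Active   16d
kube-node-lease      Active   16d
kube-public          Active   16d
kube-system          Active   16d
cc-web-dev           Active   16d
cc-staging           Active   16d
cc-web-prod          Active   16d'

NETPOL_OUT='NAMESPACE     NAME                    AGE
cc-web-dev    cc-allow-api-on-8080    16d'

# System namespaces excluded from the check, as in step 8.
SYSTEM_NS='default kube-system kube-public kube-node-lease'

# uncovered_namespaces NS_OUTPUT NETPOL_OUTPUT
# Prints, one per line, namespaces present in NS_OUTPUT that are not system
# namespaces and do not appear in the NAMESPACE column of NETPOL_OUTPUT.
# "No resources found" (or an empty string) as NETPOL_OUTPUT means no policies.
uncovered_namespaces() {
  printf '%s\n' "$1" | awk -v sys="$SYSTEM_NS" -v netpol="$2" '
    BEGIN {
      n = split(sys, s, " "); for (i = 1; i <= n; i++) skip[s[i]] = 1
      m = split(netpol, lines, "\n")
      for (i = 2; i <= m; i++) {          # i = 1 is the header line
        split(lines[i], f, " ")
        if (f[1] != "") covered[f[1]] = 1
      }
    }
    NR > 1 && $1 != "" && !($1 in skip) && !($1 in covered) { print $1 }'
}

# Live use: uncovered_namespaces "$(kubectl get namespaces)" \
#                                "$(kubectl get networkpolicy --all-namespaces)"
uncovered_namespaces "$NAMESPACES_OUT" "$NETPOL_OUT"
```

On the sample input the function prints cc-staging and cc-web-prod, the two namespaces the remediation section must address.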
      	

Remediation / Resolution

To ensure that each user-workload Kubernetes namespace defined in your OKE cluster has at least one network policy, perform the following operations:

Using OCI CLI

  1. Run the iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list \
    	--all \
    	--include-root \
    	--query 'data[]."id"'
    
  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
    	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  3. Run the ce cluster list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each OCI Kubernetes Engine (OKE) cluster available in the selected OCI compartment:

    oci ce cluster list \
    	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--all \
    	--query 'data[]."id"'
    
  4. The command output should return the requested OKE cluster IDs:

    [
    	"ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
    	"ocid1.cluster.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
    ]
    
  5. Run the ce cluster create-kubeconfig command (Windows/macOS/Linux) with the ID of the OCI Kubernetes Engine (OKE) cluster that you want to access as the identifier parameter, to generate and configure the Kubernetes configuration file (kubeconfig) that the kubectl tool needs to securely communicate with and manage the selected OKE cluster:

    oci ce cluster create-kubeconfig \
    	--cluster-id 'ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
    	--file $HOME/.kube/config \
    	--kube-endpoint PUBLIC_ENDPOINT \
    	--region 'ap-sydney-1' \
    	--token-version 2.0.0
    
  6. The command output should return the path to the new Kubeconfig file:

    New config written to the Kubeconfig file /home/user/.kube/config
    
  7. Run the kubectl get namespaces command to identify your user-workload Kubernetes namespaces. A Kubernetes user-workload namespace is a logical partition within an OKE cluster intended for hosting applications and services deployed by users or development teams:

    kubectl get namespaces
    
  8. The command output should return a list with all namespaces. OCI Kubernetes Engine (OKE) clusters come with several default namespaces. Exclude the default OKE system namespaces (i.e., kube-system, kube-public, kube-node-lease, and default) from your implementation:

    NAME                 STATUS   AGE
    default              Active   16d
    kube-node-lease      Active   16d
    kube-public          Active   16d
    kube-system          Active   16d
    ...
    cc-web-dev           Active   16d
    cc-staging           Active   16d
    cc-web-prod          Active   16d
    
  9. Define the necessary network policy for your user-workload Kubernetes namespace and save the policy document to a YAML file named cc-custom-network-policy.yaml. As an example, the following network policy applies to every pod in a user namespace named "cc-web-prod" and denies all outbound traffic by default, but specifically allows communication to the DNS service in kube-system. Because only Egress is listed under policyTypes, ingress to these pods remains unrestricted; add Ingress to policyTypes (with matching ingress rules) if inbound traffic must be governed as well:

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: cc-deny-except-dns
      namespace: cc-web-prod   # The namespace name
    spec:
      # Empty selector: the policy selects every pod in the namespace
      podSelector: {}
      # Only egress is governed by this policy
      policyTypes:
      - Egress
      egress:
      # Single rule: DNS (UDP and TCP port 53) to pods in kube-system
      - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
        ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    
  10. Run the kubectl apply command to apply the network policy defined in the previous step (i.e., cc-custom-network-policy.yaml):

    kubectl apply -f cc-custom-network-policy.yaml
    
  11. The command output should return the name of the new network policy:

    networkpolicy.networking.k8s.io/cc-deny-except-dns created
    

Publication date Dec 11, 2025