Enable Network Policy for EKS Cluster

Overview

This check verifies that your Amazon EKS cluster has Kubernetes Network Policy enabled and properly configured. Network Policy acts as a "firewall" for your pods, controlling which pods can communicate with each other and with external services.

By default, all pods in a Kubernetes cluster can talk to each other freely. Network Policy lets you restrict this to only the connections your application actually needs.

Risk

When Network Policy is not enabled:

• Lateral movement: If one pod is compromised, an attacker can easily reach other pods and services in your cluster
• Data exfiltration: Malicious code can send data to external services without restriction
• Blast radius: A security incident in one part of your application can quickly spread to others
• Compliance gaps: Many security frameworks require network segmentation for sensitive workloads

Enabling Network Policy gives you control over "east-west" traffic (pod-to-pod communication) and helps contain security incidents.

Remediation Steps

Prerequisites

• An EKS cluster running Kubernetes 1.27 or later
• VPC CNI add-on version 1.14.0 or later (version 1.21.0+ recommended)
• EC2 Linux nodes (Network Policy is not supported on Fargate or Windows nodes)

Check your current versions

Check Kubernetes version:

aws eks describe-cluster \
  --name <YOUR_CLUSTER_NAME> \
  --query 'cluster.version' \
  --output text \
  --region us-east-1

Check VPC CNI version:

kubectl describe daemonset aws-node --namespace kube-system | grep amazon-k8s-cni: | cut -d : -f 3

Check Linux kernel version (must be 5.10+):

kubectl get nodes -o wide
# Then SSH to a node and run: uname -r

Required IAM permissions

To update the VPC CNI add-on, you need:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eks:UpdateAddon",
        "eks:DescribeAddon",
        "eks:DescribeCluster"
      ],
      "Resource": [
        "arn:aws:eks:*:*:cluster/*",
        "arn:aws:eks:*:*:addon/*/*/*"
      ]
    }
  ]
}

AWS Console Method

1. Open the EKS Console at https://console.aws.amazon.com/eks
2. Ensure you are in the us-east-1 region (top-right corner)
3. Click Clusters in the left sidebar
4. Click on your cluster name
5. Select the Add-ons tab
6. Find Amazon VPC CNI and click the checkbox, then click Edit
7. In the Version dropdown, select v1.21.0-eksbuild.1 or later
8. Expand Optional configuration settings
9. In the Configuration values field, enter:

   {"enableNetworkPolicy": "true"}

10. For Conflict resolution method, select Override
11. Click Save changes

The update takes a few minutes. Once complete, the aws-node pods will restart with Network Policy support enabled.

AWS CLI (optional)

Enable Network Policy via the VPC CNI add-on

aws eks update-addon \
  --cluster-name <YOUR_CLUSTER_NAME> \
  --addon-name vpc-cni \
  --addon-version v1.21.0-eksbuild.1 \
  --resolve-conflicts OVERWRITE \
  --configuration-values '{"enableNetworkPolicy": "true"}' \
  --region us-east-1

Replace <YOUR_CLUSTER_NAME> with your actual cluster name.

Example output

{
    "update": {
        "id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "status": "InProgress",
        "type": "AddonUpdate",
        "createdAt": "2024-01-15T10:30:00.000Z"
    }
}

Check update status

aws eks describe-addon \
  --cluster-name <YOUR_CLUSTER_NAME> \
  --addon-name vpc-cni \
  --query 'addon.{Status:status,Version:addonVersion}' \
  --region us-east-1

Enable strict mode (optional)

For maximum security, you can enable strict mode where pods start with a deny-all policy:

aws eks update-addon \
  --cluster-name <YOUR_CLUSTER_NAME> \
  --addon-name vpc-cni \
  --resolve-conflicts OVERWRITE \
  --configuration-values '{"enableNetworkPolicy": "true", "env": {"NETWORK_POLICY_ENFORCING_MODE": "strict"}}' \
  --region us-east-1

Warning: In strict mode, you must create Network Policies for all pod communication, including access to CoreDNS. Enable strict mode only if you have a comprehensive set of Network Policies ready.

CloudFormation (optional)

If you manage your EKS add-ons via CloudFormation, add the VPC CNI add-on with Network Policy enabled:

AWSTemplateFormatVersion: '2010-09-09'
Description: EKS VPC CNI add-on with Network Policy enabled

Parameters:
  ClusterName:
    Type: String
    Description: Name of the EKS cluster
  VpcCniVersion:
    Type: String
    Default: 'v1.21.0-eksbuild.1'
    Description: VPC CNI add-on version (must be v1.14.0 or later)

Resources:
  VpcCniAddon:
    Type: AWS::EKS::Addon
    Properties:
      AddonName: vpc-cni
      AddonVersion: !Ref VpcCniVersion
      ClusterName: !Ref ClusterName
      ConfigurationValues: '{"enableNetworkPolicy": "true"}'
      ResolveConflicts: OVERWRITE

Outputs:
  AddonName:
    Description: VPC CNI addon name
    Value: !Ref VpcCniAddon

Deploy with:

aws cloudformation deploy \
  --template-file eks-vpc-cni-addon.yaml \
  --stack-name eks-vpc-cni-network-policy \
  --parameter-overrides ClusterName=<YOUR_CLUSTER_NAME> \
  --region us-east-1

Terraform (optional)

Enable Network Policy via Terraform

variable "cluster_name" {
  description = "Name of the EKS cluster"
  type        = string
}

variable "vpc_cni_version" {
  description = "VPC CNI add-on version (must be v1.14.0 or later)"
  type        = string
  default     = "v1.21.0-eksbuild.1"
}

resource "aws_eks_addon" "vpc_cni" {
  cluster_name                = var.cluster_name
  addon_name                  = "vpc-cni"
  addon_version               = var.vpc_cni_version
  resolve_conflicts_on_update = "OVERWRITE"

  configuration_values = jsonencode({
    enableNetworkPolicy = "true"
  })
}

output "addon_id" {
  description = "VPC CNI addon ID"
  value       = aws_eks_addon.vpc_cni.id
}

Deploy with:

terraform init
terraform plan -var="cluster_name=<YOUR_CLUSTER_NAME>"
terraform apply

With strict mode

resource "aws_eks_addon" "vpc_cni" {
  cluster_name                = var.cluster_name
  addon_name                  = "vpc-cni"
  addon_version               = var.vpc_cni_version
  resolve_conflicts_on_update = "OVERWRITE"

  configuration_values = jsonencode({
    enableNetworkPolicy = "true"
    env = {
      NETWORK_POLICY_ENFORCING_MODE = "strict"
    }
  })
}

Using Helm (optional)

If you manage the VPC CNI via Helm instead of the EKS add-on:

helm upgrade aws-vpc-cni eks/aws-vpc-cni \
  --namespace kube-system \
  --set enableNetworkPolicy=true \
  --set nodeAgent.metricsBindAddr=8162 \
  --set nodeAgent.healthProbeBindAddr=8163

Verification

After enabling Network Policy, verify it is working:

1. Open the EKS Console at https://console.aws.amazon.com/eks
2. Click on your cluster name
3. Select the Add-ons tab
4. Click on Amazon VPC CNI
5. Confirm the Configuration shows enableNetworkPolicy: true

Also check that the aws-node pods show 2/2 containers running (the second container is the network policy agent):

kubectl get pods -n kube-system -l k8s-app=aws-node

Expected output:

NAME             READY   STATUS    RESTARTS   AGE
aws-node-abc12   2/2     Running   0          5m
aws-node-def34   2/2     Running   0          5m

Verify with AWS CLI

aws eks describe-addon \
  --cluster-name <YOUR_CLUSTER_NAME> \
  --addon-name vpc-cni \
  --query 'addon.configurationValues' \
  --output text \
  --region us-east-1

The output should include "enableNetworkPolicy": "true".

Check the network policy controller is running

kubectl get pods -n kube-system -l k8s-app=aws-node -o wide

Each aws-node pod should show 2/2 in the READY column.

Test with a sample Network Policy

Create a test namespace and apply a deny-all policy:

kubectl create namespace network-policy-test

cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: network-policy-test
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
EOF

Verify the policy was created:

kubectl get networkpolicy -n network-policy-test

Clean up:

kubectl delete namespace network-policy-test

Additional Resources

• AWS Documentation: Kubernetes Network Policies with Amazon VPC CNI
• AWS Documentation: Configure Network Policies
• AWS Blog: Amazon VPC CNI now supports Kubernetes Network Policies
• EKS Best Practices: Network Security
• Kubernetes Documentation: Network Policies

Notes

• Enabling is just the first step: Enabling Network Policy support only gives you the capability to enforce policies. You must also create actual NetworkPolicy resources to restrict traffic. Without policies, all traffic is still allowed.

• Start with observability: Before enforcing strict policies, consider monitoring your pod traffic patterns using tools like VPC Flow Logs or service mesh observability to understand what policies you need.

• CoreDNS access: If you enable strict mode, remember that pods need Network Policies allowing egress to CoreDNS (typically port 53 to pods with label k8s-app: kube-dns in the kube-system namespace).

• EC2 nodes only: Network Policy enforcement works only on EC2 Linux nodes. Fargate and Windows nodes do not support this feature.

• Performance: The VPC CNI uses eBPF (Extended Berkeley Packet Filter) for policy enforcement, which is more efficient than traditional iptables-based implementations.

• Pod requirements: Network Policies only apply to pods that are part of a Deployment, ReplicaSet, or other controller. Standalone pods without metadata.ownerReferences are not affected.

• Default-deny approach: For production workloads, consider implementing a default-deny policy for each namespace, then explicitly allow required traffic. This follows the principle of least privilege.