Files Affected: infra/gcp/terraform/modules/gke-cluster/main.tf:156-158
Impact: Zero network segmentation between workloads
Issue:
Network policies are explicitly disabled in the GKE cluster module despite the addon being available:

```hcl
network_policy {
  enabled = false
}
```

However, the `network_policy_config` addon is enabled, creating a configuration mismatch.
Security Implications:
- Any compromised pod can communicate with all other pods in the cluster
- No defense-in-depth against lateral movement attacks
- Compliance violations (PCI-DSS, SOC2 require network segmentation)
- Secrets accessible from any compromised workload
Attack Vector:
If an attacker compromises any application pod (e.g., via vulnerable dependency), they can:
- Scan the entire cluster network
- Access internal services not intended to be exposed
- Exfiltrate data from database pods
- Pivot to cloud metadata services
Recommendation:
- Immediate: Enable network policies on GKE clusters
- Deploy: Default-deny NetworkPolicy resources
- Implement: Least-privilege network segmentation per namespace
- Monitor: Network flow logs for anomaly detection
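The corrected cluster settings and the recommended default-deny plus least-privilege policies, expressed together in Terraform, as an added example that is not the repository's own module code. It resolves the mismatch described above (addon enabled, enforcement disabled) and then implements the "Deploy" and "Implement" recommendations with the `hashicorp/kubernetes` provider. The cluster name, location, the `app` namespace, the `app=api` / `app=db` labels and the database port are assumptions for this example; the provider blocks are omitted.

```hcl
# Added example, not the module at infra/gcp/terraform/modules/gke-cluster/main.tf.
# Resource names, location, namespace and workload labels are assumptions.

# 1. Cluster side: make the addon and the enforcement setting agree.
#    The reported module has `enabled = false` here.
resource "google_container_cluster" "primary" {
  name               = "example-cluster" # assumption
  location           = "us-central1"     # assumption
  initial_node_count = 1

  addons_config {
    network_policy_config {
      disabled = false # addon installed (this was already the case)
    }
  }

  network_policy {
    enabled  = true     # enforcement on, instead of false
    provider = "CALICO" # GKE's NetworkPolicy provider for non-Dataplane-V2 clusters
  }
}

# 2. Workload side: default-deny in the namespace, both directions.
#    An empty pod_selector matches every pod in the namespace.
resource "kubernetes_network_policy" "default_deny" {
  metadata {
    name      = "default-deny-all"
    namespace = "app" # assumption: one namespace per workload
  }

  spec {
    pod_selector {}
    policy_types = ["Ingress", "Egress"]
  }
}

# 3. Default-deny egress also blocks name resolution, so allow cluster DNS
#    explicitly (GKE's kube-dns pods carry the label k8s-app=kube-dns).
resource "kubernetes_network_policy" "allow_dns" {
  metadata {
    name      = "allow-dns-egress"
    namespace = "app"
  }

  spec {
    pod_selector {}
    policy_types = ["Egress"]

    egress {
      to {
        namespace_selector {
          match_labels = { "kubernetes.io/metadata.name" = "kube-system" }
        }
        pod_selector {
          match_labels = { "k8s-app" = "kube-dns" }
        }
      }
      ports {
        port     = "53"
        protocol = "UDP"
      }
      ports {
        port     = "53"
        protocol = "TCP"
      }
    }
  }
}

# 4. Least privilege: only pods labelled app=api may reach the database
#    pods on their service port; every other source stays denied.
resource "kubernetes_network_policy" "db_from_api" {
  metadata {
    name      = "db-allow-from-api"
    namespace = "app"
  }

  spec {
    pod_selector {
      match_labels = { app = "db" } # assumption
    }
    policy_types = ["Ingress"]

    ingress {
      from {
        pod_selector {
          match_labels = { app = "api" } # assumption
        }
      }
      ports {
        port     = "5432" # assumption: PostgreSQL
        protocol = "TCP"
      }
    }
  }
}
```

Two caveats when applying this. First, if the cluster runs GKE Dataplane V2 (`datapath_provider = "ADVANCED_DATAPATH"`), policy enforcement is built into the dataplane and the `network_policy` block must stay disabled; the `kubernetes_network_policy` resources are unchanged in that case. Second, a default-deny policy is only as good as the allow rules that follow it, so after `terraform apply` confirm enforcement is on (for example `gcloud container clusters describe <cluster> --format='value(networkPolicy)'`) and list the policies per namespace with `kubectl get networkpolicy -n app` before cutting traffic over.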