☸️ CIS Kubernetes 5.3.2 | Rule: K8S-NP-001 | Severity: high
NetworkPolicy on every namespace
Description
Every namespace should have at least one NetworkPolicy. EchelonGraph correlates the live K8S_NAMESPACE inventory with K8S_NETWORKPOLICY assets per namespace and flags namespaces without coverage. The check is presence-based: a namespace whose only NetworkPolicy selects a subset of Pods passes this rule, but the Pods that no policy selects remain non-isolated, so satisfying the rule is the floor, not the goal.
⚠️ Risk Impact
A Pod that no NetworkPolicy selects is non-isolated: Kubernetes allows all ingress and egress for it. In a namespace with no NetworkPolicy at all, every Pod is in that state, so a compromised Pod there can connect to every other Pod in the cluster (and be connected to from every other Pod), including workloads in namespaces that have no policy of their own.
🔍 How EchelonGraph Detects This
K8S-NP-001 | Automated scanner rule
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Apply a default-deny-all NetworkPolicy in each namespace (empty podSelector, policyTypes Ingress and Egress, no rules), then add allow-list policies for the traffic each workload actually needs. Two caveats: egress is only denied when Egress is listed explicitly in policyTypes, and after a default-deny you must explicitly allow DNS egress (UDP/TCP 53 to kube-system) or name resolution in the namespace breaks. NetworkPolicy objects are only enforced by a CNI plugin that implements them; on a plugin that does not, the API server accepts the objects but they have no effect, so verify enforcement on a test Pod after applying.
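The following is an added example, not EchelonGraph's scanner code, that covers both the detection described under "How EchelonGraph Detects This" and the remediation above. It takes namespace and NetworkPolicy inventories in the shape of `kubectl get namespaces -o json` and `kubectl get networkpolicies -A -o json` (only the fields it reads are modelled), classifies each namespace as having no policy, a partial policy set, or a true default-deny, and renders the default-deny manifest for the uncovered ones. The sample inventory, the function names and the `default-deny-all` policy name are all assumptions made for this example.

```python
"""Classify namespaces by NetworkPolicy coverage and render a default-deny
manifest for the ones without any policy.

Added example, not EchelonGraph's or Kubernetes' own code. Inputs mimic the
JSON shape of `kubectl get namespaces -o json` and
`kubectl get networkpolicies -A -o json`; only the fields used are modelled.
"""
from typing import Dict, List


def is_default_deny(policy: dict) -> bool:
    """True if the policy selects every Pod in its namespace and denies
    both ingress and egress without allowing anything.

    An empty podSelector matches all Pods. policyTypes must list both
    Ingress and Egress explicitly: when it is omitted, Kubernetes infers
    Ingress, and adds Egress only if egress rules are present, so an
    omitted policyTypes never produces a default-deny of egress.
    """
    spec = policy.get("spec", {})
    if spec.get("podSelector", {}) != {}:
        return False
    types = set(spec.get("policyTypes") or ["Ingress"])
    if types != {"Ingress", "Egress"}:
        return False
    return not spec.get("ingress") and not spec.get("egress")


def classify_namespaces(namespaces: dict, policies: dict) -> Dict[str, str]:
    """Map each namespace name to 'none', 'partial' or 'default-deny'.

    'none'         : no NetworkPolicy in the namespace (what K8S-NP-001 flags)
    'partial'      : policies exist but none is a default-deny, so Pods that
                     no policy selects are still non-isolated
    'default-deny' : an all-Pod ingress+egress deny policy is present
    """
    by_ns: Dict[str, List[dict]] = {}
    for pol in policies["items"]:
        by_ns.setdefault(pol["metadata"]["namespace"], []).append(pol)
    result: Dict[str, str] = {}
    for ns in namespaces["items"]:
        name = ns["metadata"]["name"]
        pols = by_ns.get(name, [])
        if not pols:
            result[name] = "none"
        elif any(is_default_deny(p) for p in pols):
            result[name] = "default-deny"
        else:
            result[name] = "partial"
    return result


def uncovered_namespaces(namespaces: dict, policies: dict) -> List[str]:
    """Namespaces with no NetworkPolicy at all, i.e. the rule's findings."""
    status = classify_namespaces(namespaces, policies)
    return sorted(name for name, state in status.items() if state == "none")


# Remediation manifest: isolates every Pod in the namespace in both
# directions. Allow-list policies (DNS egress first) go on top of it.
DEFAULT_DENY_TEMPLATE = """\
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: {namespace}
spec:
  podSelector: {{}}
  policyTypes:
  - Ingress
  - Egress
"""


def render_default_deny(namespace: str) -> str:
    """Return the default-deny manifest for `namespace` (policy name is an
    assumption of this example)."""
    return DEFAULT_DENY_TEMPLATE.format(namespace=namespace)


# Constructed sample inventory, not taken from a real cluster.
SAMPLE_NAMESPACES = {"items": [
    {"metadata": {"name": "payments"}},
    {"metadata": {"name": "frontend"}},
    {"metadata": {"name": "batch"}},
]}
SAMPLE_POLICIES = {"items": [
    # payments: proper default-deny
    {"metadata": {"name": "default-deny-all", "namespace": "payments"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    # frontend: a policy exists but only app=web Pods are selected
    {"metadata": {"name": "allow-web", "namespace": "frontend"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}},
              "ingress": [{"ports": [{"port": 80}]}]}},
    # batch: no policy at all
]}


if __name__ == "__main__":
    for name, state in sorted(classify_namespaces(
            SAMPLE_NAMESPACES, SAMPLE_POLICIES).items()):
        print(f"{name}: {state}")
    for name in uncovered_namespaces(SAMPLE_NAMESPACES, SAMPLE_POLICIES):
        print(render_default_deny(name))
```

Against a live cluster, feed it the output of `kubectl get namespaces -o json` and `kubectl get networkpolicies -A -o json` instead of the sample data; the `partial` state is the one to watch, because it passes the presence check while leaving unselected Pods open.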
🔗 Cross-Framework References
NIST-SC-7, PCI-1.3