diff --git a/skills/network/segmentation/SKILL.md b/skills/network/segmentation/SKILL.md index 06f80741..44c2514e 100644 --- a/skills/network/segmentation/SKILL.md +++ b/skills/network/segmentation/SKILL.md @@ -66,6 +66,10 @@ Use Glob and Grep to locate network configuration files, diagrams-as-code, and i **/network-policy* **/calico* **/cilium* +**/GlobalNetworkPolicy* +**/CiliumNetworkPolicy* +**/CiliumClusterwideNetworkPolicy* +**/AuthorizationPolicy* # Cloud-native **/firewall-rule* @@ -208,6 +212,77 @@ Evaluate the environment's readiness for workload-level segmentation: --- +#### 3.3 Effective Policy Decision and Shadowing Evidence Gate + +Do not treat the presence of a NetworkPolicy, Calico policy, Cilium policy, service mesh policy, or cloud security rule as proof that the flow is denied. The review must establish the effective allow/deny decision after selectors, runtime labels, policy order, tiers, default actions, pass actions, deny precedence, and enforcement mode are resolved. + +For every critical east-west or cross-zone flow, require the following evidence: + +- **Policy engine inventory:** Kubernetes NetworkPolicy, Calico NetworkPolicy or GlobalNetworkPolicy, CiliumNetworkPolicy or CiliumClusterwideNetworkPolicy, service mesh AuthorizationPolicy, cloud security group/NSG/NACL, host firewall, or other enforcement point. +- **Runtime workload identity:** namespace, pod or workload name, service account, labels, node placement, hostNetwork status, sidecar enrollment, and workload IPs at the time of the test. +- **Selector resolution:** which sources and destinations match each `podSelector`, `namespaceSelector`, `endpointSelector`, Calico `selector`, service account selector, or cloud resource selector. +- **Ordering and fallthrough:** Calico tier/order/action/defaultAction/`Pass` behavior, Cilium deny-vs-allow overlap, Kubernetes ingress/egress isolation status, service mesh deny/allow precedence, and cloud rule priority. +- **Enforcement mode:** CNI policy enforcement enabled for the namespace/workload, Cilium `enable-policy` behavior, Calico enforcement vs staged policy, service mesh permissive/audit mode, and cloud rule attachment state. +- **Expected vs observed result:** source, destination, protocol, port, expected decision, observed packet/flow result, deciding policy/rule/tier, and timestamp. + +Classify a flow as **Not Evaluable** when runtime labels, selector resolution, enforcement mode, or observed flow evidence is missing. Escalate to **High** when available evidence shows that a broad allow, `Pass` fallthrough, disabled enforcement mode, or missing deny precedence can permit a restricted flow. + +**Shadowing and effective decision examples:** + +| Evidence condition | Review result | +|--------------------|---------------| +| Default-deny policy exists, but a later broad allow matches the same destination and the report only lists policy names | Not Evaluable until the effective decision and negative test are shown | +| Calico tier/order/defaultAction are omitted and a policy uses `Pass` | Not Evaluable; High if lower-tier policy or profile permits the restricted flow | +| Cilium deny and allow policies overlap, but no endpoint policy trace or Hubble/flow evidence confirms deny precedence | Not Evaluable | +| Runtime labels are not captured, so selectors cannot be mapped to the tested workloads | Not Evaluable | +| Policy engine is deployed in audit, staged, monitor, or disabled mode while the report claims enforcement | Medium; High for production restricted flows | +| Expected-vs-observed matrix proves restricted flows are denied and permitted flows still work | Pass | + +**Patterns to check:** + +```yaml +# Kubernetes NetworkPolicy selector and policyTypes resolution +kind: NetworkPolicy +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + ingress: + - from: + - namespaceSelector: {} + +# Calico tier/order/action/defaultAction/Pass resolution +kind: GlobalNetworkPolicy +spec: + tier: security + order: 100 + selector: app == "payments" + ingress: + - action: Pass + source: + selector: role == "frontend" + +# Cilium allow/deny overlap and endpoint selector resolution +kind: CiliumNetworkPolicy +spec: + endpointSelector: + matchLabels: + app: payments + ingressDeny: + - fromEndpoints: + - matchLabels: + zone: untrusted +``` + +Document the effective decision in the report: + +| Source | Destination | Selector Match | Policy Engine | Deciding Rule/Tier | Expected | Observed | Status | +|--------|-------------|----------------|---------------|--------------------|----------|----------|--------| +| frontend/api | payments/db | `role=frontend` to `app=payments` | Calico | `security` tier order 100 `Pass` to lower allow | Deny | Allowed | High | + +--- + ### Step 4: DMZ Architecture Review (NIST SP 800-41, Section 4.1; CIS Control 12.2) If a DMZ is present, evaluate its architectural soundness: @@ -301,6 +376,12 @@ Document or verify the existence of a segmentation testing process: - Automation: - **Overall Readiness:** +### Effective Policy Decision Matrix + +| Source | Destination | Selector Match | Policy Engine | Deciding Rule/Tier | Expected | Observed | Status | +|--------|-------------|----------------|---------------|--------------------|----------|----------|--------| +| | | | | | | | | + ### Prioritized Remediation Plan 1. **[Critical]** 2. **[High]** @@ -345,6 +426,8 @@ Document or verify the existence of a segmentation testing process: 5. **Assuming Kubernetes namespaces provide network isolation.** Namespaces are a logical organizational boundary. Without a NetworkPolicy or CNI-level enforcement (Calico, Cilium), all pods across all namespaces can communicate freely by default. +6. **Confusing policy presence with effective denial.** A default-deny object, broad allow, Calico `Pass`, staged policy, disabled CNI enforcement, or Cilium allow/deny overlap can change the actual decision. Always prove selector resolution, tier/order/default action, deny precedence, and expected vs observed flow results. + --- ## Prompt Injection Safety Notice @@ -366,7 +449,10 @@ This skill processes network configurations that may contain user-supplied comme - CIS Control 12 -- Network Infrastructure Management: https://www.cisecurity.org/controls/network-infrastructure-management - PCI DSS v4.0 Requirement 1 -- Install and Maintain Network Security Controls: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf - Kubernetes Network Policies: https://kubernetes.io/docs/concepts/services-networking/network-policies/ +- Kubernetes NetworkPolicy API Reference: https://kubernetes.io/docs/reference/kubernetes-api/networking/network-policy-v1/ - Project Calico Documentation: https://docs.tigera.io/calico/latest/about/ +- Calico tiered policy: https://docs.tigera.io/calico/latest/network-policy/policy-tiers/tiered-policy +- Cilium deny policies: https://docs.cilium.io/en/stable/security/policy/language/#deny-policies --- diff --git a/skills/network/segmentation/tests/effective-policy-decision-edge-cases.md b/skills/network/segmentation/tests/effective-policy-decision-edge-cases.md new file mode 100644 index 00000000..00a29bd9 --- /dev/null +++ b/skills/network/segmentation/tests/effective-policy-decision-edge-cases.md @@ -0,0 +1,180 @@ +# Segmentation Effective Policy Decision Edge Cases + +Use these fixtures to test whether the segmentation skill distinguishes policy presence from the effective allow/deny decision. Each case requires selector resolution, runtime labels, enforcement mode, tier/order/default action or deny precedence, and expected vs observed flow evidence. + +--- + +## Case 1: Broad Kubernetes Allow Shadows Default Deny + +**Input evidence:** + +```yaml +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny + namespace: payments +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-all-namespaces-to-api + namespace: payments +spec: + podSelector: + matchLabels: + app: api + ingress: + - from: + - namespaceSelector: {} +``` + +**Runtime labels:** Not provided. + +**Expected classification:** Not Evaluable until runtime labels and observed flow tests are provided. Escalate to High if restricted namespaces can reach `payments/api` because the broad `namespaceSelector: {}` allow matches them. + +**Required output markers:** + +- selector resolution missing +- expected vs observed matrix missing +- broad allow can shadow default-deny assumptions + +--- + +## Case 2: Calico Pass Falls Through to Lower Allow + +**Input evidence:** + +```yaml +apiVersion: projectcalico.org/v3 +kind: GlobalNetworkPolicy +metadata: + name: security-tier-payments +spec: + tier: security + order: 100 + selector: app == "payments" + types: + - Ingress + ingress: + - action: Pass + source: + selector: role == "frontend" +--- +apiVersion: projectcalico.org/v3 +kind: GlobalNetworkPolicy +metadata: + name: application-tier-allow +spec: + tier: application + order: 10 + selector: app == "payments" + ingress: + - action: Allow + source: + selector: role in {"frontend", "batch"} +``` + +**Observed flow:** `batch` to `payments` was allowed, but the report only lists the first policy. + +**Expected classification:** High when the intended restricted flow is allowed through `Pass` fallthrough or a lower-tier allow. Not Evaluable if tier order, default action, and observed flow evidence are absent. + +**Required output markers:** + +- Calico Pass +- tier/order/default action +- deciding policy/rule/tier + +--- + +## Case 3: Cilium Deny/Allow Overlap Without Endpoint Decision Evidence + +**Input evidence:** + +```yaml +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: deny-untrusted-to-api + namespace: payments +spec: + endpointSelector: + matchLabels: + app: api + ingressDeny: + - fromEndpoints: + - matchLabels: + zone: untrusted +--- +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-frontend-to-api + namespace: payments +spec: + endpointSelector: + matchLabels: + app: api + ingress: + - fromEndpoints: + - matchLabels: + role: frontend +``` + +**Runtime labels:** A workload has both `zone=untrusted` and `role=frontend`. + +**Observed flow:** No Hubble, endpoint policy, or packet result attached. + +**Expected classification:** Not Evaluable because deny precedence and endpoint selector resolution are not proven by runtime evidence. + +**Required output markers:** + +- Cilium deny +- deny precedence +- endpoint selector resolution + +--- + +## Case 4: Complete Effective Decision Matrix + +**Input evidence:** + +| Source | Destination | Runtime Labels | Policy Engine | Deciding Rule/Tier | Expected | Observed | +|--------|-------------|----------------|---------------|--------------------|----------|----------| +| `frontend/api` | `payments/db` | `role=frontend` to `app=db` | Calico | `security` tier order 50 deny | Deny | Denied | +| `payments/api` | `payments/db` | `app=api` to `app=db` | Calico | `application` tier order 10 allow | Allow | Allowed | +| `batch/job` | `payments/db` | `role=batch` to `app=db` | Calico | default action deny | Deny | Denied | + +**Expected classification:** Pass when the report includes runtime labels, selector resolution, enforcement mode, deciding rule/tier, and expected vs observed results. + +**Required output markers:** + +- effective decision matrix +- selector resolution complete +- expected vs observed complete + +--- + +## Case 5: Policy Manifests Only, No Runtime Enforcement State + +**Input evidence:** Kubernetes, Calico, or Cilium manifests from a repository. + +**Missing evidence:** + +- No namespace labels or pod labels from the target runtime. +- No CNI enforcement mode. +- No policy attachment or endpoint decision output. +- No flow logs, Hubble output, calicoctl output, or connectivity test timestamp. + +**Expected classification:** Not Evaluable. Do not mark the restricted flow as Pass based only on manifests. + +**Required output markers:** + +- Not Evaluable +- enforcement mode missing +- runtime labels missing