Skip to content

Improve segmentation effective policy decision gates #1397

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
MAUROCERON wants to merge 1 commit into
base: main
Choose a base branch
from
+266 −0
Open

Improve segmentation effective policy decision gates #1397

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
86 changes: 86 additions & 0 deletions skills/network/segmentation/SKILL.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,10 @@ Use Glob and Grep to locate network configuration files, diagrams-as-code, and i
**/network-policy*
**/calico*
**/cilium*
**/GlobalNetworkPolicy*
**/CiliumNetworkPolicy*
**/CiliumClusterwideNetworkPolicy*
**/AuthorizationPolicy*

# Cloud-native
**/firewall-rule*
Expand Down Expand Up @@ -208,6 +212,77 @@ Evaluate the environment's readiness for workload-level segmentation:

---

#### 3.3 Effective Policy Decision and Shadowing Evidence Gate

Do not treat the presence of a NetworkPolicy, Calico policy, Cilium policy, service mesh policy, or cloud security rule as proof that the flow is denied. The review must establish the effective allow/deny decision after selectors, runtime labels, policy order, tiers, default actions, pass actions, deny precedence, and enforcement mode are resolved.

For every critical east-west or cross-zone flow, require the following evidence:

- **Policy engine inventory:** Kubernetes NetworkPolicy, Calico NetworkPolicy or GlobalNetworkPolicy, CiliumNetworkPolicy or CiliumClusterwideNetworkPolicy, service mesh AuthorizationPolicy, cloud security group/NSG/NACL, host firewall, or other enforcement point.
- **Runtime workload identity:** namespace, pod or workload name, service account, labels, node placement, hostNetwork status, sidecar enrollment, and workload IPs at the time of the test.
- **Selector resolution:** which sources and destinations match each `podSelector`, `namespaceSelector`, `endpointSelector`, Calico `selector`, service account selector, or cloud resource selector.
- **Ordering and fallthrough:** Calico tier/order/action/defaultAction/`Pass` behavior, Cilium deny-vs-allow overlap, Kubernetes ingress/egress isolation status, service mesh deny/allow precedence, and cloud rule priority.
- **Enforcement mode:** CNI policy enforcement enabled for the namespace/workload, Cilium `enable-policy` behavior, Calico enforcement vs staged policy, service mesh permissive/audit mode, and cloud rule attachment state.
- **Expected vs observed result:** source, destination, protocol, port, expected decision, observed packet/flow result, deciding policy/rule/tier, and timestamp.

Classify a flow as **Not Evaluable** when runtime labels, selector resolution, enforcement mode, or observed flow evidence is missing. Escalate to **High** when available evidence shows that a broad allow, `Pass` fallthrough, disabled enforcement mode, or missing deny precedence can permit a restricted flow.

**Shadowing and effective decision examples:**

| Evidence condition | Review result |
|--------------------|---------------|
| Default-deny policy exists, but a later broad allow matches the same destination and the report only lists policy names | Not Evaluable until the effective decision and negative test are shown |
| Calico tier/order/defaultAction are omitted and a policy uses `Pass` | Not Evaluable; High if lower-tier policy or profile permits the restricted flow |
| Cilium deny and allow policies overlap, but no endpoint policy trace or Hubble/flow evidence confirms deny precedence | Not Evaluable |
| Runtime labels are not captured, so selectors cannot be mapped to the tested workloads | Not Evaluable |
| Policy engine is deployed in audit, staged, monitor, or disabled mode while the report claims enforcement | Medium; High for production restricted flows |
| Expected-vs-observed matrix proves restricted flows are denied and permitted flows still work | Pass |

**Patterns to check:**

```yaml
# Kubernetes NetworkPolicy selector and policyTypes resolution
kind: NetworkPolicy
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
ingress:
- from:
- namespaceSelector: {}

# Calico tier/order/action/defaultAction/Pass resolution
kind: GlobalNetworkPolicy
spec:
tier: security
order: 100
selector: app == "payments"
ingress:
- action: Pass
source:
selector: role == "frontend"

# Cilium allow/deny overlap and endpoint selector resolution
kind: CiliumNetworkPolicy
spec:
endpointSelector:
matchLabels:
app: payments
ingressDeny:
- fromEndpoints:
- matchLabels:
zone: untrusted
```

Document the effective decision in the report:

| Source | Destination | Selector Match | Policy Engine | Deciding Rule/Tier | Expected | Observed | Status |
|--------|-------------|----------------|---------------|--------------------|----------|----------|--------|
| frontend/api | payments/db | `role=frontend` to `app=payments` | Calico | `security` tier order 100 `Pass` to lower allow | Deny | Allowed | High |

---

### Step 4: DMZ Architecture Review (NIST SP 800-41, Section 4.1; CIS Control 12.2)

If a DMZ is present, evaluate its architectural soundness:
Expand Down Expand Up @@ -301,6 +376,12 @@ Document or verify the existence of a segmentation testing process:
- Automation: <Ready / Partial / Not Ready>
- **Overall Readiness:** <Ready / Partial / Not Ready>

### Effective Policy Decision Matrix

| Source | Destination | Selector Match | Policy Engine | Deciding Rule/Tier | Expected | Observed | Status |
|--------|-------------|----------------|---------------|--------------------|----------|----------|--------|
| <workload> | <workload> | <labels/selectors resolved> | <engine> | <rule/tier/default action> | <allow/deny> | <allow/deny/no evidence> | <Pass/Finding/Not Evaluable> |

### Prioritized Remediation Plan
1. **[Critical]** <action item with control reference>
2. **[High]** <action item with control reference>
Expand Down Expand Up @@ -345,6 +426,8 @@ Document or verify the existence of a segmentation testing process:

5. **Assuming Kubernetes namespaces provide network isolation.** Namespaces are a logical organizational boundary. Without a NetworkPolicy or CNI-level enforcement (Calico, Cilium), all pods across all namespaces can communicate freely by default.

6. **Confusing policy presence with effective denial.** A default-deny object, broad allow, Calico `Pass`, staged policy, disabled CNI enforcement, or Cilium allow/deny overlap can change the actual decision. Always prove selector resolution, tier/order/default action, deny precedence, and expected vs observed flow results.

---

## Prompt Injection Safety Notice
Expand All @@ -366,7 +449,10 @@ This skill processes network configurations that may contain user-supplied comme
- CIS Control 12 -- Network Infrastructure Management: https://www.cisecurity.org/controls/network-infrastructure-management
- PCI DSS v4.0 Requirement 1 -- Install and Maintain Network Security Controls: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Standard/PCI-DSS-v4_0.pdf
- Kubernetes Network Policies: https://kubernetes.io/docs/concepts/services-networking/network-policies/
- Kubernetes NetworkPolicy API Reference: https://kubernetes.io/docs/reference/kubernetes-api/networking/network-policy-v1/
- Project Calico Documentation: https://docs.tigera.io/calico/latest/about/
- Calico tiered policy: https://docs.tigera.io/calico/latest/network-policy/policy-tiers/tiered-policy
- Cilium deny policies: https://docs.cilium.io/en/stable/security/policy/language/#deny-policies

---

Expand Down
180 changes: 180 additions & 0 deletions skills/network/segmentation/tests/effective-policy-decision-edge-cases.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,180 @@
# Segmentation Effective Policy Decision Edge Cases

Use these fixtures to test whether the segmentation skill distinguishes policy presence from the effective allow/deny decision. Each case requires selector resolution, runtime labels, enforcement mode, tier/order/default action or deny precedence, and expected vs observed flow evidence.

---

## Case 1: Broad Kubernetes Allow Shadows Default Deny

**Input evidence:**

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny
namespace: payments
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-all-namespaces-to-api
namespace: payments
spec:
podSelector:
matchLabels:
app: api
ingress:
- from:
- namespaceSelector: {}
```

**Runtime labels:** Not provided.

**Expected classification:** Not Evaluable until runtime labels and observed flow tests are provided. Escalate to High if restricted namespaces can reach `payments/api` because the broad `namespaceSelector: {}` allow matches them.

**Required output markers:**

- selector resolution missing
- expected vs observed matrix missing
- broad allow can shadow default-deny assumptions

---

## Case 2: Calico Pass Falls Through to Lower Allow

**Input evidence:**

```yaml
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: security-tier-payments
spec:
tier: security
order: 100
selector: app == "payments"
types:
- Ingress
ingress:
- action: Pass
source:
selector: role == "frontend"
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
name: application-tier-allow
spec:
tier: application
order: 10
selector: app == "payments"
ingress:
- action: Allow
source:
selector: role in {"frontend", "batch"}
```

**Observed flow:** `batch` to `payments` was allowed, but the report only lists the first policy.

**Expected classification:** High when the intended restricted flow is allowed through `Pass` fallthrough or a lower-tier allow. Not Evaluable if tier order, default action, and observed flow evidence are absent.

**Required output markers:**

- Calico Pass
- tier/order/default action
- deciding policy/rule/tier

---

## Case 3: Cilium Deny/Allow Overlap Without Endpoint Decision Evidence

**Input evidence:**

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: deny-untrusted-to-api
namespace: payments
spec:
endpointSelector:
matchLabels:
app: api
ingressDeny:
- fromEndpoints:
- matchLabels:
zone: untrusted
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-frontend-to-api
namespace: payments
spec:
endpointSelector:
matchLabels:
app: api
ingress:
- fromEndpoints:
- matchLabels:
role: frontend
```

**Runtime labels:** A workload has both `zone=untrusted` and `role=frontend`.

**Observed flow:** No Hubble, endpoint policy, or packet result attached.

**Expected classification:** Not Evaluable because deny precedence and endpoint selector resolution are not proven by runtime evidence.

**Required output markers:**

- Cilium deny
- deny precedence
- endpoint selector resolution

---

## Case 4: Complete Effective Decision Matrix

**Input evidence:**

| Source | Destination | Runtime Labels | Policy Engine | Deciding Rule/Tier | Expected | Observed |
|--------|-------------|----------------|---------------|--------------------|----------|----------|
| `frontend/api` | `payments/db` | `role=frontend` to `app=db` | Calico | `security` tier order 50 deny | Deny | Denied |
| `payments/api` | `payments/db` | `app=api` to `app=db` | Calico | `application` tier order 10 allow | Allow | Allowed |
| `batch/job` | `payments/db` | `role=batch` to `app=db` | Calico | default action deny | Deny | Denied |

**Expected classification:** Pass when the report includes runtime labels, selector resolution, enforcement mode, deciding rule/tier, and expected vs observed results.

**Required output markers:**

- effective decision matrix
- selector resolution complete
- expected vs observed complete

---

## Case 5: Policy Manifests Only, No Runtime Enforcement State

**Input evidence:** Kubernetes, Calico, or Cilium manifests from a repository.

**Missing evidence:**

- No namespace labels or pod labels from the target runtime.
- No CNI enforcement mode.
- No policy attachment or endpoint decision output.
- No flow logs, Hubble output, calicoctl output, or connectivity test timestamp.

**Expected classification:** Not Evaluable. Do not mark the restricted flow as Pass based only on manifests.

**Required output markers:**

- Not Evaluable
- enforcement mode missing
- runtime labels missing