Describe the issue
The NetworkPolicyEdgeBuilder used by CKV2_K8S_6 does not consider the namespace when connecting a NetworkPolicy to Pod resources. A NetworkPolicy with `podSelector: {}` in one namespace causes all pods in all namespaces to pass the check, even though Kubernetes NetworkPolicies are namespace-scoped.
This leads to:
- False positives (PASS) in repos that happen to have one NetworkPolicy with an empty podSelector anywhere
- False negatives (FAIL) in identical repos that lack that single NetworkPolicy
Steps to reproduce
Given two directories with identical Deployments across multiple namespaces:
Repo A — has a single NetworkPolicy in namespace namespaceA:
```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: allow-policy
  namespace: namespaceA
spec:
  podSelector: {}
  ingress: [...]
  egress: [...]
```
Repo B — has no NetworkPolicy at all.
Both repos have the same Deployment in namespace namespaceB:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: namespaceB
  namespace: namespaceB
```
Running `checkov -d . --check CKV2_K8S_6`:
- Repo A: all pods PASS (including namespaceB in namespace namespaceB)
- Repo B: all pods FAIL
Expected behavior
The namespaceB Deployment in namespace namespaceB should FAIL in both repos, because neither repo has a NetworkPolicy in the namespaceB namespace. Kubernetes NetworkPolicies are namespace-scoped — a NetworkPolicy in namespaceA does not protect pods in namespaceB.
Root cause
In [NetworkPolicyEdgeBuilder.find_connections()](https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/graph_builder/graph_components/edge_builders/NetworkPolicyEdgeBuilder.py), when `podSelector` is empty (no `matchLabels`), the code connects the NetworkPolicy to every Pod in the graph without checking whether they share the same namespace:
```python
# the network policy has a podSelector property with no labels and should apply for all pods
else:
    connections.append(potential_pod_index)
```
The fix should add a namespace comparison, e.g.:
```python
else:
    if pod.attributes.get("namespace") == network_policy.attributes.get("namespace"):
        connections.append(potential_pod_index)
```
This same namespace check should likely also be applied to the matchLabels branch above it.
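To make the effect of the missing comparison concrete, here is a small stand-alone model of the edge selection (added example, not checkov's own code): the `check_namespace` flag switches between the current behaviour and the proposed fix, applied to both the empty-`podSelector` and the `matchLabels` branch, over a constructed set of pods in `namespaceA` and `namespaceB`.

```python
from typing import Dict, List

# Constructed sample graph (not from checkov): pods and policies as plain attribute dicts
PODS = [
    {"kind": "Pod", "namespace": "namespaceA", "labels": {"app": "web"}},
    {"kind": "Pod", "namespace": "namespaceB", "labels": {"app": "web"}},
    {"kind": "Pod", "namespace": "namespaceB", "labels": {"app": "db"}},
]

POLICY_ALL = {"kind": "NetworkPolicy", "namespace": "namespaceA", "podSelector": {}}
POLICY_WEB = {"kind": "NetworkPolicy", "namespace": "namespaceA",
              "podSelector": {"matchLabels": {"app": "web"}}}


def find_connections(policy: Dict, pods: List[Dict], check_namespace: bool) -> List[int]:
    """Return indices of pods the policy gets an edge to.

    check_namespace=False reproduces the reported behaviour: an empty
    podSelector (or matching labels) connects pods from every namespace.
    check_namespace=True applies the namespace-scoped fix to both branches.
    """
    match_labels = policy.get("podSelector", {}).get("matchLabels") or {}
    connections = []
    for index, pod in enumerate(pods):
        if check_namespace and pod.get("namespace") != policy.get("namespace"):
            continue  # a NetworkPolicy never selects pods outside its own namespace
        if match_labels:
            # matchLabels branch: every selector label must be present on the pod
            if all(pod.get("labels", {}).get(k) == v for k, v in match_labels.items()):
                connections.append(index)
        else:
            # empty podSelector branch: applies to all pods (of that namespace, once fixed)
            connections.append(index)
    return connections


def unprotected_pods(policies: List[Dict], pods: List[Dict], check_namespace: bool) -> List[int]:
    """Indices of pods with no NetworkPolicy edge, i.e. the ones CKV2_K8S_6 should FAIL."""
    covered = set()
    for policy in policies:
        covered.update(find_connections(policy, pods, check_namespace))
    return [i for i in range(len(pods)) if i not in covered]


if __name__ == "__main__":
    print("current:", unprotected_pods([POLICY_ALL], PODS, check_namespace=False))  # []
    print("fixed:  ", unprotected_pods([POLICY_ALL], PODS, check_namespace=True))   # [1, 2]
```

With the current behaviour the single `namespaceA` policy leaves no pod unprotected, which is the Repo A PASS described above; with the namespace comparison the two `namespaceB` pods are reported as unprotected.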
Version
- checkov: 3.2.510
- Python: 3.14