NetworkPolicy Coverage

BeaverDeck uses this check to flag namespaces that run Pods without any NetworkPolicy, a condition that may need operator review.

Permissions: viewing checks requires insights: view. Opening a linked object or logs requires the corresponding resource permission, and the BeaverDeck ServiceAccount must be allowed to read the Kubernetes resources used by the check. Suppressing a finding requires insights: edit and affects all users.
Check type: network-policy-coverage
Insights section: Security Insights
Alert severity: Warning

When It Reports A Finding

A selected namespace has active Pods but contains no NetworkPolicy objects.

Why This Is A Problem

Without network policy, pod traffic is usually unrestricted by Kubernetes policy, increasing lateral-movement and accidental-exposure risk.

Recommended Response

  1. Confirm that the cluster CNI enforces Kubernetes NetworkPolicy.
  2. Introduce tested default-deny ingress and egress policies, then add explicit allowances for required traffic.
  3. Roll out policies incrementally and verify DNS, monitoring, control-plane, and application dependencies.

Scope And Limitations

The check tests only whether any NetworkPolicy exists. A passing result does not prove that every pod is selected, that egress is restricted, or that the policy provides effective isolation.
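
The gap described above can be measured per pod. This Python script is an added example, not BeaverDeck code: it evaluates every pod against each policy's podSelector and reports the traffic directions that no policy restricts. The pod and policy data are constructed, assumed to come from a single namespace and shaped like `kubectl get -o json` items; the function names are hypothetical.

```python
# Constructed sample data shaped like `kubectl get ... -o json` items (not a real cluster).
PODS = [
    {"metadata": {"name": "web-1", "labels": {"app": "web", "tier": "frontend"}}},
    {"metadata": {"name": "db-1", "labels": {"app": "db", "tier": "backend"}}},
    {"metadata": {"name": "batch-1", "labels": {"app": "batch"}}},
]
POLICIES = [
    {"metadata": {"name": "web-ingress"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}},
              "ingress": [{"ports": [{"port": 80}]}]}},
    {"metadata": {"name": "backend-lockdown"},
     "spec": {"podSelector": {"matchExpressions": [
                  {"key": "tier", "operator": "In", "values": ["backend"]}]},
              "policyTypes": ["Ingress", "Egress"]}},
]

def selects(selector, labels):
    """Evaluate a LabelSelector; an empty selector matches every pod."""
    for expr in selector.get("matchExpressions") or []:
        key, values = expr["key"], expr.get("values") or []
        ok = {"In": labels.get(key) in values, "NotIn": labels.get(key) not in values,
              "Exists": key in labels, "DoesNotExist": key not in labels}[expr["operator"]]
        if not ok:
            return False
    wanted = selector.get("matchLabels") or {}
    return all(labels.get(k) == v for k, v in wanted.items())

def policy_types(spec):
    """API default when policyTypes is unset: Ingress always, Egress only with egress rules."""
    if spec.get("policyTypes"):
        return set(spec["policyTypes"])
    return {"Ingress"} | ({"Egress"} if spec.get("egress") else set())

def coverage_gaps(pods, policies):
    """Return {pod name: sorted directions that no policy restricts}."""
    gaps = {}
    for pod in pods:
        labels = pod["metadata"].get("labels") or {}
        covered = set()
        for pol in policies:
            if selects(pol["spec"].get("podSelector") or {}, labels):
                covered |= policy_types(pol["spec"])
        missing = sorted({"Ingress", "Egress"} - covered)
        if missing:
            gaps[pod["metadata"]["name"]] = missing
    return gaps

print(coverage_gaps(PODS, POLICIES))
```

The sample namespace contains two NetworkPolicy objects, so it would pass network-policy-coverage, yet one pod has unrestricted egress and another is not selected by any policy.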

After remediation: refresh Security Insights and verify the underlying resource or metric. Suppress the finding only when the condition is intentional and its risk is accepted.