Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Check for CNI Plugin Version

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that your OCI Kubernetes Engine (OKE) cluster uses a Container Network Interface (CNI) plugin that supports network policies. Using a compliant CNI plugin is vital for controlling inter-pod communication and enforcing segmentation.

Security

Kubernetes relies on the Container Network Interface (CNI) plugin to enforce network policies. If the CNI plugin in use does not natively support network policies, the ability to effectively restrict and segment cluster traffic is lost. Therefore, using the latest CNI plugin version is vital for maintaining compatibility with modern Kubernetes features, ensuring patches for critical networking vulnerabilities are applied, and guaranteeing robust enforcement of network policy rules.

Audit

To determine if the CNI plugin used by the OCI Kubernetes Engine (OKE) cluster supports network policies, perform the following operations:

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  3. Run ce cluster list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each OCI Kubernetes Engine (OKE) cluster available in the selected OCI compartment:

    oci ce cluster list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query 'data[]."id"'

  4. The command output should return the requested OKE cluster IDs:

    [
	"ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.cluster.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  5. Run ce cluster create-kubeconfig command (Windows/macOS/Linux) with the ID of the OCI Kubernetes Engine (OKE) cluster that you want to access as the identifier parameter, to generate and configure the Kubernetes configuration file (kubeconfig) that the kubectl tool needs to securely communicate with and manage the selected OKE cluster:

    oci ce cluster create-kubeconfig
	--cluster-id 'ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--file $HOME/.kube/config
	--kube-endpoint PUBLIC_ENDPOINT
	--region 'ap-sydney-1'
	--token-version 2.0.0

  6. The command output should return the path to the new Kubeconfig file:

    New config written to the Kubeconfig file /home/user/.kube/config

  7. Run the kubectl get daemonset command to list the DaemonSets within the core system namespace in order to reveal the CNI provider (e.g., calico, flannel, cilium, or OCI OKE's default CNI):

    kubectl get daemonset -n kube-system -o custom-columns=NAME:.metadata.name,IMAGE:.spec.template.spec.containers[0].image

  8. The command output should return the DaemonSets and the container images they run:

    NAME                     IMAGE
kube-dns                 k8s.gcr.io/coredns:1.6.9
kube-proxy               k8s.gcr.io/kube-proxy:v1.28.3
flannel-v2-daemonset     quay.io/coreos/flannel:v0.10.0-amd64

    Check the kubectl get daemonset command output to identify the CNI plugin details (name, version, etc.). Verify the Kubernetes Networking and Network Policy documentation to verify the CNI plugin's capabilities against the installed version on your OKE cluster and confirm compliance with ingress and egress network policy enforcement.

  9. If the DaemonSet name is generic, you can inspect its configuration for details about its network setup or CNI version. Run the kubectl describe daemonset command to describe the configuration of the specified DaemonSet. Replace \<daemonset-name\> with the name of the DaemonSet that you want to examine:

    kubectl describe daemonset <daemonset-name> -n kube-system

  10. The command output should return the DaemonSet configuration:

    Name:              flannel-daemonset

...

Containers:
	kube-flannel:
	Image:         quay.io/coreos/flannel:v0.7.1-amd64

	...

    Check the command output to identify the CNI plugin details (name, version, etc.). Verify the Kubernetes Networking and Network Policy documentation to verify the CNI plugin's capabilities against the installed version on your OKE cluster and confirm compliance with ingress and egress network policy enforcement.

Remediation / Resolution

To implement the Principle of Least Privilege (POLP), replace all uses of the wildcard (∗) in Roles and ClusterRoles with explicitly defined resources, verbs, and apiGroups. This will ensure that principals only possess the exact permissions necessary to perform their specific functions, thus preventing accidental or malicious privilege escalation.

References

Publication date Dec 11, 2025

Related OCI-OKE rules