Check: CNTR-K8-000290
Kubernetes STIG:
CNTR-K8-000290
(in versions v1 r11 through v1 r7)
Title
User-managed resources must be created in dedicated namespaces. (Cat I impact)
Discussion
Creating namespaces for user-managed resources is important when implementing Role-Based Access Control (RBAC). RBAC allows for the authorization of users and helps support proper API server permission separation and network micro-segmentation. If user-managed resources are placed within the default namespaces, it becomes impossible to implement policies for RBAC permissions, service account usage, network policies, and more.
Check Content
To view the available namespaces, run the command:

kubectl get namespaces

The default namespaces to be validated are default, kube-public, and kube-node-lease (if it has been created).

For the default namespace, execute the commands:

kubectl config set-context --current --namespace=default
kubectl get all

For the kube-public namespace, execute the commands:

kubectl config set-context --current --namespace=kube-public
kubectl get all

For the kube-node-lease namespace, execute the commands:

kubectl config set-context --current --namespace=kube-node-lease
kubectl get all

The only valid return values are the kubernetes service (i.e., service/kubernetes) and nothing at all. If the "kubectl get all" command returns anything other than the kubernetes service (i.e., service/kubernetes), this is a finding.
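The check above can be scripted so that every covered namespace is audited in one pass. The following is an added example, not part of the STIG text: it uses "kubectl get all -n <namespace> -o name" instead of "kubectl config set-context", so the auditor's kubeconfig is left unchanged, and it skips kube-node-lease when that namespace does not exist. The sample listings at the bottom are constructed, not taken from a real cluster; the function names are this example's own.

```shell
#!/bin/sh
# Audit the namespaces named by CNTR-K8-000290 for user-managed resources.
# Assumes the caller can read these namespaces with kubectl.
set -u

# Namespaces the check covers; kube-node-lease is audited only if present.
AUDIT_NAMESPACES="default kube-public kube-node-lease"

# findings_in <namespace> <listing>
# <listing> is the "-o name" output of "kubectl get all" for that namespace,
# one resource per line (e.g. "pod/nginx" or "service/kubernetes").
# Prints every resource other than the built-in API service.
# Returns 0 when nothing is printed (compliant), 1 when there is a finding.
findings_in() {
  ns=$1
  listing=$2
  found=0
  for res in $listing; do
    case "$res" in
      service/kubernetes) ;;   # the only permitted return value
      *) printf 'FINDING %s: %s\n' "$ns" "$res"; found=1 ;;
    esac
  done
  return $found
}

# Live check: exits non-zero if any covered namespace holds a finding.
audit_cluster() {
  rc=0
  for ns in $AUDIT_NAMESPACES; do
    # Skip namespaces that do not exist (kube-node-lease is optional).
    kubectl get namespace "$ns" >/dev/null 2>&1 || continue
    listing=$(kubectl get all -n "$ns" -o name 2>/dev/null)
    findings_in "$ns" "$listing" || rc=1
  done
  return $rc
}

# Constructed sample listings (not real cluster output) to show the logic.
SAMPLE_DEFAULT='service/kubernetes
pod/nginx-7c5ddbdf54-abcde
deployment.apps/nginx'
SAMPLE_KUBE_PUBLIC=''
```

Run audit_cluster against a live cluster; findings_in can be fed saved listings when reviewing evidence offline.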
Fix Text
Move any user-managed resources from the default, kube-public, and kube-node-lease namespaces to user namespaces.
Additional Identifiers
Rule ID: SV-242383r879533_rule
Vulnerability ID: V-242383
Group Title: SRG-APP-000038-CTR-000105
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |