Kubernetes must separate user functionality. (Cat II impact)
Separating user functionality from management functionality is a requirement for all the components within the Kubernetes Control Plane. Without the separation, users may have access to management functions that can degrade the Kubernetes architecture and the services being offered, and can offer a method to bypass testing and validation of functions before introduced into a production environment.
On the Master node, run the command: kubectl get pods --all-namespaces Review the namespaces and pods that are returned. Kubernetes system namespaces are kube-node-lease, kube-public, and kube-system. If any user pods are present in the Kubernetes system namespaces, this is a finding.
Move any user pods that are present in the Kubernetes system namespaces to user specific namespaces.
Rule ID: SV-242417r712607_rule
Vulnerability ID: V-242417
Group Title: SRG-APP-000211-CTR-000530
The information system separates user functionality (including user interface services) from information system management functionality.