Check: CNTR-K8-001360
Kubernetes STIG: CNTR-K8-001360 (in versions v1 r11 through v1 r7)
Title
Kubernetes must separate user functionality. (Cat II impact)
Discussion
Separating user functionality from management functionality is a requirement for all the components within the Kubernetes Control Plane. Without this separation, users may have access to management functions that can degrade the Kubernetes architecture and the services being offered, and it can provide a way to bypass testing and validation of functions before they are introduced into a production environment.
Check Content
On the Control Plane, run the command:

kubectl get pods --all-namespaces

Review the namespaces and pods that are returned. The Kubernetes system namespaces are kube-node-lease, kube-public, and kube-system.

If any user pods are present in the Kubernetes system namespaces, this is a finding.
Fix Text
Move any user pods that are present in the Kubernetes system namespaces to user specific namespaces.
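The check above is manual: the reviewer lists all pods and looks for workloads that do not belong in the system namespaces. The following POSIX shell script is an added example (not part of the STIG or of Kubernetes) that automates the first pass of that review. It reads a pod listing in the shape of `kubectl get pods --all-namespaces --no-headers`, keeps only pods in the three system namespaces, and reports any whose name does not start with one of an assumed allowlist of well-known control-plane and add-on component prefixes. The allowlist and the embedded sample listing are constructed for illustration; a real cluster's allowlist must be adapted to the add-ons actually deployed, and any pod the script reports still needs a human decision before it is treated as a finding.

```shell
#!/bin/sh
# Added example, not STIG or Kubernetes code: first-pass review for CNTR-K8-001360.
# Lists pods in Kubernetes system namespaces that are not recognised components.

# The three system namespaces named in the check.
SYSTEM_NAMESPACES="kube-node-lease kube-public kube-system"

# ASSUMPTION: name prefixes of components expected in system namespaces.
# Adapt to the cluster (CNI, metrics, ingress controllers, ...).
KNOWN_PREFIXES="kube-apiserver kube-controller-manager kube-scheduler etcd kube-proxy coredns"

# Constructed sample in the shape of `kubectl get pods --all-namespaces --no-headers`
# (columns: NAMESPACE NAME READY STATUS RESTARTS AGE). Two pods are user workloads
# that were deployed into system namespaces.
SAMPLE_PODS='kube-system   kube-apiserver-cp1          1/1   Running   0   3d
kube-system   coredns-5d78c9869d-abcde    1/1   Running   0   3d
kube-system   payroll-web-7c9f8           1/1   Running   0   1d
kube-public   debug-shell-1               1/1   Running   0   2h
default       nginx-deploy-xyz            1/1   Running   0   1h'

# in_list WORD LIST: succeed if WORD is one of the whitespace-separated LIST items.
in_list() {
  for w in $2; do
    [ "$w" = "$1" ] && return 0
  done
  return 1
}

# is_known_component POD_NAME: succeed if the pod name starts with an allowlisted prefix.
is_known_component() {
  for p in $KNOWN_PREFIXES; do
    case "$1" in
      "$p"*) return 0 ;;
    esac
  done
  return 1
}

# find_user_pods_in_system_ns: reads a pod listing on stdin and prints
# "<namespace> <pod>" for every pod in a system namespace that is not a
# recognised component. Pods outside system namespaces are ignored.
find_user_pods_in_system_ns() {
  while read -r ns pod _rest; do
    [ -z "$ns" ] && continue
    in_list "$ns" "$SYSTEM_NAMESPACES" || continue
    is_known_component "$pod" && continue
    printf '%s %s\n' "$ns" "$pod"
  done
}

# check_sample: run the review over the constructed listing (offline demonstration).
check_sample() {
  printf '%s\n' "$SAMPLE_PODS" | find_user_pods_in_system_ns
}

# Live use on a Control Plane node (requires kubectl access; not run here):
#   kubectl get pods --all-namespaces --no-headers | find_user_pods_in_system_ns
# Any reported pod is a candidate finding; the fix is to redeploy that workload
# into a user-specific namespace (e.g. created with `kubectl create namespace`)
# and delete it from the system namespace.

check_sample
```

Running the script as written prints the two constructed user workloads (`kube-system payroll-web-7c9f8` and `kube-public debug-shell-1`) and nothing for the `default` namespace pod, which is out of scope for this check. The prefix allowlist is deliberately narrow; a stricter alternative is to compare against the exact pod names or owning controllers recorded in the cluster's build documentation, so that an unexpected pod with a plausible-looking name is still surfaced.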
Additional Identifiers
Rule ID: SV-242417r879631_rule
Vulnerability ID: V-242417
Group Title: SRG-APP-000211-CTR-000530
Expert Comments
CCIs
Number | Definition
---|---
CCI-001082 | The information system separates user functionality (including user interface services) from information system management functionality.
Controls
Number | Title
---|---
SC-2 | Application Partitioning