An error occurred:

Check: CNTR-MK-000580

Mirantis Kubernetes Engine STIG: CNTR-MK-000580 (in version v1 r1)

Title

User-managed resources must be created in dedicated namespaces. (Cat II impact)

Discussion

Dedicated namespaces act as security boundaries, limiting the blast radius in case of security incidents or misconfigurations. If an issue arises within a specific namespace, it is contained within that namespace and does not affect the resources in other namespaces. Kubernetes provides Role-Based Access Control (RBAC) mechanisms, and namespaces are a fundamental unit for access control. Using dedicated namespaces for user-managed resources provides a level of isolation. Each namespace acts as a separate environment, allowing users or teams to deploy their applications and services without interfering with the resources in other namespaces. This isolation helps prevent unintentional conflicts and ensures a more predictable deployment environment.

Check Content

This check only applies when using Kubernetes orchestration. Log in to the MKE web UI and navigate to Kubernetes >> Namespaces. The default namespaces are: "default", "kube-public", and "kube-node-lease". 1. In the top right corner, if "Set context for all namespaces" is not enabled, this is a finding. 2. Navigate to Kubernetes >> Services. Confirm that no service except "kubernetes" has the "default" namespace listed. Confirm that only approved system services have the "kube-system" namespace listed. If "default" has a service other than the "kubernetes" services, this is a finding. If "kube-system" has a service that is not listed in the System Security Plan (SSP), this is a finding.

Fix Text

Log in to the MKE web UI and navigate to Kubernetes >> Namespaces. In the top right corner, enable "Set context for all namespaces". Move any user-managed resources from the default, kube-public and kube-node-lease namespaces, to user namespaces. - Navigate to Kubernetes >> Services. - Select the user-managed service. - Click on the settings wheel in the top right corner to view the .yaml for that service. - Change the "namespace" to a user namespace. - Click "Save".

Additional Identifiers

Rule ID: SV-260905r966072_rule

Vulnerability ID: V-260905

Group Title: SRG-APP-000141-CTR-000315

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000381

The organization configures the information system to provide only essential capabilities.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-7

Least Functionality