UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The container platform runtime must maintain separate execution domains for each container by assigning each container a separate address space.


Overview

Finding ID Version Rule ID IA Controls Severity
V-233221 SRG-APP-000431-CTR-001065 SV-233221r879802_rule Medium
Description
Container namespace access is limited upon runtime execution. Each container is a distinct process so that communication between containers is performed in a manner controlled through security policies that limits the communication so one container cannot modify another container. Different groups of containers with different security needs should be deployed in separate namespaces as a first level of isolation. Namespaces are a key boundary for network policies, orchestrator access control restrictions, and other important security controls. Separating workloads into namespaces can help contain attacks and limit the impact of mistakes or destructive actions by authorized users.
STIG Date
Container Platform Security Requirements Guide 2023-06-05

Details

Check Text ( C-36157r601813_chk )
Review container platform runtime documentation and configuration is maintaining a separate execution domain for each executing process. Different groups of applications, and services with different security needs, should be deployed in separate namespaces as a first level of isolation.

If container platform runtime is not configured to execute processes in separate domains and namespaces, this is a finding.

If namespaces use defaults, this is a finding.
Fix Text (F-36125r601151_fix)
Deploy a container platform runtime capable of maintaining a separate execution domain and namespace for each executing process. Create a namespace for each containers, defining them as logical groups.