UCF STIG Viewer Logo

User-managed resources must be created in dedicated namespaces.


Overview

Finding ID Version Rule ID IA Controls Severity
V-242383 CNTR-K8-000290 SV-242383r712505_rule High
Description
Creating namespaces for user-managed resources is important when implementing Role-Based Access Controls (RBAC). RBAC allows for the authorization of users and helps support proper API server permissions separation and network micro segmentation. If user-managed resources are placed within the default namespaces, it becomes impossible to implement policies for RBAC permission, service account usage, network policies, and more.
STIG Date
Kubernetes Security Technical Implementation Guide 2021-04-14

Details

Check Text ( C-45658r712503_chk )
To view the available namespaces, run the command:

kubectl get namespaces

The default namespaces to be validated are default, kube-public and kube-node-lease if it is created.

For the default namespace, execute the commands:

kubectl config set-context --current --namespace=default
kubectl get all

For the kube-public namespace, execute the commands:

kubectl config set-context --current --namespace=kube-public
kubectl get all

For the kube-node-lease namespace, execute the commands:

kubectl config set-context --current --namespace=kube-node-lease
kubectl get all

The only valid return values are the kubernetes service (i.e., service/kubernetes) and nothing at all.

If a return value is returned from the "kubectl get all" command and it is not the kubernetes service (i.e., service/kubernetes), this is a finding.
Fix Text (F-45616r712504_fix)
Move any user-managed resources from the default, kube-public and kube-node-lease namespaces, to user namespaces.