Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-242383 | CNTR-K8-000290 | SV-242383r863959_rule | | High |
Description |
---|
Creating namespaces for user-managed resources is important when implementing Role-Based Access Controls (RBAC). RBAC allows for the authorization of users and helps support proper API server permissions separation and network micro segmentation. If user-managed resources are placed within the default namespaces, it becomes impossible to implement policies for RBAC permission, service account usage, network policies, and more. |
STIG | Date |
---|---|
Kubernetes Security Technical Implementation Guide | 2022-09-13 |
Check Text ( C-45658r863752_chk ) |
---|
To view the available namespaces, run the command: `kubectl get namespaces`. The default namespaces to be validated are default, kube-public, and kube-node-lease if it is created. For the default namespace, execute the commands: `kubectl config set-context --current --namespace=default` and `kubectl get all`. For the kube-public namespace, execute the commands: `kubectl config set-context --current --namespace=kube-public` and `kubectl get all`. For the kube-node-lease namespace, execute the commands: `kubectl config set-context --current --namespace=kube-node-lease` and `kubectl get all`. The only valid return values are the kubernetes service (i.e., service/kubernetes) and nothing at all. If a return value is returned from the "kubectl get all" command and it is not the kubernetes service (i.e., service/kubernetes), this is a finding. |
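
The check above can be scripted so that all three namespaces are evaluated in one pass. The following is an added example, not part of the STIG text: it uses `-n` and `-o name` instead of switching the current context, and the function names, the `KUBECTL` override variable and the sample listing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not STIG text. KUBECTL is a hypothetical override so the
# cluster query can be stubbed; it defaults to the real kubectl binary.
STIG_NAMESPACES="default kube-public kube-node-lease"

# Reads `kubectl get all -o name` output on stdin, prints every resource
# other than service/kubernetes, and returns 1 if anything was printed.
stig_findings() {
    awk 'NF && $0 != "service/kubernetes" { print; bad = 1 }
         END { exit bad + 0 }'
}

# Checks one namespace. -n scopes the query to that namespace without
# rewriting the current kubeconfig context as `config set-context` does.
# Returns 0 = compliant, 1 = finding, 2 = query failed (not a pass).
check_namespace() {
    listing=$("${KUBECTL:-kubectl}" get all -n "$1" -o name 2>/dev/null) || {
        echo "ERROR $1: query failed"
        return 2
    }
    if found=$(printf '%s\n' "$listing" | stig_findings); then
        echo "PASS $1"
    else
        echo "FINDING $1:"
        printf '%s\n' "$found" | sed 's/^/  /'
        return 1
    fi
}

# Runs the check over all three namespaces; returns the worst status seen.
audit_default_namespaces() {
    worst=0
    for ns in $STIG_NAMESPACES; do
        check_namespace "$ns" || {
            rc=$?
            if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
        }
    done
    return "$worst"
}

# Constructed sample: what a non-compliant default namespace would list.
sample_default() {
    printf '%s\n' 'service/kubernetes' 'pod/web-7d4b9c' 'deployment.apps/web'
}

# Offline demo on the constructed sample (prints the two offending resources).
sample_default | stig_findings || echo "sample listing: finding"
```

Call `audit_default_namespaces` against a live cluster; a non-zero exit status means a finding or a failed query. `kubectl get all` returns only a subset of resource types, so objects such as ConfigMaps and Secrets in these namespaces are outside what this check, and this script, inspects.
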
Fix Text (F-45616r863753_fix) |
---|
Move any user-managed resources from the default, kube-public, and kube-node-lease namespaces to user namespaces. |