
Kubernetes must separate user functionality.


Overview

Finding ID: V-242417
Version: CNTR-K8-001360
Rule ID: SV-242417r879631_rule
IA Controls:
Severity: Medium
Description
Separating user functionality from management functionality is a requirement for all components within the Kubernetes Control Plane. Without that separation, users may gain access to management functions that can degrade the Kubernetes architecture and the services it offers, and the lack of separation can provide a way to bypass the testing and validation of functions before they are introduced into a production environment.
STIG: Kubernetes Security Technical Implementation Guide
Date: 2023-02-27

Details

Check Text (C-45692r863840_chk)
On the Control Plane, run the command:
kubectl get pods --all-namespaces

Review the namespaces and pods that are returned. Kubernetes system namespaces are kube-node-lease, kube-public, and kube-system.

If any user pods are present in the Kubernetes system namespaces, this is a finding.
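The check above is a manual review of `kubectl get pods --all-namespaces`. As an added example (not part of the STIG or of any Kubernetes project code), the script below automates the same review: it reads the JSON form of that command's output, restricts attention to the three system namespaces named in the check, and reports any pod that does not look like a cluster component. What counts as a "system pod" is an assumption here: a name-prefix allowlist for the usual control-plane components, plus the `kubernetes.io/config.source: file` annotation the kubelet places on static pods loaded from the node's manifest directory. Both are meant to be tuned to the add-ons a given distribution installs. The `SAMPLE_OUTPUT` is constructed data, used when `kubectl` is not on the PATH.

```python
"""Automated review for STIG V-242417: flag user pods in Kubernetes system namespaces.

Illustrative script, not part of the STIG. The prefix allowlist and the static-pod
annotation rule are assumptions; adjust them for the cluster under review.
"""
import json
import shutil
import subprocess

# Namespaces the check text names as Kubernetes system namespaces.
SYSTEM_NAMESPACES = {"kube-node-lease", "kube-public", "kube-system"}

# Assumption: pods with these name prefixes are cluster components, not user
# workloads. Extend for the add-ons your distribution installs (CNI, metrics, etc.).
KNOWN_SYSTEM_PREFIXES = (
    "kube-apiserver", "kube-controller-manager", "kube-scheduler", "etcd",
    "kube-proxy", "coredns",
)


def is_system_pod(pod):
    """Return True when a pod looks like a cluster component.

    Two signals: a known component name prefix, or the annotation the kubelet sets
    on static (mirror) pods loaded from the node's manifest directory. Static pods
    are treated as system-managed here; change that if your site uses them for
    user workloads.
    """
    meta = pod["metadata"]
    if meta["name"].startswith(KNOWN_SYSTEM_PREFIXES):
        return True
    annotations = meta.get("annotations") or {}
    return annotations.get("kubernetes.io/config.source") == "file"


def find_user_pods_in_system_namespaces(pod_list):
    """Take the output of `kubectl get pods --all-namespaces -o json` (parsed dict
    or raw JSON text) and return sorted (namespace, pod) pairs that need review."""
    if isinstance(pod_list, str):
        pod_list = json.loads(pod_list)
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod["metadata"]
        if meta["namespace"] in SYSTEM_NAMESPACES and not is_system_pod(pod):
            findings.append((meta["namespace"], meta["name"]))
    return sorted(findings)


def _pod(ns, name, annotations=None):
    """Build a minimal pod object with only the fields the check reads."""
    return {"metadata": {"namespace": ns, "name": name, "annotations": annotations or {}}}


# Constructed sample resembling `kubectl ... -o json` output; not real cluster data.
SAMPLE_OUTPUT = json.dumps({"items": [
    _pod("kube-system", "kube-apiserver-cp1", {"kubernetes.io/config.source": "file"}),
    _pod("kube-system", "coredns-5d78c9869d-abcde"),
    _pod("kube-system", "site-addon-xyz", {"kubernetes.io/config.source": "file"}),
    _pod("kube-system", "webapp-7c9f"),          # user workload in a system namespace
    _pod("kube-public", "debug-shell"),          # user workload in a system namespace
    _pod("default", "nginx-66b6c48dd5-q2r9x"),   # user namespace, out of scope
]})


def main():
    # Use the live cluster when kubectl is available, otherwise the constructed sample.
    if shutil.which("kubectl"):
        raw = subprocess.run(
            ["kubectl", "get", "pods", "--all-namespaces", "-o", "json"],
            check=True, capture_output=True, text=True,
        ).stdout
    else:
        raw = SAMPLE_OUTPUT
    findings = find_user_pods_in_system_namespaces(raw)
    if findings:
        print("FINDING (V-242417): user pods present in system namespaces:")
        for ns, name in findings:
            print(f"  {ns}/{name}")
    else:
        print("No user pods found in system namespaces.")


if __name__ == "__main__":
    main()
```

Against the constructed sample the script reports `kube-public/debug-shell` and `kube-system/webapp-7c9f`; the static `site-addon-xyz` pod and the prefixed control-plane pods are left alone. Anything the script reports is a candidate for the Fix Text below, after a human confirms it is not a cluster component the allowlist simply does not know about.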
Fix Text (F-45650r712606_fix)
Move any user pods that are present in the Kubernetes system namespaces to user specific namespaces.