
Prisma Cloud Compute must run within a defined/separate namespace (e.g., Twistlock).


Overview

Finding ID: V-253547
Version: CNTR-PC-001380
Rule ID: SV-253547r840479_rule
IA Controls:
Severity: Medium
Description
Namespaces are a key boundary for network policies, orchestrator access control restrictions, and other important security controls. Prisma Cloud Compute containers running within a separate and exclusive namespace will inherit the namespace's security features. Separating workloads into namespaces can help contain attacks and limit the impact of mistakes or destructive actions by authorized users.
STIG: Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide
Date: 2022-08-24

Details

Check Text (C-56999r840477_chk)
Inspect the Kubernetes namespace in which Prisma Cloud Compute is deployed:

$ kubectl get pods -n twistlock
NAME READY STATUS RESTARTS AGE
twistlock-console-855744b66b-xs9cm 1/1 Running 0 4d6h
twistlock-defender-ds-99zj7 1/1 Running 0 58d
twistlock-defender-ds-drsh8 1/1 Running 0 58d

Inspect the list of pods.

If any pod whose name does not start with "twistlock" (that is, a pod that is not part of Prisma Cloud Compute) is running in the same namespace, this is a finding.
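The check above can be scripted so it runs the same way on every cluster. The following POSIX sh script is an added example, not part of the STIG or of Prisma Cloud Compute; it reads `kubectl get pods -n twistlock` output (or a captured copy of it), flags every pod whose name lacks the "twistlock" prefix, and returns a non-zero status when there is a finding. The namespace and prefix defaults, the environment variable names and the sample listing are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the STIG): automate check C-56999r840477_chk.
# Flags pods in the Prisma Cloud Compute namespace whose names do not
# start with the expected prefix. Exit status 0 = compliant, 1 = finding.

NAMESPACE="${NAMESPACE:-twistlock}"   # assumed default namespace (from the STIG text)
PREFIX="${PREFIX:-twistlock}"         # assumed expected pod-name prefix

# Evaluate one block of `kubectl get pods` output read from stdin.
# Prints one FINDING line per unexpected pod; returns 1 if any were seen.
check_pod_listing() {
    findings=0
    while IFS= read -r line; do
        case "$line" in
            "NAME "*|"") continue ;;          # skip column header and blank lines
        esac
        pod="${line%% *}"                      # first column is the pod name
        case "$pod" in
            "$PREFIX"*) ;;                     # expected Prisma Cloud Compute pod
            *)
                echo "FINDING: pod '$pod' in namespace '$NAMESPACE' is not a $PREFIX pod"
                findings=$((findings + 1))
                ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample listing: the STIG's three pods plus one foreign pod,
# so that running the script stand-alone demonstrates a finding.
SAMPLE_LISTING='NAME READY STATUS RESTARTS AGE
twistlock-console-855744b66b-xs9cm 1/1 Running 0 4d6h
twistlock-defender-ds-99zj7 1/1 Running 0 58d
twistlock-defender-ds-drsh8 1/1 Running 0 58d
nginx-deployment-7fb96c846b-abcde 1/1 Running 0 2d'

if [ "${1:-}" = "--live" ]; then
    # Against a real cluster: same command the STIG check uses.
    kubectl get pods -n "$NAMESPACE" | check_pod_listing
else
    printf '%s\n' "$SAMPLE_LISTING" | check_pod_listing
fi
```

Run with `--live` against the cluster under review; without it the script evaluates the embedded sample and exits 1 because of the nginx pod.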
Fix Text (F-56950r840478_fix)
Deploy the Prisma Cloud Compute Console and Defender containers within a distinct namespace.