Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-253547 | CNTR-PC-001380 | SV-253547r840479_rule | | Medium |
Description |
---|
Namespaces are a key boundary for network policies, orchestrator access control restrictions, and other important security controls. Prisma Cloud Compute containers running within a separate and exclusive namespace will inherit the namespace's security features. Separating workloads into namespaces can help contain attacks and limit the impact of mistakes or destructive actions by authorized users. |
STIG | Date |
---|---|
Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide | 2022-08-24 |
Check Text ( C-56999r840477_chk ) |
---|
Inspect the Kubernetes namespace in which Prisma Cloud Compute is deployed: |

```
$ kubectl get pods -n twistlock
NAME                                 READY   STATUS    RESTARTS   AGE
twistlock-console-855744b66b-xs9cm   1/1     Running   0          4d6h
twistlock-defender-ds-99zj7          1/1     Running   0          58d
twistlock-defender-ds-drsh8          1/1     Running   0          58d
```

Inspect the list of pods. If a non-Prisma Cloud Compute pod (one whose name does not start with "twistlock") is running in the same namespace, this is a finding.
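An added example, not part of the STIG: a POSIX shell function that applies this check to the output of `kubectl get pods -n twistlock`, run here against a listing matching the one above and a constructed listing containing a foreign pod (the `nginx-deployment-...` name is made up). The commented live call assumes kubectl access to the namespace.

```shell
#!/bin/sh
# CNTR-PC-001380: only Prisma Cloud Compute (twistlock-*) pods may run in the
# namespace. check_namespace_pods takes the raw output of
#   kubectl get pods -n twistlock
# as its argument, prints each unexpected pod and returns 1 (finding) or 0 (pass).
check_namespace_pods() {
    printf '%s\n' "$1" | awk '
        NR == 1 && $1 == "NAME" { next }   # skip the kubectl header row
        NF == 0 { next }                   # skip blank lines
        $1 !~ /^twistlock-/ {
            print "FINDING: unexpected pod in namespace: " $1
            bad = 1
        }
        END { exit bad }'                  # exit status 1 if any finding
}

# Listing matching the STIG check text (all pods pass).
compliant_listing='NAME                                 READY   STATUS    RESTARTS   AGE
twistlock-console-855744b66b-xs9cm   1/1     Running   0          4d6h
twistlock-defender-ds-99zj7          1/1     Running   0          58d
twistlock-defender-ds-drsh8          1/1     Running   0          58d'

# Constructed listing with a foreign pod sharing the namespace (a finding).
noncompliant_listing='NAME                                 READY   STATUS    RESTARTS   AGE
twistlock-console-855744b66b-xs9cm   1/1     Running   0          4d6h
nginx-deployment-7c79c4bf97-abcde    1/1     Running   0          2d
twistlock-defender-ds-99zj7          1/1     Running   0          58d'

check_namespace_pods "$compliant_listing"    && echo "compliant listing: pass"
check_namespace_pods "$noncompliant_listing" || echo "non-compliant listing: finding"

# Live check on a cluster (assumes kubectl access to the twistlock namespace):
# check_namespace_pods "$(kubectl get pods -n twistlock)"
```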
Fix Text (F-56950r840478_fix) |
---|
Deploy the Prisma Cloud Compute Console and Defender containers within a distinct namespace. |