C-0209 - Create administrative boundaries between resources using namespaces
Framework
cis-v1.23-t1.0.1, cis-aks-t1.2.0, cis-eks-t1.2.0
Severity
Medium
Description of the the issue
Limiting the scope of user permissions can reduce the impact of mistakes or malicious activities. A Kubernetes namespace allows you to partition created resources into logically named groups. Resources created in one namespace can be hidden from other namespaces. By default, each resource created by a user in Kubernetes cluster runs in a default namespace, called default
. You can create additional namespaces and attach resources and users to them. You can use Kubernetes Authorization plugins to create policies that segregate access to namespace resources between different users.
Related resources
Namespace
What does this control test
Lists all namespaces in cluster for user to review
How to check it manually
Run the below command and review the namespaces created in the cluster.
kubectl get namespaces
Ensure that these namespaces are the ones you need and are adequately administered as per your requirements.
Remediation
Follow the documentation and create namespaces for objects in your deployment as you need them.
Impact Statement
You need to switch between namespaces for administration.
Default Value
By default, Kubernetes starts with two initial namespaces: 1. default
- The default namespace for objects with no other namespace2. kube-system
- The namespace for objects created by the Kubernetes system3. kube-node-lease
- Namespace used for node heartbeats4. kube-public
- Namespace used for public information in a cluster
Example
No example
Updated 11 days ago