C-0212 - The default namespace should not be used
Framework
cis-eks-t1.2.0, cis-v1.23-t1.0.1, cis-aks-t1.2.0
Severity
Medium
Description of the the issue
Resources in a Kubernetes cluster should be segregated by namespace, to allow for security controls to be applied at that level and to make it easier to manage resources.
Related resources
CSIStorageCapacity, ConfigMap, CronJob, DaemonSet, Deployment, EndpointSlice, Endpoints, HorizontalPodAutoscaler, Ingress, Job, Lease, PersistentVolumeClaim, Pod, PodDisruptionBudget, PodTemplate, ReplicaSet, ReplicationController, Role, RoleBinding, Secret, Service, ServiceAccount, StatefulSet
What does this control test
Lists all resources in default namespace for user to review and approve.
How to check it manually
Run this command to list objects in default namespace
kubectl get $(kubectl api-resources --verbs=list --namespaced=true -o name | paste -sd, -) --ignore-not-found -n default
The only entries there should be system managed resources such as the kubernetes
service
Remediation
Ensure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace.
Impact Statement
None
Default Value
Unless a namespace is specific on object creation, the default
namespace will be used
Example
No example
Updated about 2 months ago