CIS-5.7.4 - The default namespace should not be used

The default namespace should not be used

Framework

CIS

Severity

Medium

Description of the issue

Resources in a Kubernetes cluster should be segregated by namespace, so that security controls (RBAC Roles and RoleBindings, NetworkPolicies, ResourceQuotas, LimitRanges) can be applied at that level and so that resources are easier to manage. Objects that land in the default namespace typically fall outside the per-namespace controls that were written for the intended namespaces.

Related resources

CSIStorageCapacity, ConfigMap, ControllerRevision, CronJob, DaemonSet, Deployment, EndpointSlice, Endpoints, Event, HorizontalPodAutoscaler, Ingress, Job, Lease, LimitRange, NetworkPolicy, PersistentVolumeClaim, Pod, PodDisruptionBudget, PodTemplate, ReplicaSet, ReplicationController, ResourceQuota, Role, RoleBinding, Secret, Service, ServiceAccount, StatefulSet

What does this control test

Lists all namespaced resources present in the default namespace for the user to review and approve.

How to check it manually

Run this command to list the objects in the default namespace:

kubectl get $(kubectl api-resources --verbs=list --namespaced=true -o name | paste -sd, -) --ignore-not-found -n default

The only entries there should be system-managed resources such as the kubernetes Service (together with the Endpoints and EndpointSlice objects that describe it), the default ServiceAccount and the kube-root-ca.crt ConfigMap that the control plane creates in every namespace. Any workload object (Pod, Deployment, Secret, ConfigMap and so on) is a finding.

Remediation

Ensure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace.
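The check and the remediation above, as an added example that is not part of the CIS benchmark or its tooling. The script runs the benchmark's own resource discovery with -o name so that the output can be filtered, drops the objects a fresh cluster places in "default" (an allow-list that is an assumption about a stock cluster; extend it for your distribution, never for workloads), fails if anything else is present, and includes a helper that creates a dedicated namespace and points the current kubeconfig context at it. The sample output and the "payments" names are constructed for the example.

```shell
#!/bin/sh
# Added example: audit the default namespace and fail when anything other than
# the objects Kubernetes itself creates is present.
set -eu

# Objects a stock cluster places in "default". Assumption: this allow-list is
# what a fresh cluster contains. Patterns use the "kind[.group]/name" form that
# `kubectl get ... -o name` prints.
is_system_managed() {
  case "$1" in
    service/kubernetes) return 0 ;;            # the API server Service
    endpoints/kubernetes) return 0 ;;          # its legacy Endpoints object
    endpointslice*/kubernetes*) return 0 ;;    # endpointslice.discovery.k8s.io/kubernetes
    serviceaccount/default) return 0 ;;        # auto-created in every namespace
    configmap/kube-root-ca.crt) return 0 ;;    # cluster CA, published in every namespace
    event*/*) return 0 ;;                      # transient records; delete this line to review them
    *) return 1 ;;
  esac
}

# Read "kind/name" lines on stdin and print those that are not system-managed.
# Exit status 1 if any were printed, 0 if the namespace is clean.
find_unexpected() {
  found=0
  while IFS= read -r obj; do
    [ -n "$obj" ] || continue
    if ! is_system_managed "$obj"; then
      printf '%s\n' "$obj"
      found=1
    fi
  done
  return "$found"
}

# Live check: the benchmark's resource discovery, with -o name so that the
# output is one object per line and can be filtered.
audit_default_namespace() {
  kubectl get "$(kubectl api-resources --verbs=list --namespaced=true -o name | paste -sd, -)" \
    --ignore-not-found -n default -o name | find_unexpected
}

# Remediation helper: create a dedicated namespace (if missing) and point the
# current kubeconfig context at it so later kubectl calls no longer fall back
# to "default". The namespace name is chosen by the caller.
move_context_to_namespace() {
  ns="$1"
  kubectl get namespace "$ns" >/dev/null 2>&1 || kubectl create namespace "$ns"
  kubectl config set-context --current --namespace="$ns"
}

# Constructed sample of what a live run might print: the system objects plus
# two workload objects somebody created in "default".
SAMPLE_OUTPUT='service/kubernetes
endpointslice.discovery.k8s.io/kubernetes
serviceaccount/default
configmap/kube-root-ca.crt
deployment.apps/payments-api
secret/payments-db-credentials'

if [ "${1:-}" = "--live" ]; then
  # Run against the cluster the current kubeconfig context points at.
  if audit_default_namespace; then
    echo "default namespace contains only system-managed objects"
  else
    echo "FAIL: move the objects above into a dedicated namespace" >&2
    exit 1
  fi
else
  # Offline demonstration on the constructed sample: prints the two workload
  # objects and reports a failure.
  if printf '%s\n' "$SAMPLE_OUTPUT" | find_unexpected; then
    echo "default namespace contains only system-managed objects"
  else
    echo "FAIL: move the objects above into a dedicated namespace" >&2
  fi
fi
```

Without arguments the script only exercises the filter on the constructed sample; `sh audit-default.sh --live` runs the real check with kubectl and exits non-zero on a finding, which makes it usable as a CI or cron gate. After moving a workload with `move_context_to_namespace payments` (and re-applying its manifests there), rerun the audit until only the system objects remain.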

Impact Statement

None

Default Value

Unless a namespace is specified on object creation (in the manifest's metadata.namespace, with the --namespace flag, or through the namespace set on the active kubeconfig context), the default namespace is used.

Example

No example