Ensure that the default namespace is not used
Kubernetes provides a default namespace, where objects are placed if no namespace is specified for them. Placing objects in this namespace makes application of RBAC and other controls more difficult.
Risk Level: Informational
Cloud Entity: Pods
CloudGuard Rule ID: D9.K8S.IAM.31
Covered by Spectral: Yes
Category: Compute
GSL LOGIC
KubernetesPod should not have namespace='default'
REMEDIATION
Ensure that namespaces are created to allow for appropriate segregation of Kubernetes resources.
All new resources should be created in a specific namespace.
From Command Line
Run following kubectl commands:
kubectl delete deployment DEPLOYMENT_TO_BE_DELETED
kubectl create namespace NAMESPACE_NAME
kubectl -n NAMESPACE_NAME apply -f DEPLOYMENT_FILE.yaml
References
- https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
- https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-organizing-with-namespaces
Pods
Pods are the smallest deployable units of computing that can be created and managed in Kubernetes.A Pod is a group of one or more containers (such as Docker containers), with shared storage/network, and a specification for how to run the containers.
Compliance Frameworks
- CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1
- CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0
- CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.3.0
- CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0
- CIS Google Kubernetes Engine (GKE) Benchmark v1.4.0
- CIS Kubernetes Benchmark v1.20
- CIS Kubernetes Benchmark v1.23
- CIS Kubernetes Benchmark v1.24
- CIS Kubernetes Benchmark v1.5.1
- CIS Kubernetes Benchmark v1.6.1
- CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.1.0
- CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.3.0
- CIS OpenShift Container Platform v4 Benchmark v1.1.0
- CIS OpenShift Container Platform v4 Benchmark v1.4.0
- Kubernetes NIST.SP.800-190
- Kubernetes v.1.13 CloudGuard Best Practices
- Kubernetes v.1.14 CloudGuard Best Practices
Updated over 1 year ago