Ensure that the default namespace is not used

Kubernetes provides a default namespace, where objects are placed if no namespace is specified for them. Placing objects in this namespace makes application of RBAC and other controls more difficult.

Suggest Edits

Risk Level: Informational
Cloud Entity: Pods
CloudGuard Rule ID: D9.K8S.IAM.31
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

KubernetesPod should not have namespace='default'

REMEDIATION

Ensure that namespaces are created to allow for appropriate segregation of Kubernetes resources.
All new resources should be created in a specific namespace.

From Command Line
Run following kubectl commands:

kubectl delete deployment DEPLOYMENT_TO_BE_DELETED
kubectl create namespace NAMESPACE_NAME
kubectl -n NAMESPACE_NAME apply -f DEPLOYMENT_FILE.yaml

References

Pods

Pods are the smallest deployable units of computing that can be created and managed in Kubernetes.A Pod is a group of one or more containers (such as Docker containers), with shared storage/network, and a specification for how to run the containers.

Compliance Frameworks

CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1
CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0
CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.3.0
CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0
CIS Google Kubernetes Engine (GKE) Benchmark v1.4.0
CIS Kubernetes Benchmark v1.20
CIS Kubernetes Benchmark v1.23
CIS Kubernetes Benchmark v1.24
CIS Kubernetes Benchmark v1.5.1
CIS Kubernetes Benchmark v1.6.1
CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.1.0
CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.3.0
CIS OpenShift Container Platform v4 Benchmark v1.1.0
CIS OpenShift Container Platform v4 Benchmark v1.4.0
Kubernetes NIST.SP.800-190
Kubernetes v.1.13 CloudGuard Best Practices
Kubernetes v.1.14 CloudGuard Best Practices

Updated about 1 year ago