Ensure that the default namespace is not used

Kubernetes provides a default namespace, where objects are placed if no namespace is specified for them. Placing objects in this namespace makes it harder to apply RBAC and other controls.

Risk Level: Informational
Cloud Entity: Pods
CloudGuard Rule ID: D9.K8S.IAM.31
Covered by Spectral: Yes
Category: Compute

GSL LOGIC

KubernetesPod should not have namespace='default'

REMEDIATION

Ensure that namespaces are created to allow for appropriate segregation of Kubernetes resources.
All new resources should be created in a specific namespace.

From Command Line
Run the following kubectl commands:

kubectl delete deployment DEPLOYMENT_TO_BE_DELETED
kubectl create namespace NAMESPACE_NAME
kubectl -n NAMESPACE_NAME apply -f DEPLOYMENT_FILE.yaml
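
To see which workloads the rule flags before moving them, the same check can be run over a pod listing and grouped by the controller that owns each pod. This is an added example, not CloudGuard's or the original page's code; the function names and the embedded pod list are constructed for illustration.

```python
import json
import sys
from collections import defaultdict


def _pod(namespace, name, owner=None):
    """Build a minimal Pod object (constructed sample data, not real cluster output)."""
    meta = {"namespace": namespace, "name": name}
    if owner:
        kind, owner_name = owner
        meta["ownerReferences"] = [{"kind": kind, "name": owner_name, "controller": True}]
    return {"kind": "Pod", "metadata": meta}


# Constructed sample shaped like `kubectl get pods --all-namespaces -o json`.
SAMPLE_POD_LIST = {"kind": "List", "items": [
    _pod("default", "web-7d4b9c6f5d-abcde", ("ReplicaSet", "web-7d4b9c6f5d")),
    _pod("default", "web-7d4b9c6f5d-fghij", ("ReplicaSet", "web-7d4b9c6f5d")),
    _pod("default", "debug-shell"),  # bare pod: nothing recreates it after deletion
    _pod("payments", "api-5c9f8b7d6-xyz12", ("ReplicaSet", "api-5c9f8b7d6")),
    _pod("kube-system", "coredns-6d4b75cb6d-k2x9p", ("ReplicaSet", "coredns-6d4b75cb6d")),
]}


def controller_of(pod):
    """Return (kind, name) of the controlling owner, or None for a bare pod."""
    for ref in pod["metadata"].get("ownerReferences", []):
        if ref.get("controller"):
            return ref["kind"], ref["name"]
    return None


def pods_in_default(pod_list):
    """Map each owner (or the bare pod itself) to its pods in namespace 'default'."""
    findings = defaultdict(list)
    for pod in pod_list.get("items", []):
        meta = pod["metadata"]
        # A missing namespace field is treated as 'default', matching where
        # Kubernetes places objects created without one.
        if meta.get("namespace", "default") != "default":
            continue
        findings[controller_of(pod) or ("Pod", meta["name"])].append(meta["name"])
    return dict(findings)


if __name__ == "__main__":
    data = SAMPLE_POD_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    found = pods_in_default(data)
    for (kind, name), pods in sorted(found.items()):
        print(f"{kind}/{name}: {', '.join(sorted(pods))}")
    sys.exit(1 if found else 0)  # non-zero exit lets a CI job fail on findings
```

Against a live cluster, pipe the output of `kubectl get pods --all-namespaces -o json` into the script. Entries reported as `Pod/...` have no controller, so their manifests must be at hand before they are deleted and re-applied in a dedicated namespace.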

References

  1. https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
  2. https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-organizing-with-namespaces

Pods

Pods are the smallest deployable units of computing that can be created and managed in Kubernetes. A Pod is a group of one or more containers (such as Docker containers), with shared storage/network, and a specification for how to run the containers.

Compliance Frameworks

  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.0.1
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.3.0
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.2.0
  • CIS Google Kubernetes Engine (GKE) Benchmark v1.4.0
  • CIS Kubernetes Benchmark v1.20
  • CIS Kubernetes Benchmark v1.23
  • CIS Kubernetes Benchmark v1.24
  • CIS Kubernetes Benchmark v1.5.1
  • CIS Kubernetes Benchmark v1.6.1
  • CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.1.0
  • CIS Microsoft Kubernetes Engine (AKS) Benchmark v1.3.0
  • CIS OpenShift Container Platform v4 Benchmark v1.1.0
  • CIS OpenShift Container Platform v4 Benchmark v1.4.0
  • Kubernetes NIST.SP.800-190
  • Kubernetes v.1.13 CloudGuard Best Practices
  • Kubernetes v.1.14 CloudGuard Best Practices