User-managed resources must be created in dedicated namespaces.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-242383 | CNTR-K8-000290 | SV-242383r960801_rule | CCI-000366 | high |

Description

Creating namespaces for user-managed resources is important when implementing Role-Based Access Control (RBAC). RBAC allows for the authorization of users and helps support proper API server permission separation and network micro-segmentation. If user-managed resources are placed within the default namespaces, it becomes impossible to implement policies for RBAC permissions, service account usage, network policies, and more.

| STIG | Date |
|---|---|
| Kubernetes Security Technical Implementation Guide | 2025-05-16 |
Details
Check Text (C-242383r960801_chk)
To view the available namespaces, run the command:

```
kubectl get namespaces
```

The default namespaces to be validated are default, kube-public, and kube-node-lease (if it has been created).

For the default namespace, execute the commands:

```
kubectl config set-context --current --namespace=default
kubectl get all
```

For the kube-public namespace, execute the commands:

```
kubectl config set-context --current --namespace=kube-public
kubectl get all
```

For the kube-node-lease namespace, execute the commands:

```
kubectl config set-context --current --namespace=kube-node-lease
kubectl get all
```

The only acceptable results are the kubernetes service (i.e., service/kubernetes) or no resources at all.

If the "kubectl get all" command returns any resource other than the kubernetes service (i.e., service/kubernetes), this is a finding.
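The check above can be scripted so that an auditor does not have to read three listings by eye. The following POSIX shell script is an added example and not part of the STIG; it assumes `kubectl` is on the PATH and uses `kubectl get all -n <namespace> -o name` (the `-n` flag instead of `kubectl config set-context`, so the auditor's current kubeconfig context is left unchanged). The evaluation logic is separated from the live `kubectl` call so it can be exercised against constructed output.

```shell
#!/bin/sh
# Added example (not part of the STIG). Evaluates the output of
# "kubectl get all -n <namespace> -o name" against V-242383: the only
# compliant results are the kubernetes service (service/kubernetes) or
# no resources at all. Everything else is reported as a finding.

# audit_output NAMESPACE OUTPUT
# OUTPUT is the text produced by "kubectl get all -o name" for NAMESPACE,
# one resource per line such as "pod/webapp-5d8f7" or "service/kubernetes".
# Prints each non-compliant resource; returns 1 if any exist, else 0.
audit_output() {
  ns="$1"
  out="$2"
  # Drop blank lines and the one permitted entry; anything left is a finding.
  findings=$(printf '%s\n' "$out" \
    | grep -v '^[[:space:]]*$' \
    | grep -vx 'service/kubernetes' || true)
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings" | sed "s|^|FINDING (V-242383) namespace=$ns resource=|"
    return 1
  fi
  printf 'OK namespace=%s: no user-managed resources\n' "$ns"
  return 0
}

# audit_namespace NAMESPACE: live check against the current cluster.
# A namespace that does not exist (e.g. kube-node-lease on some clusters)
# yields empty output and is therefore reported as OK.
audit_namespace() {
  audit_output "$1" "$(kubectl get all -n "$1" -o name 2>/dev/null)"
}

# audit_cluster: walk the three namespaces named in the check text.
# Returns 1 if any of them holds a finding.
audit_cluster() {
  rc=0
  for ns in default kube-public kube-node-lease; do
    audit_namespace "$ns" || rc=1
  done
  return $rc
}

# Run the live check only when explicitly asked, e.g.: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
  audit_cluster
fi
```

A non-zero exit status from `audit_cluster` means at least one of the three namespaces holds a user-managed resource and the fix text below applies.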
Fix Text (F-45616r863753_fix)
Move any user-managed resources from the default, kube-public, and kube-node-lease namespaces to user namespaces.