User-managed resources must be created in dedicated namespaces.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-242383 | CNTR-K8-000290 | SV-242383r960801_rule | CCI-000366 | high |

Description: Creating namespaces for user-managed resources is important when implementing Role-Based Access Controls (RBAC). RBAC allows for the authorization of users and helps support proper API server permissions separation and network micro-segmentation. If user-managed resources are placed within the default namespaces, it becomes impossible to implement policies for RBAC permission, service account usage, network policies, and more.

| STIG | Date |
|---|---|
| Kubernetes Security Technical Implementation Guide | 2025-05-16 |
Related Frameworks
4 paths across 3 frameworks

NIST 800-53 (1 mapping)
- CM-6 · 1.00
  - DISA · 2 · disa_xccdf · related
  - DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-171 (2 mappings)
- 3.4.1 · 1.00
  - DISA · 2 · disa_xccdf · related
  - DISA · 2025-01-23 · disa_cci_list · equivalent
  - NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
- 3.4.2 · 1.00
  - DISA · 2 · disa_xccdf · related
  - DISA · 2025-01-23 · disa_cci_list · equivalent
  - NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI (1 mapping)
- CCI-000366 · 1.00
  - DISA · 2 · disa_xccdf · related
Details
Check Text (C-242383r960801_chk)
To view the available namespaces, run the command:
kubectl get namespaces
The default namespaces to be validated are default, kube-public, and kube-node-lease (if it has been created).
For the default namespace, execute the commands:
kubectl config set-context --current --namespace=default
kubectl get all
For the kube-public namespace, execute the commands:
kubectl config set-context --current --namespace=kube-public
kubectl get all
For the kube-node-lease namespace, execute the commands:
kubectl config set-context --current --namespace=kube-node-lease
kubectl get all
The only valid return values are the kubernetes service (i.e., service/kubernetes) and nothing at all.
If the "kubectl get all" command returns any resource other than the kubernetes service (i.e., service/kubernetes), this is a finding.
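The check above can be automated so the same rule is applied to each default namespace without a reviewer eyeballing the output. The script below is an added example, not part of the STIG or any DISA tooling: evaluate_get_all parses "kubectl get all" output and treats anything other than service/kubernetes as a finding, and check_namespace / run_live_check wrap it for a real cluster. The sample outputs embedded at the bottom are constructed for offline demonstration and do not come from a real cluster.

```shell
#!/usr/bin/env bash
# Added example for CNTR-K8-000290 (not STIG-provided code).

# evaluate_get_all: read `kubectl get all` output on stdin, print every
# resource that is not service/kubernetes as a FINDING line, and return
# 0 (compliant) or 1 (finding present).
evaluate_get_all() {
  local findings=0 line first
  while IFS= read -r line; do
    [ -z "$line" ] && continue               # blank separators between resource groups
    case "$line" in
      NAME*) continue ;;                     # per-group column header
      "No resources found"*) continue ;;     # kubectl's empty-namespace message (stderr)
    esac
    first=${line%%[[:space:]]*}              # first column is kind/name
    if [ "$first" != "service/kubernetes" ]; then
      printf 'FINDING: %s\n' "$first"
      findings=1
    fi
  done
  return $findings
}

# check_namespace: live check for one namespace (requires kubectl and cluster access).
# Uses --namespace instead of rewriting the current context, so the reviewer's
# kubeconfig is left untouched. A namespace that does not exist is skipped,
# matching the STIG's "if it is created" wording for kube-node-lease.
check_namespace() {
  local ns=$1
  if ! kubectl get namespace "$ns" >/dev/null 2>&1; then
    printf '%s: namespace not present, nothing to check\n' "$ns"
    return 0
  fi
  kubectl get all --namespace "$ns" 2>&1 | evaluate_get_all
}

# run_live_check: walk the three default namespaces named by the STIG.
run_live_check() {
  local rc=0 ns
  for ns in default kube-public kube-node-lease; do
    printf '== %s ==\n' "$ns"
    check_namespace "$ns" || rc=1
  done
  return $rc
}

# Constructed sample output (not captured from a real cluster), used offline.
SAMPLE_COMPLIANT='NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
service/kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   5d'

SAMPLE_FINDING='NAME                         READY   STATUS    RESTARTS   AGE
pod/web-7d9f8b6c4-abcde          1/1     Running   0          2h

NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
service/kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   5d
service/web          ClusterIP   10.96.12.3   <none>        80/TCP    2h'

# Run against the live cluster with: ./check.sh --live
if [ "${1:-}" = "--live" ]; then
  run_live_check
  exit $?
fi
```

Two caveats when using this beyond the letter of the check: "kubectl get all" only covers the "all" category (pods, services, deployments, replicasets, statefulsets, daemonsets, jobs, cronjobs), so user-created ConfigMaps, Secrets, ServiceAccounts, Ingresses or PVCs in a default namespace would not be reported and need a separate listing; and every namespace legitimately contains the default ServiceAccount and the kube-root-ca.crt ConfigMap, which is why such a wider listing must ignore those two.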
Fix Text (F-45616r863753_fix)
Move any user-managed resources from the default, kube-public, and kube-node-lease namespaces to user namespaces.