Kubernetes must separate user functionality.

Overview

Finding ID: V-242417
Version: CNTR-K8-001360
Rule ID: SV-242417r961095_rule
IA Controls: CCI-001082
Severity: medium
Description
Separating user functionality from management functionality is a requirement for all the components within the Kubernetes Control Plane. Without this separation, users may have access to management functions that can degrade the Kubernetes architecture and the services being offered, and it can offer a method to bypass testing and validation of functions before they are introduced into a production environment.
STIG: Kubernetes Security Technical Implementation Guide
Date: 2025-05-16

Related Frameworks

3 paths across 3 frameworks

NIST 800-53 (1 mapping): SC-2 (1.00)
  • DISA · 2 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-171 (1 mapping): 3.13.3 (1.00)
  • DISA · 2 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI (1 mapping): CCI-001082 (1.00)
  • DISA · 2 · disa_xccdf · related

Details

Check Text (C-242417r961095_chk)

On the Control Plane, run the command:

kubectl get pods --all-namespaces

Review the namespaces and pods that are returned. The Kubernetes system namespaces are kube-node-lease, kube-public, and kube-system. If any user pods are present in the Kubernetes system namespaces, this is a finding.

Fix Text (F-45650r712606_fix)

Move any user pods that are present in the Kubernetes system namespaces to user specific namespaces.
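The check above is a manual review of the kubectl listing. The following script, added here as an illustration and not part of the STIG or of any DISA tooling, evaluates the same check automatically: it reads the tabular output of `kubectl get pods --all-namespaces`, keeps only rows in the three system namespaces the STIG names, and reports every pod whose name does not start with one of an assumed set of control-plane component prefixes (kube-apiserver-, kube-controller-manager-, kube-scheduler-, etcd-, kube-proxy-, coredns-). That prefix allowlist, the function names, and the sample pod listing are all assumptions made for the example; the allowlist must be adjusted to the components a given distribution actually runs in kube-system before the result is treated as authoritative.

```shell
#!/bin/sh
# Added example (not part of the STIG): evaluate the V-242417 check against
# the output of `kubectl get pods --all-namespaces`.

# Namespaces the STIG names as Kubernetes system namespaces.
SYSTEM_NAMESPACES="kube-node-lease kube-public kube-system"

# ASSUMPTION: pods whose names begin with one of these prefixes are treated as
# platform components rather than user workloads. The list is illustrative;
# adjust it to the components your distribution actually runs in kube-system.
SYSTEM_POD_PREFIXES="kube-apiserver- kube-controller-manager- kube-scheduler- etcd- kube-proxy- coredns-"

# Reads `kubectl get pods --all-namespaces` tabular output on stdin and prints
# NAMESPACE/POD for every pod in a system namespace whose name does not match
# a known platform prefix. Always exits 0; the caller inspects the output.
flag_user_pods() {
    awk -v ns_list="$SYSTEM_NAMESPACES" -v prefix_list="$SYSTEM_POD_PREFIXES" '
    BEGIN {
        n = split(ns_list, ns_arr, " ")
        for (i = 1; i <= n; i++) is_system_ns[ns_arr[i]] = 1
        np = split(prefix_list, prefixes, " ")
    }
    NR == 1 && $1 == "NAMESPACE" { next }   # skip the kubectl header row
    {
        ns = $1; pod = $2
        if (!(ns in is_system_ns)) next      # user namespaces are out of scope
        platform = 0
        for (i = 1; i <= np; i++) {
            if (index(pod, prefixes[i]) == 1) { platform = 1; break }
        }
        if (!platform) print ns "/" pod
    }'
}

# Returns 0 (compliant) when nothing is flagged, 1 (finding) otherwise.
check_v242417() {
    findings=$(flag_user_pods)
    if [ -n "$findings" ]; then
        printf 'FINDING V-242417: user pods in system namespaces:\n%s\n' "$findings"
        return 1
    fi
    echo "V-242417: no user pods in system namespaces"
    return 0
}

# Constructed sample listing in the shape kubectl prints (not captured from a
# real cluster). Two workload pods have been placed in system namespaces.
SAMPLE_OUTPUT='NAMESPACE     NAME                                   READY   STATUS    RESTARTS   AGE
kube-system   coredns-5d78c9869d-abcde               1/1     Running   0          3d
kube-system   etcd-control-plane                     1/1     Running   0          3d
kube-system   kube-apiserver-control-plane           1/1     Running   0          3d
kube-system   billing-worker-7f9c8d6b5-xyz12         1/1     Running   0          2h
kube-public   web-frontend-6c4f7b8d9-qwe45           1/1     Running   0          1h
default       web-frontend-6c4f7b8d9-rty67           1/1     Running   0          1h'

# Against a live cluster:  kubectl get pods --all-namespaces | check_v242417
# Stand-alone demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_OUTPUT" | check_v242417 || true
```

On the constructed sample the script reports kube-system/billing-worker-7f9c8d6b5-xyz12 and kube-public/web-frontend-6c4f7b8d9-qwe45 and returns 1; the identically named web-frontend pod in the default namespace is ignored because only the three system namespaces are in scope. Name-prefix matching is a heuristic, so anything it flags still needs the human review the check text calls for, and a pod that merely happens to carry a platform-like name is the case the allowlist can miss.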