Prisma Cloud Compute must run within a defined/separate namespace (e.g., Twistlock).
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-253547 | CNTR-PC-001380 | SV-253547r961608_rule | CCI-002530 | medium |

Description

Namespaces are a key boundary for network policies, orchestrator access control restrictions, and other important security controls. Prisma Cloud Compute containers running within a separate and exclusive namespace will inherit the namespace's security features. Separating workloads into namespaces can help contain attacks and limit the impact of mistakes or destructive actions by authorized users.

| STIG | Date |
|---|---|
| Palo Alto Networks Prisma Cloud Compute Security Technical Implementation Guide | 2024-12-06 |
Details
Check Text (C-253547r961608_chk)
Inspect the Kubernetes namespace in which Prisma Cloud Compute is deployed:

```
$ kubectl get pods -n twistlock
NAME                                 READY   STATUS    RESTARTS   AGE
twistlock-console-855744b66b-xs9cm   1/1     Running   0          4d6h
twistlock-defender-ds-99zj7          1/1     Running   0          58d
twistlock-defender-ds-drsh8          1/1     Running   0          58d
```
Inspect the list of pods.
If any pod whose name does not start with "twistlock" (that is, a non-Prisma Cloud Compute pod) is running in the same namespace, this is a finding.
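An automated form of this check, added here as an example rather than DISA's or Prisma Cloud Compute's own tooling; it applies the pod-name prefix rule from the check text to `kubectl get pods` output and assumes a kubectl context already pointed at the target cluster (the sample listing is constructed):

```shell
#!/bin/sh
# Example audit for CNTR-PC-001380 (added example, not from the STIG).
# check_namespace_pods reads `kubectl get pods -n <ns>` output on stdin,
# skips the header line, prints every pod name that does not start with
# "twistlock", and exits 1 when at least one such pod exists (a finding).
check_namespace_pods() {
    awk '$1 == "NAME" { next }                      # tolerate the header row
         NF > 0 && $1 !~ /^twistlock/ { print $1; found = 1 }
         END { exit found ? 1 : 0 }'
}

# Live wrapper (assumes kubectl is installed and configured); defaults to
# the namespace named in the STIG but accepts another as $1.
audit_prisma_namespace() {
    ns="${1:-twistlock}"
    kubectl get pods -n "$ns" --no-headers | check_namespace_pods
}

# Constructed sample listings so the example runs offline.
SAMPLE_COMPLIANT='twistlock-console-855744b66b-xs9cm 1/1 Running 0 4d6h
twistlock-defender-ds-99zj7 1/1 Running 0 58d'

SAMPLE_FINDING="NAME READY STATUS RESTARTS AGE
$SAMPLE_COMPLIANT
nginx-deploy-7c8f9d-abcde 1/1 Running 0 2d"

# Demo: the second listing contains a non-Prisma pod, so this reports a finding.
printf '%s\n' "$SAMPLE_FINDING" | check_namespace_pods \
    || echo "finding: non-Prisma Cloud Compute pod(s) present in namespace"
```

Run `audit_prisma_namespace` against a live cluster to get the same exit-status contract; a non-zero status means the namespace is shared and the control fails.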
Fix Text (F-56950r840478_fix)
Deploy the Prisma Cloud Compute Console and Defender containers within a distinct namespace.