
User-managed resources must be created in dedicated namespaces.

An XCCDF Rule

Description

Dedicated namespaces act as a security boundary that limits the blast radius of an incident or misconfiguration: a compromised workload, an over-broad RoleBinding or a mistaken `kubectl apply` in one namespace is contained there and does not reach the resources in other namespaces. Namespaces are also the fundamental unit of Kubernetes Role-Based Access Control (RBAC). A Role and its RoleBinding are scoped to a single namespace, so a team can be granted permissions over its own namespace without being granted them cluster-wide, and other namespace-scoped controls such as NetworkPolicy, ResourceQuota and LimitRange attach at the same level. Using dedicated namespaces for user-managed resources therefore gives each user or team an isolated environment in which to deploy applications and services without interfering with, or being exposed to, the resources of others; it also prevents unintentional name conflicts and makes deployments more predictable. The default, kube-public and kube-node-lease namespaces are not intended for user workloads: default is where objects land when no namespace is specified, kube-public is meant to be readable cluster-wide (its cluster-info ConfigMap is readable even by unauthenticated clients), and kube-node-lease holds the node heartbeat Leases. Note that a namespace isolates API objects and RBAC scope only; it does not by itself isolate pod network traffic or the nodes workloads run on, which require NetworkPolicy and scheduling controls respectively.

ID
SV-260905r966072_rule
Version
CNTR-MK-000580
Severity
Medium
References
Updated

Remediation Templates

A Manual Procedure

Log in to the MKE web UI and navigate to Kubernetes >> Namespaces.

In the top right corner, enable "Set context for all namespaces".

Move any user-managed resources out of the default, kube-public and kube-node-lease namespaces into user namespaces. A Kubernetes object's namespace cannot be changed in place, so moving an object means re-creating it in the target namespace and then deleting it from the shared namespace. For PersistentVolumeClaims the bound data does not follow the re-created claim, and a Service re-created elsewhere gets a new cluster DNS name (name.namespace.svc), so update clients accordingly.
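The web UI procedure above is manual; the same check can be scripted against the cluster API. The following shell script is an added example and is not part of the STIG or of MKE: it lists the namespaced objects in the three shared namespaces named by this rule, drops the objects that Kubernetes itself creates there, and reports whatever remains as user-managed. The function names, the system-object allow list and the constructed sample listing are this example's own; it assumes kubectl is on PATH with the current context pointing at the MKE cluster (for example via a loaded client bundle) when run with --audit.

```bash
#!/usr/bin/env bash
# Added example (not from the STIG or MKE): audit the shared namespaces named by
# CNTR-MK-000580 for user-managed resources using kubectl.
# Assumption: kubectl is on PATH and the current context is the MKE cluster.
# Function names and the allow list below are this example's own.

SHARED_NAMESPACES="default kube-public kube-node-lease"

# Namespaced kinds to inspect. "kubectl get -o name" prints core kinds as
# "kind/name" and kinds from other API groups as "kind.group/name".
KINDS="pods,services,endpoints,endpointslices,deployments,statefulsets,daemonsets,replicasets,jobs,cronjobs,configmaps,secrets,serviceaccounts,ingresses,networkpolicies,persistentvolumeclaims,roles,rolebindings,leases"

# Objects Kubernetes creates in these namespaces on its own; they are not
# user-managed and are excluded from findings. Assumption: this is the stock
# set on a plain cluster; extend it for objects your distribution adds.
is_system_object() {
    # $1 = namespace, $2 = "kind[.group]/name" as printed by kubectl -o name
    case "$1/$2" in
        default/service/kubernetes) return 0 ;;                  # API server Service
        default/endpoints/kubernetes) return 0 ;;
        default/endpointslice.discovery.k8s.io/kubernetes) return 0 ;;
        */serviceaccount/default) return 0 ;;                    # default SA in every namespace
        */configmap/kube-root-ca.crt) return 0 ;;                # injected cluster CA bundle
        kube-public/configmap/cluster-info) return 0 ;;
        kube-node-lease/lease.coordination.k8s.io/*) return 0 ;; # node heartbeats
        *) return 1 ;;
    esac
}

# Read "namespace kind/name" lines on stdin; print only the user-managed ones.
filter_user_managed() {
    while read -r ns obj; do
        [ -z "$ns" ] && continue
        if ! is_system_object "$ns" "$obj"; then
            printf '%s %s\n' "$ns" "$obj"
        fi
    done
    return 0
}

# Live listing from the cluster: one "namespace kind/name" line per object.
list_shared_namespace_objects() {
    for ns in $SHARED_NAMESPACES; do
        kubectl get "$KINDS" -n "$ns" -o name | sed "s|^|$ns |"
    done
}

# Run the audit: return 0 when the shared namespaces are clean, 1 with findings.
audit_shared_namespaces() {
    findings=$(list_shared_namespace_objects | filter_user_managed)
    if [ -n "$findings" ]; then
        echo "Finding: user-managed resources in shared namespaces:" >&2
        printf '%s\n' "$findings" >&2
        return 1
    fi
    echo "No user-managed resources found in: $SHARED_NAMESPACES"
}

# Constructed sample listing (not captured from a real cluster) in the format
# list_shared_namespace_objects produces, so the filter can be exercised offline.
SAMPLE_LISTING='default service/kubernetes
default serviceaccount/default
default configmap/kube-root-ca.crt
default deployment.apps/payments-api
kube-public configmap/cluster-info
kube-public pod/debug-shell
kube-node-lease lease.coordination.k8s.io/node-01'

# Talk to the cluster only when invoked with --audit; otherwise run the filter
# over the constructed sample so the script is runnable without a cluster.
if [ "${1:-}" = "--audit" ]; then
    audit_shared_namespaces
else
    printf '%s\n' "$SAMPLE_LISTING" | filter_user_managed
fi
```

Run it with --audit from a shell that has the MKE client bundle loaded; a non-zero exit with the offending objects on stderr is the finding to remediate. Expect false positives on clusters where the distribution or add-ons place their own objects in these namespaces; add those to the allow list rather than excluding whole kinds, so that a user Deployment or Secret dropped into default is still caught.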