User-managed resources must be created in dedicated namespaces.

An XCCDF Rule

Description

<VulnDiscussion>Dedicated namespaces act as security boundaries, limiting the blast radius in case of security incidents or misconfigurations. If an issue arises within a specific namespace, it is contained within that namespace and does not affect the resources in other namespaces. Kubernetes provides Role-Based Access Control (RBAC) mechanisms, and namespaces are a fundamental unit for access control. Using dedicated namespaces for user-managed resources provides a level of isolation. Each namespace acts as a separate environment, allowing users or teams to deploy their applications and services without interfering with the resources in other namespaces. This isolation helps prevent unintentional conflicts and ensures a more predictable deployment environment.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-260905r966072_rule
Severity: Medium
References: CCI-000381
Updated: 19 days ago

Log in to the MKE web UI and navigate to Kubernetes >> Namespaces.

In the top right corner, enable "Set context for all namespaces".

Move any user-managed resources from the default, kube-public and kube-node-lease namespaces, to user namespaces.
- Navigate to Kubernetes >> Services.
- Select the user-managed service.
- Click on the settings wheel in the top right corner to view the .yaml for that service.
- Change the "namespace" to a user namespace.
- Click "Save".

User-managed resources must be created in dedicated namespaces.

Description

Remediation - Manual Procedure