5.7.1 Create administrative boundaries between resources using namespaces

Information

Use namespaces to isolate your Kubernetes objects.

Rationale:

Limiting the scope of user permissions can reduce the impact of mistakes or malicious activities. A Kubernetes namespace allows you to partition created resources into logically named groups. Resources created in one namespace can be hidden from other namespaces. By default, each resource created by a user in Kubernetes cluster runs in a default namespace, called default. You can create additional namespaces and attach resources and users to them. You can use Kubernetes Authorization plugins to create policies that segregate access to namespace resources between different users.

Impact:

You need to switch between namespaces for administration.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Follow the documentation and create namespaces for objects in your deployment as you need them.

Default Value:

By default, Kubernetes starts with two initial namespaces:

default - The default namespace for objects with no other namespace

kube-system - The namespace for objects created by the Kubernetes system

kube-node-lease - Namespace used for node heartbeats

kube-public - Namespace used for public information in a cluster

See Also

https://workbench.cisecurity.org/files/3891

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7, CSCv7|12

Plugin: Unix

Control ID: ca75d601281af6632743ebcca4c823d6199c40dedb60e9071f9fa8e7c23c8e9d