Profile applicability: Level 1
Kubernetes provides a default namespace, where objects are placed if no namespace
is specified for them. Placing objects in this namespace makes application of RBAC
and other controls more difficult.
Resources in a Kubernetes cluster should be segregated by namespace to allow for security
controls to be applied at that level and to make it easier to manage resources.
 |
NoteUnless a namespace is specific on object creation, the
default namespace will be used. |
Audit
Option 1
Run this command to list objects in default namespace:
kubectl get $(kubectl api-resources --verbs=list --namespaced=true -o name | paste -sd, -) --ignore-not-found -n default
The only entries there should be system managed resources such as the
kubernetes service.Option 2
kubectl get pods -n default
Returning
No resources found in default namespace.Remediation
Ensure that namespaces are created to allow for appropriate segregation of Kubernetes
resources and that all new resources are created in a specific namespace.