Profile applicability: Level 1
User Pods should not be placed in kube-system or kube-public, as these are reserved
for cluster services.
Deploy user pods into a designated namespace other than kube-system.
Audit
Run the following command and review the namespaces of user resources for each resource
type:
kubectl get pods -n kube-system
Repeat for deployments, services, replicasets, statefulsets, daemonsets, jobs and
cronjobs. Ensure no user resources use the kube-system namespace.
Remediation
Create user namespaces and recreate user resources within those namespaces. Pods and
services in different namespaces can still communicate with each other unless additional
separation is enforced.
The following example shows how, for each team or group of users, a Kubernetes
namespace can be created using either a kubectl command or a YAML file. Any name with
the prefix kube- should be avoided as it may conflict with Kubernetes system reserved
namespaces.
Create a namespace with a kubectl command:
kubectl create namespace <insert-namespace-name-here>
Create namespace using YAML file:
- Create a new file called my-namespace.yaml with the contents:
apiVersion: v1
kind: Namespace
metadata:
  name: <insert-namespace-name-here>
- Apply the namespace using:
kubectl create -f ./my-namespace.yaml
- To create new Pods in an existing namespace, make that namespace the default for the current kubectl context using:
kubectl config set-context --current --namespace=<insert-namespace-here>
- Apply new deployment using:
kubectl apply -f deployment.yaml
- Alternatively, the namespace can be added to the kubectl command using:
kubectl apply -f deployment.yaml --namespace=<insert-namespace-here>
- Or specify namespace: <insert-namespace-here> under metadata in the YAML declaration.
Once created, resources cannot be moved between namespaces. The resource must be deleted,
then created in the new namespace.
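The Audit step above is a manual review of eight resource types. The following shell helper is an added example, not part of the CIS benchmark text: it lists every resource of those types in kube-system and compares the list against an operator-maintained allowlist file of the cluster's own system components (the allowlist file, its name and the function names are assumptions of this example), so that anything else is reported as a finding for review. It assumes a working kubectl with read access to the kube-system namespace.

```shell
#!/bin/sh
# Added audit helper for the CIS "Audit" step; not part of the benchmark text.
# Assumes a working kubectl with read access to the kube-system namespace.

# Resource types the audit step asks to review in kube-system.
AUDIT_TYPES="pods deployments services replicasets statefulsets daemonsets jobs cronjobs"

# Print every resource of those types in kube-system, one "<kind>/<name>" per
# line, exactly as "kubectl get <type> -o name" reports it
# (for example pod/coredns-..., deployment.apps/coredns).
list_kube_system_resources() {
  for t in $AUDIT_TYPES; do
    kubectl get "$t" -n kube-system -o name 2>/dev/null
  done
}

# Compare that list against an allowlist file (one "<kind>/<name>" per line;
# assumed to be maintained by the cluster operator and to hold only the
# cluster's own system components). Every resource not on the allowlist is
# reported as a finding for review. Returns 1 when any finding exists so the
# function can gate a CI job or a periodic compliance check.
audit_kube_system() {
  allowlist="$1"
  findings=0
  for r in $(list_kube_system_resources); do
    if grep -qxF -- "$r" "$allowlist"; then
      continue
    fi
    echo "FINDING: unexpected resource in kube-system: $r"
    findings=$((findings + 1))
  done
  echo "kube-system audit: $findings finding(s)"
  [ "$findings" -eq 0 ]
}

# Usage: sh audit-kube-system.sh allowlist.txt
if [ "$#" -gt 0 ]; then
  audit_kube_system "$1"
fi
```

Note that kubectl's -o name output uses the singular kind, with the API group appended for non-core types (pod/..., deployment.apps/..., cronjob.batch/...), so the allowlist must be written in that form. An allowlist is only as good as its review: a finding means "not recognised as a system component", and each one still needs a human decision to delete and recreate the resource in a user namespace, as the Remediation section describes.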