Profile Applicability:
 • Level 1

Description:
 Use namespaces to isolate your Kubernetes objects to ensure logical boundaries between resources. This approach helps in managing access control and organizing resources by their intended use cases.

Rationale:
 Namespaces provide a way to logically partition resources in a Kubernetes cluster. By isolating resources within specific namespaces, administrators can create boundaries that prevent one group of resources or users from interacting with others. This helps in limiting the scope of user permissions, thus reducing the potential impact of mistakes or malicious activities. By using namespaces, you can implement policies that segregate access and ensure that only authorized users or services can access resources in a particular namespace.

Impact:
 Pros:

  • Reduced risk of accidental or intentional misuse of resources.

  • Clearer organization of resources within the cluster.

  • Easier to manage policies and permissions specific to different namespaces.

Cons:

  • Administrators need to manage multiple namespaces and switch contexts when managing resources.

  • Increased complexity in managing access controls across multiple namespaces.

Default Value:
 By default, Kubernetes comes with four predefined namespaces:

  1. default: The default namespace for objects with no other specified namespace.

  2. kube-system: The namespace for Kubernetes system resources.

  3. kube-public: The namespace used for publicly readable ConfigMaps.

  4. kube-node-lease: The namespace for the associated lease objects for each node.

Pre-requisites:

  • Knowledge of namespace-based access controls and how to configure them.

  • Ability to create and manage Kubernetes namespaces.

  • Appropriate RBAC policies to control access between namespaces.

Remediation

Test Plan:

Using AWS Console:

  1. Log into the AWS Management Console.

  2. Navigate to your EKS cluster and check the namespaces.

  3. Ensure that the namespaces in use are logically organized and aligned with your security requirements.

Using AWS CLI:

  1. Run the following command to list all namespaces:

     kubectl get namespaces

  2. Ensure that the namespaces created are appropriate and reflect the required isolation of resources.

Implementation Plan

Using AWS Console:

  1. Create new namespaces as needed using the Kubernetes API or through the AWS Console.

  2. Assign resources (like pods, services, and deployments) to these namespaces based on your use case.

  3. Configure appropriate Role-Based Access Control (RBAC) policies to restrict access to these namespaces.

Using AWS CLI:

  1. To create a new namespace, use the following command:

     kubectl create namespace <namespace-name>

  2. Assign specific resources to the newly created namespaces, for example:

     kubectl create deployment <deployment-name> --image=<image-name> -n <namespace-name>

  3. Set up RBAC policies to limit access to specific namespaces. For example:

     kubectl create role <role-name> --verb=<verb> --resource=<resource> -n <namespace-name>
     kubectl create rolebinding <role-binding-name> --role=<role-name> --user=<user-name> -n <namespace-name>
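The implementation steps above, as an added example that is not part of this benchmark: a POSIX shell helper that emits the Namespace, a namespace-scoped Role and a RoleBinding as one declarative manifest (the imperative kubectl create commands above produce the same objects), plus a small audit filter for the test plan. The namespace, role, user and resource values are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the benchmark). Generates namespace-scoped RBAC objects
# so that a grant can never reach resources outside the named namespace.
set -eu

# rbac_manifest NAMESPACE ROLE USER APIGROUP RESOURCE VERBS
#   APIGROUP: "" for core resources (pods, services, configmaps), "apps" for deployments
#   VERBS:    comma-separated, e.g. get,list,watch
# Uses Role + RoleBinding (not ClusterRole/ClusterRoleBinding), so the binding is
# confined to NAMESPACE even if the same role name exists elsewhere.
rbac_manifest() {
  ns="$1"; role="$2"; user="$3"; apigroup="$4"; resource="$5"; verbs="$6"
  verb_list=$(printf '%s' "$verbs" | sed 's/,/", "/g')
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: ${ns}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${role}
  namespace: ${ns}
rules:
- apiGroups: ["${apigroup}"]
  resources: ["${resource}"]
  verbs: ["${verb_list}"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${role}-binding
  namespace: ${ns}
subjects:
- kind: User
  name: ${user}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: ${role}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Audit filter for the test plan: reads "NAMESPACE NAME" lines (the first two columns of
# `kubectl get pods -A --no-headers`) on stdin and prints workloads still in "default".
pods_in_default() {
  awk '$1 == "default" { print $2 }'
}

# Usage: rbac_manifest team-a pod-reader alice "" pods get,list | kubectl apply -f -
```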

Backout Plan

Using AWS Console:

  1. If namespace creation or segregation causes issues, revert to using fewer namespaces or the default namespace setup.

  2. Ensure that the cluster operates smoothly after reverting changes.

Using AWS CLI:

  1. Delete any created namespaces if necessary:

     kubectl delete namespace <namespace-name>

  2. Ensure that any resources are moved back to the default namespace if applicable.
