Profile Applicability:
• Level 1
Description:
Kubernetes provides a default namespace where objects are placed if no namespace is specified during their creation. Using this default namespace makes the application of Role-Based Access Control (RBAC) and other security measures more difficult and less effective.
Rationale:
To ensure better resource isolation and improve security, Kubernetes resources should be segregated into dedicated namespaces. This allows for more granular control and enables the implementation of RBAC policies, network policies, and other security measures at the namespace level.
Impact:
Pros:
• Improved security and access control by using separate namespaces.
• Better organization and easier management of resources.
Cons:
• Requires additional administrative effort to manage and configure namespaces.
Default Value:
Unless a specific namespace is mentioned during object creation, Kubernetes places resources in the default namespace.
Pre-requisites:
• Knowledge of Kubernetes namespaces and RBAC configuration.
• Administrative access to the Kubernetes cluster.
Remediation:
Test Plan:
Using AWS Console:
Navigate to the Kubernetes cluster in the AWS Console.
Check the resources in the default namespace.
Confirm that only system-managed resources like the Kubernetes service remain in the default namespace.
Using AWS CLI:
Run the following command to list objects in the default namespace:
kubectl get $(kubectl api-resources --verbs=list --namespaced=true -o name | paste -sd, -) --ignore-not-found -n default
Alternatively, check for pods in the default namespace:
kubectl get pods -n default
Apart from system-managed objects such as the kubernetes Service, nothing should be listed; the pod check should return "No resources found in default namespace."
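The full listing above still includes objects Kubernetes itself places in the default namespace, so a reviewer has to separate those from workload objects that violate this recommendation. The helper below is an added example, not part of the benchmark text: it reads the output of the kubectl get command above on stdin and prints only the objects that are not expected system residents. The allowlist of "system-managed" objects (the kubernetes Service, Endpoints and EndpointSlice, the kube-root-ca.crt ConfigMap and the default ServiceAccount) and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added audit helper (not part of the benchmark text). Usage against a live cluster:
#   kubectl get $(kubectl api-resources --verbs=list --namespaced=true -o name | paste -sd, -) \
#       --ignore-not-found -n default | non_system_default_objects
# Prints one "<kind>/<name>" per line for objects that should not be in default.

non_system_default_objects() {
    # Drop blank lines and per-kind header rows (they start with NAME), then drop the
    # objects Kubernetes itself creates in default. This allowlist is an assumption
    # about a typical cluster; extend it if your platform adds more system objects.
    awk '
        NF == 0 || $1 == "NAME" { next }
        $1 ~ /^(service|endpoints|endpointslice\.discovery\.k8s\.io)\/kubernetes$/ { next }
        $1 == "configmap/kube-root-ca.crt" { next }
        $1 == "serviceaccount/default" { next }
        { print $1 }
    '
}

# Exit non-zero when anything other than system-managed objects lives in default.
# Argument: the captured text of the kubectl get command.
check_default_namespace_empty() {
    findings=$(printf '%s\n' "$1" | non_system_default_objects)
    if [ -n "$findings" ]; then
        printf 'FAIL: non-system objects in default namespace:\n%s\n' "$findings"
        return 1
    fi
    printf 'PASS: only system-managed objects in default namespace\n'
    return 0
}

# Constructed sample output standing in for a live cluster: two workload objects
# (a Pod and its Deployment) have been created in default alongside the system objects.
SAMPLE_DEFAULT_NS_OUTPUT='NAME                        DATA   AGE
configmap/kube-root-ca.crt   1      30d

NAME                   ENDPOINTS      AGE
endpoints/kubernetes   10.0.0.1:443   30d

NAME                        READY   STATUS    RESTARTS   AGE
pod/web-7d4b9c6f5-xk2lq     1/1     Running   0          2d

NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
service/kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   30d

NAME                  READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/web   1/1     1            1           2d'
```

Run the live kubectl command through non_system_default_objects in a scheduled job or CI check; an empty result means the recommendation is met, and any printed line names the object that needs to be moved to a dedicated namespace.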
Implementation Plan:
Using AWS Console:
Create new namespaces for different applications and workloads.
Assign resources to their respective namespaces during creation.
Configure RBAC and network policies at the namespace level to ensure proper access controls.
Using AWS CLI:
Create a new namespace using the following command:
kubectl create namespace <namespace-name>
When creating resources, ensure they are assigned to the appropriate namespace. For example, create a deployment in the newly created namespace:
kubectl create deployment <deployment-name> --image=<image-name> -n <namespace-name>
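Creating the namespace is only the first step; the isolation benefit described in the Rationale comes from the RBAC and network policies scoped to it. The script below is an added example, not part of the benchmark text: it renders the namespace together with a namespace-scoped Role and RoleBinding for the owning team and a default-deny NetworkPolicy, so the new namespace is an access boundary from the moment it exists. The namespace name, the team group name and the set of granted verbs are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not part of the benchmark text): render the manifests that make a new
# namespace a real isolation boundary. Namespace, group and verbs are illustrative.

render_namespace_manifest() {
    ns="$1"      # namespace to create, e.g. payments
    group="$2"   # RBAC group (from the cluster's identity mapping) that owns the namespace
    cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: ${ns}
---
# Role: edit rights on workload objects, scoped to this namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${ns}-workload-editor
  namespace: ${ns}
rules:
  - apiGroups: ["", "apps"]
    resources: ["pods", "services", "configmaps", "deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${ns}-workload-editor
  namespace: ${ns}
subjects:
  - kind: Group
    name: ${group}
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: ${ns}-workload-editor
  apiGroup: rbac.authorization.k8s.io
---
# Default deny: pods in the namespace accept and initiate no traffic until a policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: ${ns}
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
EOF
}

# Number of top-level objects in a rendered manifest read from stdin (sanity check).
count_manifest_objects() {
    grep -c '^kind:'
}

# Usage against a live cluster (requires kubectl, not run here):
#   render_namespace_manifest payments payments-developers | kubectl apply -f -
#   kubectl config set-context --current --namespace=payments   # later kubectl calls default to it
#   kubectl create deployment web --image=<image-name>           # lands in payments, not default
```

Because the Role and RoleBinding carry an explicit namespace, a subject bound through them gains nothing in default or any other namespace, which is the granular control the Rationale refers to. Setting the namespace in the current kubectl context, as in the usage comment, removes the most common way workloads end up in default by accident.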
Backout Plan:
Using AWS Console:
If there are issues with resource isolation, review the namespaces and ensure that all resources are properly assigned to their respective namespaces.
If necessary, delete any unwanted resources from the default namespace.
Using AWS CLI:
Remove any resources from the default namespace if they were mistakenly created there:
kubectl delete deployment <deployment-name> -n default
Ensure that future resources are created in the correct namespace by setting the appropriate context or specifying the namespace during creation.