Profile Applicability:
Level 2
Description:
Kubernetes creates a default namespace for all resources that are not explicitly assigned to a namespace. This namespace should be avoided for organizing workloads in a production environment, as it may cause confusion, poor resource isolation, and difficulty in managing and securing workloads. This check ensures that resources are not using the default namespace unless absolutely necessary.
Rationale:
Using the default namespace for workloads makes it harder to apply security controls, role-based access policies, and resource limits in a fine-grained manner. By creating custom namespaces for different teams, applications, or environments, you can enhance security, resource management, and operational efficiency. Isolating workloads in different namespaces also helps with monitoring, logging, and auditing.
Impact:
Pros:
Improves organization and isolation of workloads within different namespaces.
Makes it easier to apply resource limits, security policies, and monitoring.
Enhances security and governance by separating resources based on teams or projects.
Cons:
Requires additional management to ensure workloads are correctly assigned to appropriate namespaces.
Might increase the complexity of cluster management in large-scale environments.
Default Value:
By default, Kubernetes assigns resources to the default namespace if no other namespace is specified.
Pre-requisites:
Ensure that namespaces are properly defined and configured for different workloads, and that appropriate RBAC policies and resource quotas are applied.
Remediation:
Test Plan:
Using Azure Console:
Navigate to the Azure portal and review the Kubernetes cluster resources.
Verify that resources are not deployed in the default namespace and check if they are assigned to appropriate custom namespaces.
Use the Kubernetes dashboard to inspect resources and ensure proper namespace usage.
Using Azure CLI:
List all resources and check their namespaces:
kubectl get all --all-namespaces
Ensure that no resources are using the default namespace for workloads.
Verify that custom namespaces are used for different applications and workloads.
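The listing step above can be turned into a pass/fail check. The following is an added example, not part of the benchmark text: the function names, the list of kinds and the sample inventory are assumptions made here. Kinds are named explicitly because kubectl get all does not cover every kind (ConfigMaps, for example), and the kubernetes Service and kube-root-ca.crt ConfigMap that Kubernetes itself places in default are not counted as findings.

```shell
#!/usr/bin/env bash
# Added example: report workload objects left in the "default" namespace.
# Function names, kind list and sample data are constructed for illustration.

# "kubectl get all" skips some kinds (ConfigMaps, for one), so list them explicitly.
AUDIT_KINDS="pods,deployments,statefulsets,daemonsets,jobs,cronjobs,services,configmaps"

# Needs cluster access: prints one "NAMESPACE KIND NAME" line per object.
list_inventory() {
  kubectl get "$AUDIT_KINDS" --all-namespaces --no-headers \
    -o custom-columns='NS:.metadata.namespace,KIND:.kind,NAME:.metadata.name'
}

# Reads inventory lines on stdin; prints KIND/NAME for each object in "default".
# Objects that Kubernetes itself places there are not findings.
default_ns_findings() {
  awk '
    $1 != "default"                               { next }
    $2 == "Service"   && $3 == "kubernetes"       { next }  # API server Service
    $2 == "ConfigMap" && $3 == "kube-root-ca.crt" { next }  # CA bundle published to every namespace
    { print $2 "/" $3 }
  '
}

# Exit status 0 when "default" is clean, 1 when it holds workload objects.
check_default_ns() {
  _findings=$(default_ns_findings)
  if [ -z "$_findings" ]; then return 0; fi
  printf '%s\n' "$_findings" | sed 's/^/default namespace in use: /' >&2
  return 1
}

# Constructed sample inventory so the filter can be exercised offline.
sample_inventory() {
  cat <<'EOF'
default      Service     kubernetes
default      ConfigMap   kube-root-ca.crt
default      Deployment  legacy-api
default      Pod         legacy-api-5d9c7b6f4-x2x7q
kube-system  Deployment  coredns
payments     Deployment  checkout
EOF
}

# Against a live cluster:  list_inventory | check_default_ns
```

The non-zero exit status makes the check usable as a gate in a scheduled job or pipeline step.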
Implementation Plan:
Using Azure Console:
In the Azure portal, create custom namespaces for different teams, applications, or environments.
Modify the Kubernetes deployment or pod specifications to assign them to the appropriate namespaces.
Apply RBAC policies, resource limits, and security controls to the custom namespaces for better management.
Using Azure CLI:
Create custom namespaces for different teams or applications:
kubectl create namespace <namespace-name>
Modify the deployment or pod configuration to use the custom namespace:
kubectl apply -f deployment.yaml --namespace=<namespace-name>
Ensure all resources are assigned to the appropriate namespaces and remove any that are in the default namespace.
Backout Plan:
Using Azure Console:
If the namespace reassignment causes issues, revert the changes by moving resources back to the default namespace via the Azure portal.
Using Azure CLI:
Revert any namespace-related changes by moving resources back to the default namespace:
kubectl apply -f deployment.yaml --namespace=default
Ensure that resources are properly assigned to the appropriate namespaces.