lacework-global-352
Do not use default namespace (Manual)
Profile Applicability
• Level 2
Description
Kubernetes places objects in a default namespace if you do not specify a namespace for them. Placing objects in this namespace makes application of Role-Based Access Control (RBAC) and other controls more difficult.
Rationale
Resources in a Kubernetes cluster should be segregated by namespace, to allow for security controls to be applied at that level and to make it easier to manage resources.
Impact
None
Audit
Run this command to list the objects in the default namespace:
kubectl get $(kubectl api-resources --verbs=list --namespaced=true -o name | paste -sd, -) --ignore-not-found -n default
The only entries there should be system-managed resources such as the kubernetes service.
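An added example, not part of the original policy text: a shell filter for the audit output that drops system-managed entries and reports anything else left in the default namespace. It assumes the audit command is run with -o name appended; the allowlist contents and the function names are assumptions to adjust for your cluster.

```shell
#!/bin/sh
# Added example: flag objects left in the default namespace.

# Assumption: objects Kubernetes itself maintains in "default".
# Review and adjust this list for your distribution and version.
SYSTEM_MANAGED='service/kubernetes
endpoints/kubernetes
endpointslice.discovery.k8s.io/kubernetes
configmap/kube-root-ca.crt
serviceaccount/default'

# Reads "kind/name" lines (kubectl -o name output) on stdin and prints
# those that are not system managed. Blank lines and events (transient
# records, not workloads) are skipped.
unexpected_in_default() {
    grep -v '^[[:space:]]*$' \
        | grep -v '^event[./]' \
        | grep -vxF -e "$SYSTEM_MANAGED" || true
}

# Returns 0 when nothing unexpected is found, 1 otherwise.
# Offending objects are listed on stderr.
audit_default_ns() {
    found=$(unexpected_in_default)
    if [ -z "$found" ]; then
        return 0
    fi
    printf 'Objects to move out of the default namespace:\n%s\n' "$found" >&2
    return 1
}

# Live use: the audit command from this page with -o name appended.
live_audit() {
    kubectl get "$(kubectl api-resources --verbs=list --namespaced=true -o name | paste -sd, -)" \
        --ignore-not-found -n default -o name | audit_default_ns
}

# Constructed sample output, not taken from a real cluster.
SAMPLE='service/kubernetes
endpoints/kubernetes
configmap/kube-root-ca.crt
serviceaccount/default
event/web-7d4b9.17a1
deployment.apps/web
pod/web-7d4b9
secret/db-password'
```

Call live_audit against a cluster; its non-zero exit status makes it usable as a scheduled or CI check.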
Remediation
Create namespaces to allow for appropriate segregation of Kubernetes resources, and ensure that all new resources are created in a specific namespace.