STIGQter: STIG Summary: Kubernetes Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 13 Apr 2021:

User-managed resources must be created in dedicated namespaces.

DISA Rule

SV-242383r712505_rule

Vulnerability Number

V-242383

Group Title

SRG-APP-000038-CTR-000105

Rule Version

CNTR-K8-000290

Severity

CAT I

CCI(s)

CCI-000366 - The organization implements the security configuration settings.

Weight

Fix Recommendation

Move any user-managed resources from the default, kube-public and kube-node-lease namespaces, to user namespaces.

Check Contents

To view the available namespaces, run the command:

kubectl get namespaces

The default namespaces to be validated are default, kube-public and kube-node-lease if it is created.

For the default namespace, execute the commands:

kubectl config set-context --current --namespace=default
kubectl get all

For the kube-public namespace, execute the commands:

kubectl config set-context --current --namespace=kube-public
kubectl get all

For the kube-node-lease namespace, execute the commands:

kubectl config set-context --current --namespace=kube-node-lease
kubectl get all

The only valid return values are the kubernetes service (i.e., service/kubernetes) and nothing at all.

If a return value is returned from the "kubectl get all" command and it is not the kubernetes service (i.e., service/kubernetes), this is a finding.

User-managed resources must be created in dedicated namespaces.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments