Prevent Default Namespace 1.1.1

Prevents containers from running in the 'default' namespace. Namespaces other than 'default' should be used to segregate resources; in the 'default' namespace it is also more difficult to apply RBAC and resource quotas, among other things.


Note that this policy is part of the following security standards:

  • cis/kubernetes: CIS Kubernetes Benchmark v1.6.0: Section 5.7.4
  • bsi/containerization: BSI IT-Grundschutz "Containerisierung": Section: APP.4.4.A1

Applies to

  • Pod
  • ReplicaSet
  • ReplicationController
  • Deployment
  • StatefulSet
  • DaemonSet
  • Job
  • CronJob

Example

apiVersion: batch/v1
kind: Job
metadata:
  name: pi
-  namespace: default
+  namespace: pi
spec:
  template:
    spec:
      containers:
        - name: pi
          image: perl
          command: ["perl", "-Mbignum=bpi", "-wle", "print bpi(2000)"]

Risk acceptance

Use the annotation securitytower.io/policy.exclusion.preventdefaultnamespace as in the example below.

apiVersion: batch/v1
kind: Job
metadata:
  name: pi
  namespace: default
  annotations:
    securitytower.io/policy.exclusion.preventdefaultnamespace: |-
      This container needs to run in the 'default' namespace because...
...
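As an added example (not part of this policy page or the Security Tower product), the following script applies the same check offline to the JSON that `kubectl get <kinds> -A -o json` returns: it flags the workload kinds listed under "Applies to" when they sit in the 'default' namespace, unless the exclusion annotation shown above carries a non-empty justification. The sample input is constructed; the treatment of a missing namespace as 'default' is an assumption that matches kubectl's behaviour when no -n is given.

```python
"""Flag workloads running in the 'default' namespace unless the
exclusion annotation documents an accepted risk.

Input shape: a Kubernetes List object as emitted by
`kubectl get <kinds> -A -o json` (assumption: items are full objects).
"""
import json

# Kinds the policy applies to, as listed on this page.
WORKLOAD_KINDS = {
    "Pod", "ReplicaSet", "ReplicationController", "Deployment",
    "StatefulSet", "DaemonSet", "Job", "CronJob",
}
EXCLUSION_ANNOTATION = "securitytower.io/policy.exclusion.preventdefaultnamespace"


def violates_policy(obj):
    """Return a reason string if obj violates the policy, else None."""
    kind = obj.get("kind")
    if kind not in WORKLOAD_KINDS:
        return None
    meta = obj.get("metadata", {})
    # Objects read back from the API always carry a namespace; a raw manifest
    # without one lands in 'default' unless -n is passed at apply time (assumption).
    namespace = meta.get("namespace") or "default"
    if namespace != "default":
        return None
    justification = (meta.get("annotations") or {}).get(EXCLUSION_ANNOTATION, "")
    if justification.strip():
        return None  # risk accepted and justified in the annotation
    return f"{kind}/{meta.get('name', '<unnamed>')} runs in namespace 'default'"


def scan(kube_list):
    """Return all violation reasons for a Kubernetes List object."""
    return [r for r in (violates_policy(i) for i in kube_list.get("items", [])) if r]


# Constructed sample: what `kubectl get jobs,deployments,configmaps -A -o json` might return.
SAMPLE = json.loads("""{"kind": "List", "apiVersion": "v1", "items": [
  {"kind": "Job", "metadata": {"name": "pi", "namespace": "default"}},
  {"kind": "Job", "metadata": {"name": "pi", "namespace": "pi"}},
  {"kind": "Deployment", "metadata": {"name": "web", "namespace": "default",
   "annotations": {"securitytower.io/policy.exclusion.preventdefaultnamespace":
                   "This container needs to run in the 'default' namespace because..."}}},
  {"kind": "ConfigMap", "metadata": {"name": "cfg", "namespace": "default"}}
]}""")

if __name__ == "__main__":
    for reason in scan(SAMPLE):
        print("VIOLATION:", reason)
```

Only the first Job is reported: the second runs in its own namespace, the Deployment carries a justified exclusion, and ConfigMap is not a workload kind the policy covers.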