The default namespace should not be used

Kubernetes provides a default namespace, where objects are placed if no namespace is specified for them. Placing objects in this namespace makes it harder to apply RBAC and other namespace-scoped controls to them.

Category

Controls

Low

Applies to

Kubernetes

Coverage

null controls, 15 queries

Asset types

15 covered

Rationale

Resources in a Kubernetes cluster should be segregated by namespace, to allow for security controls to be applied at that level and to make it easier to manage resources.

Audit

Run this command to list all namespaced objects in the default namespace:

kubectl get $(kubectl api-resources --verbs=list --namespaced=true -o name | paste -sd, -) --ignore-not-found -n default

The only entries there should be system-managed resources such as the kubernetes service.
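As an added example (not Cyscale's tooling or the page's own command), the POSIX shell filter below turns the audit command's output into a pass/fail check by applying the same system-managed exclusions that the stored checks on this page use (the kubernetes Service and Endpoints, the kube-root-ca.crt ConfigMap and the default ServiceAccount). Running the command with -o name and also excluding the kubernetes EndpointSlice are assumptions beyond the page's command.

```shell
#!/bin/sh
# Added example, not Cyscale's code. Filters the audit command's "-o name"
# output (one kind/name per line) down to objects that violate the control.
# The EndpointSlice exclusion is an assumption for clusters that publish one.

# Read "kind/name" lines on stdin and print only the violating ones.
# Always exits 0 so it can be used under "set -e".
default_ns_violations() {
    grep -v -E '^(service|endpoints|endpointslice\.discovery\.k8s\.io)/kubernetes$' \
  | grep -v -E '^configmap/kube-root-ca\.crt$' \
  | grep -v -E '^serviceaccount/default$' \
  | grep -v -E '^[[:space:]]*$' || true
}

# Number of violating objects; "0" means only system-managed objects remain.
count_default_ns_violations() {
    default_ns_violations | grep -c . || true
}

# Live audit: the page's kubectl command plus "-o name", piped into the filter.
audit_default_namespace() {
    kubectl get "$(kubectl api-resources --verbs=list --namespaced=true -o name | paste -sd, -)" \
        --ignore-not-found -n default -o name | default_ns_violations
}

# Constructed sample of what the audit command prints on a cluster where an
# application was deployed into "default" next to the system-managed objects.
SAMPLE_OUTPUT='configmap/kube-root-ca.crt
endpoints/kubernetes
service/kubernetes
serviceaccount/default
deployment.apps/payments-api
replicaset.apps/payments-api-7d9f8
service/payments-api'

if [ "${1:-}" = "live" ]; then
    audit_default_namespace          # needs kubectl and cluster access
else
    printf '%s\n' "$SAMPLE_OUTPUT" | default_ns_violations
fi
```

Controller-owned ReplicaSets and Jobs are reported here alongside their Deployment or CronJob, whereas the stored checks on this page skip them; the verdict is the same, only the listing is longer.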

Remediation guidance

Ensure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace.

Default value

Unless a namespace is specified on object creation, the default namespace will be used.

Multiple Remediation Paths

SERVICE-WIDE (RECOMMENDED when many resources are affected): Apply organization/tenant-level guardrails and baseline policies for the entire platform.

ASSET-LEVEL: Fix only the affected resources identified by this control.

PREVENTIVE: Add preventive policy checks to CI/CD and periodic posture scans.

References for Service-Wide Patterns

  • Platform policy/governance and preventive control patterns should be applied tenant-wide where supported.

Query logic

These are the stored checks tied to this control.

Kubernetes ConfigMaps in default namespace

Connectors

Kubernetes

Covered asset types

ConfigMap

Expected check: eq []

{
  namespaces(where: { internalName: "default" }) {
    configMaps(where: { internalName_NOT: "kube-root-ca.crt" }) {
      ...AssetFragment
    }
  }
}

Kubernetes Endpoints in default namespace

Connectors

Kubernetes

Covered asset types

Endpoints

Expected check: eq []

{
  namespaces(where: { internalName: "default" }) {
    endpoints(where: { internalName_NOT: "kubernetes" }) {
      ...AssetFragment
    }
  }
}

Kubernetes PersistentVolumeClaims in default namespace

Connectors

Kubernetes

Covered asset types

PersistentVolumeClaim

Expected check: eq []

{
  namespaces(where: { internalName: "default" }) {
    persistentVolumeClaims {
      ...AssetFragment
    }
  }
}

Kubernetes ServiceAccounts in default namespace

Connectors

Kubernetes

Covered asset types

ServiceAccount

Expected check: eq []

{
  namespaces(where: { internalName: "default" }) {
    serviceAccounts(where: {internalName_NOT: "default"}) {
      ...AssetFragment
    }
  }
}

Kubernetes Services in default namespace

Connectors

Kubernetes

Covered asset types

Service

Expected check: eq []

{
  namespaces(where: { internalName: "default" }) {
    services(where: {internalName_NOT: "kubernetes"}) {
      ...AssetFragment
    }
  }
}

Kubernetes DaemonSets in default namespace

Connectors

Kubernetes

Covered asset types

DaemonSet

Expected check: eq []

{
  namespaces(where: { internalName: "default" }) {
    daemonSets {
      ...AssetFragment
    }
  }
}

Kubernetes Deployments in default namespace

Connectors

Kubernetes

Covered asset types

Deployment

Expected check: eq []

{
  namespaces(where: { internalName: "default" }) {
    deployments {
      ...AssetFragment
    }
  }
}

Kubernetes ReplicaSets in default namespace

Connectors

Kubernetes

Covered asset types

ReplicaSet

Expected check: eq []

{
  namespaces(where: { internalName: "default" }) {
    replicaSets(where: {deploymentName: ""}) {
      ...AssetFragment
    }
  }
}

Kubernetes StatefulSets in default namespace

Connectors

Kubernetes

Covered asset types

StatefulSet

Expected check: eq []

{
  namespaces(where: { internalName: "default" }) {
    statefulSets {
      ...AssetFragment
    }
  }
}

Kubernetes Ingresses in default namespace

Connectors

Kubernetes

Covered asset types

Ingress

Expected check: eq []

{
  namespaces(where: { internalName: "default" }) {
    ingresses {
      ...AssetFragment
    }
  }
}

Kubernetes NetworkPolicies in default namespace

Connectors

Kubernetes

Covered asset types

NetworkPolicy

Expected check: eq []

{
  namespaces(where: { internalName: "default" }) {
    networkPolicies {
      ...AssetFragment
    }
  }
}

Kubernetes RoleBindings in default namespace

Connectors

Kubernetes

Covered asset types

RoleBinding

Expected check: eq []

{
  namespaces(where: { internalName: "default" }) {
    roleBindings {
      ...AssetFragment
    }
  }
}

Kubernetes Roles in default namespace

Connectors

Kubernetes

Covered asset types

Role

Expected check: eq []

{
  namespaces(where: { internalName: "default" }) {
    roles {
      ...AssetFragment
    }
  }
}

Kubernetes CronJobs in default namespace

Connectors

Kubernetes

Covered asset types

CronJob

Expected check: eq []

{
  namespaces(where: { internalName: "default" }) {
    cronJobs {
      ...AssetFragment
    }
  }
}

Kubernetes Jobs in default namespace

Connectors

Kubernetes

Covered asset types

Job

Expected check: eq []

{
  namespaces(where: { internalName: "default" }) {
    jobs(where: { cronJobName: "" }) {
      ...AssetFragment
    }
  }
}