Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Use Non-Default Namespaces

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that the default Kubernetes namespace is not used for your Oracle Cloud Infrastructure (OCI) Kubernetes Engine (OKE) clusters. Objects deployed there are difficult to segregate and control, which complicates the application of Role-Based Access Control (RBAC) and other security policies, making resource management and segregation harder.

Security

The default Kubernetes namespace should be avoided for all production workloads. Resources within the OKE cluster should be segregated by dedicated namespaces to effectively apply Role-Based Access Control (RBAC) and other security controls, simplifying both resource management and operational separation.

Audit

To determine if the default Kubernetes namespace is used , perform the following operations:

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  3. Run ce cluster list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each OCI Kubernetes Engine (OKE) cluster available in the selected OCI compartment:

    oci ce cluster list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query 'data[]."id"'

  4. The command output should return the requested OKE cluster IDs:

    [
	"ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.cluster.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  5. Run ce cluster create-kubeconfig command (Windows/macOS/Linux) with the ID of the OCI Kubernetes Engine (OKE) cluster that you want to access as the identifier parameter, to generate and configure the Kubernetes configuration file (kubeconfig) that the kubectl tool needs to securely communicate with and manage the selected OKE cluster:

    oci ce cluster create-kubeconfig
	--cluster-id 'ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--file $HOME/.kube/config
	--kube-endpoint PUBLIC_ENDPOINT
	--region 'ap-sydney-1'
	--token-version 2.0.0

  6. The command output should return the path to the new Kubeconfig file:

    New config written to the Kubeconfig file /home/user/.kube/config

  7. Run the following command to check the versions of the client and server components of your Kubernetes cluster:

    kubectl version

  8. The command output should return the versions of the client and server components:

    Client Version: v1.33.1
Kustomize Version: v5.6.0
Server Version: v1.34.1

  9. Run the following command to list the resources in the default namespace:

    kubectl get all -n default

  10. The command output should return the requested information:

    NAME                      TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
service/kubernetes        ClusterIP   10.96.0.1    <none>        443/TCP   17d
service/nginx-service     ClusterIP   10.90.2.5    <none>        443/TCP   17d
deployment.webs/nginx     ClusterIP   10.30.0.9    <none>        443/TCP   17d
pod/nginx-abcd1234-abcd   ClusterIP   10.28.0.1    <none>        443/TCP   17d

    The only entries returned by the command output should be system-managed resources such as the Kubernetes service (i.e., service/kubernetes). If one or more non-system resources are returned, as shown in the example above, it indicates that workloads have been incorrectly deployed to the default namespace, violating organizational policy and best practices for security segregation and resource management.

Remediation / Resolution

Ensure that namespaces are created to allow for appropriate segregation of Kubernetes resources. All new resources must be created in a specific namespace. To create new namespaces for your Kubernetes resources, perform the following operations:

Using OCI CLI

  1. Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

    oci iam compartment list
	--all
	--include-root
	--query 'data[]."id"'

  2. The command output should return the requested OCI compartment identifiers (OCIDs):

    [
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  3. Run ce cluster list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each OCI Kubernetes Engine (OKE) cluster available in the selected OCI compartment:

    oci ce cluster list
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--all
	--query 'data[]."id"'

  4. The command output should return the requested OKE cluster IDs:

    [
	"ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.cluster.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

  5. Run ce cluster create-kubeconfig command (Windows/macOS/Linux) with the ID of the OCI Kubernetes Engine (OKE) cluster that you want to access as the identifier parameter, to generate and configure the Kubernetes configuration file (kubeconfig) that the kubectl tool needs to securely communicate with and manage the selected OKE cluster:

    oci ce cluster create-kubeconfig
	--cluster-id 'ocid1.cluster.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd'
	--file $HOME/.kube/config
	--kube-endpoint PUBLIC_ENDPOINT
	--region 'ap-sydney-1'
	--token-version 2.0.0

  6. The command output should return the path to the new Kubeconfig file:

    New config written to the Kubeconfig file /home/user/.kube/config

  7. Run the following command to check the versions of the client and server components of your Kubernetes cluster:

    kubectl version

  8. The command output should return the versions of the client and server components:

    Client Version: v1.33.1
Kustomize Version: v5.6.0
Server Version: v1.34.1

  9. Run the kubectl create namespace command to create a new Kubernetes namespace:

    kubectl create namespace nginx-123abc-abc

  10. The command output should return the name of the new Kubernetes namespace:

    namespace/nginx-123abc-abc created

References

Publication date Dec 11, 2025

Related OCI-OKE rules