Prisma Cloud Compute must run within a defined/separate namespace (e.g., Twistlock).
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
medium | V-253547 | SRG-APP-000431-CTR-001065 | CNTR-PC-001380 | SV-253547r961608_rule | 2024-12-06 | 2 |
Description |
---|
Namespaces are a key boundary for network policies, orchestrator access control restrictions, and other important security controls. Prisma Cloud Compute containers running within a separate and exclusive namespace will inherit the namespace's security features. Separating workloads into namespaces can help contain attacks and limit the impact of mistakes or destructive actions by authorized users. |
ℹ️ Check |
---|
Inspect the Kubernetes namespace in which Prisma Cloud Compute is deployed:

```
$ kubectl get pods -n twistlock
NAME                                 READY   STATUS    RESTARTS   AGE
twistlock-console-855744b66b-xs9cm   1/1     Running   0          4d6h
twistlock-defender-ds-99zj7          1/1     Running   0          58d
twistlock-defender-ds-drsh8          1/1     Running   0          58d
```

Inspect the list of pods. If a non-Prisma Cloud Compute pod (one whose name does not start with "twistlock") is running in the same namespace, this is a finding.
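The check above is a manual eyeball of the pod list. The following is an added example, not part of the STIG text or of Prisma Cloud Compute, that automates the same rule: every pod in the Prisma Cloud Compute namespace must have a name beginning with "twistlock". It reads pod names on stdin so it can be tested offline; the live invocation with `kubectl` (commented out, and assuming cluster access) uses `--no-headers` and a `custom-columns` output so only names are emitted. The namespace name `twistlock` and the sample pod names are taken from the check; the extra `nginx-deployment-...` pod is a constructed example of a finding.

```shell
#!/bin/sh
# Added example (not from the STIG or from Prisma Cloud Compute):
# flag pods in the Prisma Cloud Compute namespace whose names do not
# start with the expected prefix. Pod names are read one per line on stdin.

# Returns 0 when every pod name begins with $1 (default "twistlock");
# otherwise prints each offending pod and returns 1.
find_foreign_pods() {
  prefix="${1:-twistlock}"
  rc=0
  while IFS= read -r name; do
    [ -z "$name" ] && continue
    case "$name" in
      "$prefix"*) ;;   # expected Prisma Cloud Compute Console/Defender pod
      *)
        printf 'FINDING: non-%s pod in namespace: %s\n' "$prefix" "$name"
        rc=1
        ;;
    esac
  done
  return "$rc"
}

# Live check (assumes kubectl and access to the cluster; the namespace is
# whatever the deployment chose, "twistlock" here as in the STIG check):
# kubectl get pods -n twistlock --no-headers \
#   -o custom-columns=NAME:.metadata.name | find_foreign_pods twistlock

# Constructed sample: the three pods shown in the check text.
SAMPLE_OK='twistlock-console-855744b66b-xs9cm
twistlock-defender-ds-99zj7
twistlock-defender-ds-drsh8'

# Constructed sample: same pods plus one unrelated workload (a finding).
SAMPLE_BAD="$SAMPLE_OK
nginx-deployment-66b6c48dd5-abcde"

check_sample_ok()  { printf '%s\n' "$SAMPLE_OK"  | find_foreign_pods twistlock; }
check_sample_bad() { printf '%s\n' "$SAMPLE_BAD" | find_foreign_pods twistlock; }
```

Note that matching on a name prefix is exactly what the STIG check specifies and no stronger: a foreign pod deliberately named `twistlock-something` would pass. If you want a tighter control than this check, verify the owning Deployment/DaemonSet of each pod rather than its name.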
✔️ Fix |
---|
Deploy the Prisma Cloud Compute Console and Defender containers within a distinct namespace (e.g., twistlock) reserved for them, and do not deploy any other workloads into that namespace. |