Workloads not in default namespace
Description
Applications should not run in the 'default' namespace.
⚠️ Risk Impact
Use of the `default` namespace indicates ad-hoc deployment without namespace governance. NetworkPolicy, RBAC, ResourceQuota, and admission policies are typically not applied to `default`.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as medium-severity findings with remediation guidance.
🔧 Remediation
Create dedicated namespaces, migrate workloads into them, and deny pods in `default` via an admission policy.
💀 Real-World Attack Scenario
Engineers deployed to `default` for speed. The `default` namespace had no NetworkPolicy and no Pod Security Standards (PSS) enforcement, so a compromised pod had unrestricted lateral movement.
💰 Cost of Non-Compliance
Default-namespace usage is an indicator of broader governance gaps.
📋 Audit Questions
1. Any workloads in default?
2. Admission policy denying default?
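One way to answer the first audit question offline, as an added example (not EchelonGraph's code): it reads a Kubernetes object list and reports only the top-level workloads in `default`, skipping Pods and ReplicaSets that a controller owns. The function names and the sample objects are constructed for illustration, and an object with no `metadata.namespace` is assumed to land in `default`.

```python
# Workload kinds this check covers; Services, ConfigMaps etc. are ignored.
WORKLOAD_KINDS = {"Pod", "ReplicaSet", "Deployment", "StatefulSet",
                  "DaemonSet", "Job", "CronJob"}


def is_owned(obj):
    """True when a controller manages this object (e.g. a Pod under a ReplicaSet)."""
    refs = obj.get("metadata", {}).get("ownerReferences") or []
    return any(ref.get("controller") for ref in refs)


def default_namespace_workloads(kube_list):
    """Return sorted (kind, name) pairs for top-level workloads in 'default'.

    Owned objects are skipped so each finding is the object that has to be
    migrated, not every Pod a Deployment created.
    """
    findings = set()
    for obj in kube_list.get("items", []):
        meta = obj.get("metadata", {})
        if obj.get("kind") not in WORKLOAD_KINDS or is_owned(obj):
            continue
        # Assumption: a rendered manifest without metadata.namespace is
        # applied to 'default' (no -n flag or context namespace overrides it).
        if meta.get("namespace", "default") == "default":
            findings.add((obj["kind"], meta.get("name", "<unnamed>")))
    return sorted(findings)


def _obj(kind, name, ns=None, owner=None):
    """Build a minimal constructed object for the sample below."""
    meta = {"name": name}
    if ns:
        meta["namespace"] = ns
    if owner:
        meta["ownerReferences"] = [{"kind": owner, "controller": True}]
    return {"kind": kind, "metadata": meta}


# Constructed sample, shaped like the List returned by `kubectl get ... -o json`.
SAMPLE = {"kind": "List", "items": [
    _obj("Deployment", "web", "default"),
    _obj("ReplicaSet", "web-7c9d", "default", owner="Deployment"),
    _obj("Pod", "web-7c9d-x2k", "default", owner="ReplicaSet"),
    _obj("Pod", "debug-shell", "default"),      # bare pod, no controller
    _obj("Deployment", "api", "payments"),      # dedicated namespace: fine
    _obj("Service", "kubernetes", "default"),   # not a workload kind
    _obj("CronJob", "report"),                  # manifest with no namespace
]}

if __name__ == "__main__":
    for kind, name in default_namespace_workloads(SAMPLE):
        print(f"{kind}/{name} runs in the default namespace")
```

Against a live cluster, the same function can be fed the parsed output of `kubectl get pods,replicasets,deployments,statefulsets,daemonsets,jobs,cronjobs -A -o json`.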
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Quick-deploy via default during incident
- ⛔ Helm charts that don't specify namespace
- ⛔ No admission denial
📈 Business Value
Namespace governance enables policy enforcement.
⏱️ Effort Estimate
Per-workload migration
EchelonGraph identifies default-namespace workloads
Automate CIS Kubernetes 5.7.1 compliance