🛡️
CTHFM: Kubernetes
  • Welcome
  • Kubernetes Fundamentals
    • Kubernetes Components
      • Kubernetes Master Node
      • Worker Nodes
      • Pods
      • Service
      • ConfigMaps and Secrets
      • Namespaces
      • Deployments
      • ReplicaSets
      • Jobs and CronJobs
      • Horizontal Pod Autoscaler (HPA)
      • Kubernetes Ports and Protocols
    • Kubectl
      • Installation and Setup
      • Basic Kubectl
      • Working With Pods
      • Deployments and ReplicaSets
      • Services and Networking
      • ConfigMaps and Secrets
      • YAML Manifest Management
      • Debugging and Troubleshooting
      • Kubectl Scripting: Security
      • Customizing Kubectl
      • Security Best Practices
      • Common Issues
      • Reading YAML Files
    • MiniKube
      • Intro
      • Prerequisites
      • Installation MiniKube
      • Starting MiniKube
      • Deploy a Sample Application
      • Managing Kubernetes Resources
      • Configuring MiniKube
      • Persistent Storage in Minikube
      • Using Minikube for Local Development
      • Common Pitfalls
      • Best Practices
  • Kubernetes Logging
    • Kubernetes Logging Overview
    • Audit Logs
    • Node Logs
    • Pod Logs
    • Application Logs
    • Importance of Logging
    • Types of Logs
    • Collecting and Aggregating Logs
    • Monitoring and Alerting
    • Log Parsing and Enrichment
    • Security Considerations in Logging
    • Best Practices
    • Kubernetes Logging Architecture
  • Threat Hunting
    • Threat Hunting Introduction
    • What Makes Kubernetes Threat Hunting Unique
    • Threat Hunting Process
      • Hypothesis Generation
      • Investigation
      • Identification
      • Resolution & Follow Up
    • Pyramid of Pain
    • Threat Frameworks
      • MITRE Containers Matrix
        • MITRE Att&ck Concepts
        • MITRE Att&ck Data Sources
        • MITRE ATT&CK Mitigations
        • MITRE Att&ck Containers Matrix
      • Microsoft Threat for Kubernetes
    • Kubernetes Behavioral Analysis and Anomaly Detection
    • Threat Hunting Ideas
    • Threat Hunting Labs
  • Security Tools
    • Falco
      • Falco Overview
      • Falco's Architecture
      • Runtime Security Explained
      • Installation and Setup
      • Falco Rules
      • Tuning Falco Rules
      • Integrating Falco with Kubernetes
      • Detecting Common Threats with Falco
      • Integrating Falco with Other Security Tools
      • Automating Incident Response with Falco
      • Managing Falco Performance and Scalability
      • Updating and Maintaining Falco
      • Real-World Case Studies and Lessons Learned
      • Labs
        • Deploying Falco on a Kubernetes Cluster
        • Writing and Testing Custom Falco Rules
        • Integrating Falco with a SIEM System
        • Automating Responses to Falco Alerts
    • Open Policy Agent (OPA)
      • Introduction to Open Policy Agent (OPA)
      • Getting Started with OPA
      • Rego
      • Advanced Rego Concepts
      • Integrating OPA with Kubernetes
      • OPA Gatekeeper
      • Policy Enforcement in Microservices
      • OPA API Gateways
      • Introduction to CI/CD Pipelines and Policy Enforcement
      • External Data in OPA
      • Introduction to Decision Logging
      • OPA Performance Monitoring
      • OPA Implementation Best Practices
      • OPA Case Studies
      • OPA Ecosystem
    • Kube-Bench
    • Kube-Hunter
    • Trivy
    • Security Best Practices and Documentation
      • RBAC Good Practices
      • Official CVE Feed
      • Kubernetes Security Checklist
      • Securing a Cluster
      • OWASP
  • Open Source Tools
    • Cloud Native Computing Foundation (CNCF)
      • Security Projects
  • Infrastructure as Code
    • Kubernetes and Terraform
      • Key Focus Areas for Threat Hunters
      • Infastructure As Code: Kubernetes
      • Infrastructure as Code (IaC) Basics
      • Infastructure As Code Essential Commands
      • Terraform for Container Orchestration
      • Network and Load Balancing
      • Secrets Management
      • State Management
      • CI/CD
      • Security Considerations
      • Monitoring and Logging
      • Scaling and High Availability
      • Backup and Disaster Recovery
    • Helm
      • What is Helm?
      • Helm Architecture
      • Write Helm Charts
      • Using Helm Charts
      • Customizing Helm Charts
      • Customizing Helm Charts
      • Building Your Own Helm Chart
      • Advanced Helm Chart Customization
      • Helm Repositories
      • Helm Best Practices
      • Helmfile and Continuous Integration
      • Managing Secrets with Helm and Helm Secrets
      • Troubleshooting and Debugging Helm
      • Production Deployments
      • Helm Case Studies
Powered by GitBook
On this page
  • Namespaces Overview
  • 1. Purpose of Namespaces
  • 2. Default Namespaces
  • 3. Creating and Managing Namespaces
  • 4. Resource Management in Namespaces
  • 5. Access Control in Namespaces
  • 6. Namespace Scoped vs. Cluster Scoped Resources
  • 7. Working with Namespaces in kubectl
  • 8. Use Cases for Namespaces
  • 9. Best Practices
  • Summary
  1. Kubernetes Fundamentals
  2. Kubernetes Components

Namespaces

Namespaces Overview

Namespaces in Kubernetes are a way to divide cluster resources between multiple users or teams. They provide a mechanism for isolating groups of resources within the same cluster, enabling better organization, resource allocation, and access control. Here’s a detailed look at namespaces in Kubernetes:

1. Purpose of Namespaces

  • Resource Isolation:

    • Namespaces provide a way to partition resources, such as pods, services, and deployments, within the same cluster. This isolation ensures that resources in one namespace do not interfere with resources in another.

  • Multi-Tenancy:

    • Namespaces allow multiple users or teams to share the same Kubernetes cluster without interfering with each other. Each namespace can be assigned specific roles, resource quotas, and policies, making it easier to manage a multi-tenant environment.

  • Resource Organization:

    • Namespaces help organize resources in a large cluster. For example, resources related to development, testing, and production environments can be placed in separate namespaces.

2. Default Namespaces

  • Kubernetes comes with several pre-defined namespaces:

    • default: The default namespace for resources that are not assigned a specific namespace.

    • kube-system: Contains system-related resources and components, such as the API server, scheduler, and controller manager.

    • kube-public: A namespace that is readable by all users (including those not authenticated). It is generally used for public resources that need to be accessible by everyone in the cluster.

    • kube-node-lease: Used for node lease objects, which hold information about node heartbeat data. This is part of the mechanism that determines the availability of nodes.

3. Creating and Managing Namespaces

  • Creating a Namespace:

    • You can create a new namespace using the kubectl command:

      kubectl create namespace <namespace-name>

    • For example, to create a namespace called development:

      kubectl create namespace development

  • Listing Namespaces:

    • You can list all namespaces in the cluster using:

      kubectl get namespaces

    • This command will display all existing namespaces in the cluster.

  • Deleting a Namespace:

    • You can delete a namespace (and all resources within it) using:

      kubectl delete namespace <namespace-name>

    • Be cautious when deleting namespaces, as this action will remove all resources within the namespace.

4. Resource Management in Namespaces

  • Resource Quotas:

    • Kubernetes allows you to define resource quotas within namespaces to limit the amount of CPU, memory, and storage that can be used. This is useful for preventing a single namespace from consuming all the cluster’s resources.

    • Example of a resource quota definition:

      apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-resources
  namespace: development
spec:
  hard:
    requests.cpu: "20"
    requests.memory: "50Gi"
    limits.cpu: "30"
    limits.memory: "60Gi"

  • Limit Ranges:

    • Limit ranges define default resource requests and limits for containers in a namespace. They ensure that all pods in the namespace have reasonable resource constraints.

    • Example of a limit range definition:

      apiVersion: v1
kind: LimitRange
metadata:
  name: cpu-mem-limits
  namespace: development
spec:
  limits:
    - default:
        cpu: "500m"
        memory: "512Mi"
      defaultRequest:
        cpu: "250m"
        memory: "256Mi"
      type: Container

5. Access Control in Namespaces

  • Role-Based Access Control (RBAC):

    • Kubernetes supports RBAC, which allows you to define roles and bind them to users or service accounts within a namespace. This ensures that users only have the permissions they need within their assigned namespaces.

    • Example of a role binding:

      apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer-access
  namespace: development
subjects:
- kind: User
  name: developer1
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer-role
  apiGroup: rbac.authorization.k8s.io

6. Namespace Scoped vs. Cluster Scoped Resources

  • Namespace Scoped Resources:

    • Most Kubernetes resources, such as pods, services, and config maps, are namespace-scoped. They exist and are accessible only within the namespace in which they are created.

  • Cluster Scoped Resources:

    • Some resources, like nodes, persistent volumes, and custom resource definitions (CRDs), are cluster-scoped, meaning they exist across the entire cluster and are not confined to any namespace.

7. Working with Namespaces in kubectl

  • Setting a Default Namespace for kubectl:

    • To avoid specifying the namespace in every command, you can set a default namespace for kubectl:

      kubectl config set-context --current --namespace=<namespace-name>

  • Switching Between Namespaces:

    • You can use the -n flag to specify a namespace for a particular command:

      kubectl get pods -n <namespace-name>

8. Use Cases for Namespaces

  • Development vs. Production:

    • Separate namespaces can be used to isolate development, testing, and production environments within the same cluster.

  • Multi-Tenant Clusters:

    • In environments where multiple teams or projects share the same cluster, namespaces help to ensure that each tenant’s resources are isolated and managed independently.

  • Resource Constraints:

    • Namespaces are ideal for applying resource quotas and access controls to ensure fair resource distribution and security within a shared cluster.

9. Best Practices

  • Minimal Namespace Usage:

    • For small clusters or single-tenant environments, it might be easier to work within the default namespace.

  • Namespace Naming Conventions:

    • Use clear and consistent naming conventions for namespaces to make resource management easier.

  • Monitor Namespace Usage:

    • Regularly monitor resource usage in each namespace to ensure that quotas and limits are properly enforced.

Summary

Namespaces are a powerful tool in Kubernetes for organizing and managing resources, especially in larger, multi-tenant clusters. They provide a logical division of resources and help enforce policies, security, and resource constraints across different parts of the cluster.

PreviousConfigMaps and SecretsNextDeployments

Last updated 7 months ago