Profile Applicability:
Level 2
Description:
The NamespaceLifecycle admission control plugin prevents Pods and other resources from being created or updated in namespaces that are being deleted. This avoids resources being unintentionally left in a terminating namespace, which can cause inconsistencies or orphaned resources that persist after the namespace is deleted.
Rationale:
The NamespaceLifecycle plugin is critical for maintaining cluster hygiene by ensuring that no resources can be created or modified in namespaces marked for deletion. Without this plugin, resources may be inadvertently deployed or modified in namespaces that are in the process of being removed, leading to potential management and cleanup challenges.
Impact:
Pros:
Ensures proper cleanup of resources when namespaces are deleted, preventing orphaned resources.
Helps maintain the integrity of the cluster by enforcing namespace lifecycle rules.
Cons:
If misconfigured, it may block legitimate resource updates in namespaces during a deletion process, affecting ongoing operations or migrations.
Default Value:
This plugin is typically enabled by default in most Kubernetes clusters, but it should be confirmed in your environment.
Pre-requisites:
Proper namespace lifecycle management and cleanup procedures should be in place.
The admission control configuration must allow namespace lifecycle enforcement.
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to your EKS Cluster.
Go to the Node Group or EKS configuration details.
Check the --enable-admission-plugins flag and verify that NamespaceLifecycle is listed among the enabled plugins.
Using AWS CLI:
Run the following AWS CLI command to describe your EKS cluster's configuration:
aws eks describe-cluster --name <cluster-name> --query "cluster.config"
Ensure that NamespaceLifecycle is listed under --enable-admission-plugins.
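The flag check from the Test Plan, written out as an added example (not part of the original benchmark text): a shell function that classifies NamespaceLifecycle from a kube-apiserver argument list, including the --disable-admission-plugins case that a search of the enable list alone would miss. It assumes the arguments were already captured as text; the function names and the sample argument lists are constructed for illustration.

```sh
#!/bin/sh
# Added example, not benchmark text. Classifies NamespaceLifecycle from
# kube-apiserver arguments passed as "$@".
# Result: explicit | default | disabled | conflict
#   default  = named in neither flag, so it relies on the built-in default
#   conflict = named in both flags; treat as a finding and review
namespace_lifecycle_status() (
    plugin="NamespaceLifecycle"; enable=""; disable=""
    while [ "$#" -gt 0 ]; do
        arg="$1"; shift
        case "$arg" in
            # --flag=value form; repeated flags are merged so none is missed
            --enable-admission-plugins=*)  enable="$enable,${arg#*=}" ;;
            --disable-admission-plugins=*) disable="$disable,${arg#*=}" ;;
            # --flag value form: the value is the next argument
            --enable-admission-plugins)
                if [ "$#" -gt 0 ]; then enable="$enable,$1"; shift; fi ;;
            --disable-admission-plugins)
                if [ "$#" -gt 0 ]; then disable="$disable,$1"; shift; fi ;;
        esac
    done
    # Comma-delimited match so a longer plugin name never matches by prefix
    in_enable=no; in_disable=no
    case "$enable,"  in *",$plugin,"*) in_enable=yes ;; esac
    case "$disable," in *",$plugin,"*) in_disable=yes ;; esac
    case "$in_enable/$in_disable" in
        yes/yes) echo conflict ;;
        no/yes)  echo disabled ;;
        yes/no)  echo explicit ;;
        *)       echo default ;;
    esac
)

# Pass/fail wrapper: only an explicit disable or a conflict fails the check.
namespace_lifecycle_check() {
    case "$(namespace_lifecycle_status "$@")" in
        explicit|default) return 0 ;;
        *)                return 1 ;;
    esac
}

# Constructed sample argument lists (not taken from a real cluster).
namespace_lifecycle_status kube-apiserver --enable-admission-plugins=NodeRestriction,NamespaceLifecycle
namespace_lifecycle_status kube-apiserver --enable-admission-plugins NodeRestriction
namespace_lifecycle_status kube-apiserver --disable-admission-plugins=NamespaceLifecycle
```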
Implementation Plan:
Using AWS Console:
Navigate to the EKS cluster in the AWS Console.
Under the Cluster Configuration section, modify the API server's settings.
Ensure that the NamespaceLifecycle admission control plugin is enabled.
Save the configuration and apply the changes.
Using AWS CLI:
Update the --enable-admission-plugins argument to include NamespaceLifecycle:
aws eks update-cluster-config --name <cluster-name> --kubernetes-version <kubernetes-version> --enable-admission-plugins NamespaceLifecycle
Backout Plan:
Using AWS Console:
Navigate to the EKS cluster's API server configuration.
If necessary, remove NamespaceLifecycle from the list of enabled admission control plugins.
Save the configuration and redeploy the cluster.
Using AWS CLI:
If issues occur, revert the change using:
aws eks update-cluster-config --name <cluster-name> --kubernetes-version <kubernetes-version> --disable-admission-plugins NamespaceLifecycle
References:
Kubernetes Admission Control Documentation