Profile Applicability:
Level 1
Description:
Namespaces in Kubernetes provide a way to organize and isolate resources within a cluster. By creating namespaces, you can create administrative boundaries between different workloads and teams. This check ensures that namespaces are used effectively to segment resources, enforce security boundaries, and simplify resource management.
Rationale:
Using namespaces allows you to logically separate namespace-scoped resources, such as pods, services, and deployments, into distinct groups. This segmentation improves resource organization, enables access control at the namespace level (RBAC Roles and RoleBindings), and makes it easier to manage and scale resources. By defining clear administrative boundaries, you can enforce policies, limit resource usage with ResourceQuotas, and improve the overall security and operational efficiency of the cluster. Note that a namespace is an administrative boundary, not a hard isolation boundary: pods in different namespaces still share the same nodes and kernel, and can reach each other over the network unless a NetworkPolicy restricts that traffic.
Impact:
Pros:
Helps manage complex environments by logically grouping resources.
Enables role-based access control (RBAC) and resource quotas within namespaces for better security and governance.
Simplifies resource management and monitoring by isolating resources at the namespace level.
Cons:
Requires additional setup and management of namespaces.
May increase administrative overhead, especially in large-scale environments with many teams or workloads.
Default Value:
By default, namespace-scoped resources are created in the default namespace unless a namespace is specified. A new cluster also contains the kube-system, kube-public and kube-node-lease namespaces used by system components. Using additional namespaces for administrative boundaries requires manual configuration.
Pre-requisites:
Namespaces are a built-in feature of every Kubernetes cluster, so no cluster-level enablement is required. Ensure that you have credentials for the cluster (for example via az aks get-credentials) and that Kubernetes RBAC and resource quota policies are used to manage resources at the namespace level.
Remediation:
Test Plan:
Using Azure Console:
Navigate to the Azure portal and access the Kubernetes cluster.
Review the namespaces within your AKS cluster and verify if namespaces are used for logical segmentation of resources.
Check if RBAC or resource quotas are applied to different namespaces to create effective administrative boundaries.
Using Azure CLI:
Obtain cluster credentials (az aks get-credentials), then list all namespaces in the Kubernetes cluster:
kubectl get namespaces
Ensure that namespaces are logically defined to create administrative boundaries between resources. In particular, verify that application workloads are not running in the default namespace, and that each application namespace has a ResourceQuota and RoleBindings applied.
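The following script is an added audit helper for this check; it is not part of the benchmark. It turns the test plan into three concrete findings: pods running in the default namespace, application namespaces without a ResourceQuota, and application namespaces without any RoleBinding. The pure functions operate on plain-text kubectl output so they can be exercised offline on constructed data; audit_cluster wires them to real kubectl calls and assumes kubectl already points at the AKS cluster.

```shell
#!/bin/sh
# Added audit helper (not from the benchmark). Assumes kubectl is configured
# for the cluster (az aks get-credentials ...). The pure functions take text so
# they can be tested on constructed kubectl-style output without a cluster.

# Namespaces every cluster ships with; application workloads should not live here.
SYSTEM_NS="default kube-system kube-public kube-node-lease"

# stdin: "namespace pod" lines, as produced by
#   kubectl get pods -A --no-headers -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name
# stdout: names of pods running in the default namespace (each one is a finding).
pods_in_default_ns() {
  awk '$1 == "default" { print $2 }'
}

# $1: newline-separated list of all namespaces in the cluster
# $2: newline-separated list of namespaces that contain at least one object of
#     the kind being checked (ResourceQuota, RoleBinding, ...)
# stdout: non-system namespaces from $1 that have no such object.
user_namespaces_missing() {
  printf '%s\n' "$1" | while read -r ns; do
    [ -n "$ns" ] || continue
    case " $SYSTEM_NS " in *" $ns "*) continue ;; esac
    printf '%s\n' "$2" | grep -qx -- "$ns" || printf '%s\n' "$ns"
  done
}

# Runs the three checks against the live cluster and prints the findings.
audit_cluster() {
  all_ns=$(kubectl get namespaces --no-headers -o custom-columns=NAME:.metadata.name)
  quota_ns=$(kubectl get resourcequotas -A --no-headers -o custom-columns=NS:.metadata.namespace | sort -u)
  rb_ns=$(kubectl get rolebindings -A --no-headers -o custom-columns=NS:.metadata.namespace | sort -u)

  echo "== Pods running in the default namespace =="
  kubectl get pods -A --no-headers \
    -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name | pods_in_default_ns
  echo "== Application namespaces without a ResourceQuota =="
  user_namespaces_missing "$all_ns" "$quota_ns"
  echo "== Application namespaces without any RoleBinding =="
  user_namespaces_missing "$all_ns" "$rb_ns"
}

# Only touch the cluster when explicitly asked: sh audit_namespaces.sh --run
if [ "${1:-}" = "--run" ]; then
  audit_cluster
fi
```

Any output under the three headings is a deviation from this check. A namespace that has a RoleBinding only to a ClusterRole such as admin is still reported as compliant here; review the bindings themselves (kubectl get rolebindings -n NAMESPACE -o wide) to confirm the granted permissions are appropriate.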
Implementation Plan:
Using Azure Console:
In the Azure portal, create separate namespaces for different teams, projects, or environments by navigating to the Kubernetes cluster and selecting Namespaces under the Kubernetes resources section of the cluster blade.
Apply RBAC or resource quotas at the namespace level to manage access and resource limits.
Ensure that resources, such as deployments, services, and pods, are created within their respective namespaces for effective separation.
Using Azure CLI:
Create a new namespace using the following command:
kubectl create namespace <namespace-name>
Apply resource quotas to the namespace to limit resource usage (e.g., CPU, memory):
kubectl create -f resource-quota.yaml --namespace=<namespace-name>
Create RBAC roles for the namespace and bind them to the appropriate users or groups (a Role grants nothing until a RoleBinding references it):
kubectl create role <role-name> --namespace=<namespace-name> --verb=<verbs> --resource=<resources>
Ensure that all resources, such as pods and services, are deployed within the correct namespaces by specifying the --namespace flag in your deployment commands.
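The following script is an added example of the implementation steps above; it is not part of the benchmark. It renders a Namespace, a ResourceQuota, a Role and a RoleBinding as a single manifest bundle and applies it with kubectl. The Azure AD group object ID used as the RoleBinding subject is a placeholder, and the quota values and Role rules are illustrative assumptions to be adjusted per team.

```shell
#!/bin/sh
# Added example (not part of the benchmark): renders and applies a team namespace
# with a ResourceQuota, a Role and a RoleBinding in one step.
# Assumes kubectl is configured for the cluster. The group object ID, quota
# values and Role rules are placeholders to adapt to your environment.

# $1 namespace name
# $2 Azure AD group object ID bound to the Role (placeholder)
# $3 CPU ceiling for the namespace, e.g. "4"
# $4 memory ceiling for the namespace, e.g. "8Gi"
render_namespace_bundle() {
  ns="$1"; group="$2"; cpu="$3"; mem="$4"
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: ${ns}
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: ${ns}-quota
  namespace: ${ns}
spec:
  hard:
    requests.cpu: "${cpu}"
    requests.memory: ${mem}
    limits.cpu: "${cpu}"
    limits.memory: ${mem}
    pods: "50"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${ns}-developer
  namespace: ${ns}
rules:
- apiGroups: ["", "apps"]
  resources: ["pods", "services", "configmaps", "deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${ns}-developer
  namespace: ${ns}
subjects:
- kind: Group
  name: ${group}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: ${ns}-developer
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Applies the rendered bundle to the current cluster.
apply_namespace_bundle() {
  render_namespace_bundle "$@" | kubectl apply -f -
}

# Usage: sh create_namespace.sh --apply team-a <aad-group-object-id> 4 8Gi
if [ "${1:-}" = "--apply" ]; then
  shift
  apply_namespace_bundle "$@"
fi
```

After the bundle is applied, deploy workloads into the namespace explicitly (kubectl apply -n team-a -f deployment.yaml). Because the ResourceQuota constrains requests and limits, the API server will reject any pod in that namespace that does not declare CPU and memory requests and limits; pair the quota with a LimitRange that supplies defaults if teams' manifests do not set them.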
Backout Plan:
Using Azure Console:
If applying namespaces causes issues with resource management or accessibility, use the Azure portal to delete or modify the namespaces, ResourceQuotas or RoleBindings you introduced.
Note that deleting a namespace deletes every object inside it, and Kubernetes cannot move an object between namespaces in place. If necessary, re-create the affected resources in the default namespace from their manifests before removing the namespace they were in.
Using Azure CLI:
Revert namespace-related changes by deleting the namespace once its workloads have been re-created elsewhere (this also deletes every object the namespace contains):
kubectl delete namespace <namespace-name>
Re-deploy resources to the default namespace or other namespaces from their manifests if required; objects cannot be reassigned to another namespace in place.