Profile Applicability:

  • Level 1

Description:
 Kubernetes automatically creates a default namespace for all resources that are not explicitly assigned to a namespace. This check ensures that the default namespace is not used for application workloads and that custom namespaces are created for better resource organization, security, and management.

Rationale:
 Using the default namespace for all workloads makes it harder to manage and apply access control policies, as all resources are grouped together. By creating and using custom namespaces, you can more effectively manage workloads, apply role-based access control (RBAC) policies, and apply resource quotas. Additionally, namespaces help to isolate resources and improve security.

Impact:

  • Pros:

    • Enhances organization by categorizing workloads into custom namespaces.

    • Improves security and resource isolation by applying RBAC and resource quotas on a per-namespace basis.

    • Simplifies workload management and troubleshooting by logically grouping resources.

  • Cons:

    • Requires additional configuration and planning to ensure workloads are placed in appropriate namespaces.

    • Increases complexity for managing multiple namespaces in large environments.

Default Value:
 By default, all resources in Kubernetes are created in the default namespace unless another namespace is explicitly specified.

Pre-requisites:
 Ensure that namespaces are configured for different workloads, and that RBAC policies and resource quotas are in place to manage workloads effectively.

Test Plan:

Using Azure Console:

  1. Navigate to the Azure portal and review the Kubernetes resources in your Azure Kubernetes Service (AKS) cluster.

  2. Check if any workloads (pods, deployments, services) are using the default namespace.

  3. Ensure that workloads are grouped into logical custom namespaces based on team, project, or environment.

Using Azure CLI:

  1. List all resources and check their namespaces:

     kubectl get all --all-namespaces

  2. Verify that no resources are using the default namespace for application workloads.

  3. Check if custom namespaces are used by listing namespaces:

     kubectl get namespaces

  4. Ensure that workloads are deployed in appropriate namespaces and not in default.
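
The CLI check above can be scripted. The following is an added example, not part of the original benchmark text: it filters the table printed by kubectl get all --all-namespaces for resources in the default namespace, skipping the built-in service/kubernetes object that Kubernetes maintains there. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag application workloads left in the "default" namespace.
# Input is the table printed by: kubectl get all --all-namespaces

# Constructed sample output (not taken from a real cluster).
sample_output() {
cat <<'EOF'
NAMESPACE     NAME                           READY   STATUS    RESTARTS   AGE
default       pod/web-7d4b9c6f5-x2k8p        1/1     Running   0          3d
kube-system   pod/coredns-5d78c9869d-abcde   1/1     Running   0          30d
payments      pod/api-6c9f7b8d4-q1w2e        1/1     Running   0          2d

NAMESPACE     NAME                 TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)   AGE
default       service/kubernetes   ClusterIP   10.0.0.1      <none>        443/TCP   30d
default       service/web          ClusterIP   10.0.12.34    <none>        80/TCP    3d
payments      service/api          ClusterIP   10.0.56.78    <none>        80/TCP    2d

NAMESPACE     NAME                  READY   UP-TO-DATE   AVAILABLE   AGE
default       deployment.apps/web   1/1     1            1           3d
payments      deployment.apps/api   1/1     1            1           2d
EOF
}

# Print kind/name for every resource in "default", skipping the built-in
# service/kubernetes object that is always present in that namespace.
default_ns_workloads() {
  awk '$1 == "default" && $2 != "service/kubernetes" { print $2 }'
}

# Return 0 when the default namespace holds no workloads, 1 otherwise.
check_default_ns() {
  found=$(default_ns_workloads)
  if [ -n "$found" ]; then
    printf 'FAIL: resources in default namespace:\n%s\n' "$found"
    return 1
  fi
  echo 'PASS: no application workloads in default namespace'
}

# Against a live cluster: kubectl get all --all-namespaces | check_default_ns
sample_output | check_default_ns || true
```

kubectl get all lists only a subset of resource kinds (pods, services, deployments, replica sets and similar), so ConfigMaps and Secrets in the default namespace need a separate query.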

Implementation Plan:

Using Azure Console:

  1. In the Azure portal, create custom namespaces for different teams, projects, or environments by navigating to Kubernetes Services and selecting Namespaces.

  2. Assign appropriate namespaces to workloads by editing the deployment specifications and ensuring they are created in their respective custom namespaces.

  3. Configure RBAC and resource quotas for each namespace to control access and manage resources effectively.

Using Azure CLI:

  1. Create custom namespaces for different workloads or teams:

     kubectl create namespace <namespace-name>

  2. Update deployment specifications to assign workloads to custom namespaces:

     kubectl apply -f deployment.yaml --namespace=<namespace-name>

  3. Assign RBAC roles to users based on the namespace using the following command:

     kubectl create rolebinding <rolebinding-name> --role=<role-name> --serviceaccount=<namespace-name>:<service-account-name> --namespace=<namespace-name>

  4. Ensure that all application workloads are deployed in their respective namespaces and not in the default namespace.

Backout Plan:

Using Azure Console:

  1. If workloads in custom namespaces cause issues, revert the configuration by switching back to the default namespace in the Azure portal.

  2. Reassign workloads to the default namespace if necessary.

Using Azure CLI:

  1. Revert any namespace-related changes by moving resources back to the default namespace:

     kubectl apply -f deployment.yaml --namespace=default

  2. Remove any namespace-specific RBAC or resource quota configurations if necessary.
