Profile Applicability:
Level 1
Description:
Kubernetes namespaces provide a way to organize and isolate resources within a cluster. By using namespaces, you can create administrative boundaries between different workloads and teams, enabling you to apply specific policies, access controls, and resource quotas to each namespace. This check ensures that Kubernetes resources are logically separated into different namespaces for better management, security, and scalability.
Rationale:
Using namespaces to create administrative boundaries is a best practice to ensure that workloads are isolated from one another, even if they share the same cluster. This separation allows you to define role-based access control (RBAC) policies, set resource quotas, and apply security policies to each namespace independently, reducing the risk of unintentional cross-namespace communication or resource contention.
Impact:
Pros:
Improves resource management by logically grouping resources.
Enhances security and control by enabling fine-grained policies through namespaces.
Facilitates easier troubleshooting and monitoring by isolating workloads.
Cons:
Requires additional configuration to ensure resources are assigned to the appropriate namespaces.
Increased administrative overhead if there are many namespaces to manage.
Default Value:
By default, all Kubernetes resources are placed in the default namespace unless another namespace is specified. Using custom namespaces requires manual configuration.
Pre-requisites:
Ensure that you have a clear namespace strategy and that RBAC policies and resource quotas are configured for the namespaces.
Test Plan:
Using Azure Console:
Navigate to the Azure portal and review the Kubernetes cluster settings.
Check if resources such as pods, services, and deployments are placed in custom namespaces instead of the default namespace.
Ensure that appropriate resource quotas, RBAC policies, and network policies are applied to the namespaces to manage access and resources effectively.
Using Azure CLI:
List all namespaces in the cluster to check for resources placed in the default namespace:
kubectl get namespaces
Verify that resources are placed in custom namespaces:
kubectl get all --all-namespaces
Review the resource allocation and RBAC policies applied to each namespace:
kubectl get resourcequotas --all-namespaces
kubectl get rolebindings --all-namespaces
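The checks in this test plan can be scripted. The following is an added example, not part of the original benchmark text: it flags workloads left in the default namespace and custom namespaces that have no ResourceQuota. The function names, the custom-columns invocations shown in the comments, and the sample listings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Live input for the functions can come from, for instance:
#   kubectl get pods,deployments,services --all-namespaces --no-headers \
#     -o custom-columns=NS:.metadata.namespace,KIND:.kind,NAME:.metadata.name
#   kubectl get namespaces --no-headers -o custom-columns=NAME:.metadata.name
#   kubectl get resourcequotas --all-namespaces --no-headers \
#     -o custom-columns=NS:.metadata.namespace

# stdin: "NAMESPACE KIND NAME" rows. Prints KIND/NAME for each workload in the
# default namespace; the built-in "kubernetes" Service there is not a finding.
default_ns_workloads() {
  awk '$1 == "default" && !($2 == "Service" && $3 == "kubernetes") { print $2 "/" $3 }'
}

# stdin: namespace names. $1: namespaces owning at least one ResourceQuota
# (or RoleBinding). Prints namespaces with none; default and kube-* are
# skipped (assumption: system namespaces are managed separately).
namespaces_missing() {
  covered=$(printf '%s' "$1" | tr '\n' ' ')
  awk -v covered="$covered" '
    BEGIN { n = split(covered, c, " "); for (i = 1; i <= n; i++) have[c[i]] = 1 }
    $1 != "default" && $1 !~ /^kube-/ && !($1 in have) { print $1 }'
}

# Constructed sample listings (not from a real cluster).
sample_workloads() { cat <<'EOF'
default      Service     kubernetes
default      Pod         debug-shell
default      Deployment  legacy-api
payments     Deployment  ledger
kube-system  Deployment  coredns
EOF
}
sample_namespaces() { printf '%s\n' default kube-system kube-public payments web staging; }
sample_quota_ns() { printf '%s\n' payments payments web; }

# Prints one finding per line; returns 1 if anything was found.
audit_sample() {
  findings=$(
    sample_workloads | default_ns_workloads | sed 's/^/in-default-namespace: /'
    sample_namespaces | namespaces_missing "$(sample_quota_ns)" | sed 's/^/no-resourcequota: /'
  )
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

audit_sample || true
```

The same `namespaces_missing` function works for RBAC coverage when it is given the namespace column of the rolebindings listing instead of the resourcequotas listing.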
Implementation Plan:
Using Azure Console:
In the Azure portal, create custom namespaces for different teams, applications, or environments by navigating to Kubernetes Services and selecting Namespaces.
Ensure that the default namespace is not used for workloads, and assign appropriate custom namespaces for each application or environment.
Apply RBAC policies and resource quotas to the namespaces to control access and resource consumption.
Update the Pod and Deployment specifications to use the custom namespaces by editing the YAML files or through the Azure portal.
Using Azure CLI:
Create custom namespaces for different teams or applications:
kubectl create namespace <namespace-name>
Apply RBAC roles or resource quotas to the namespaces to manage resources:
kubectl apply -f resource-quota.yaml --namespace=<namespace-name>
kubectl apply -f rbac-policy.yaml --namespace=<namespace-name>
Modify deployment configurations to specify the custom namespace:
kubectl apply -f deployment.yaml --namespace=<namespace-name>
Backout Plan:
Using Azure Console:
If using custom namespaces causes issues, revert the configuration by switching the workloads back to the default namespace in the Azure portal.
Remove the RBAC policies and resource quotas from the namespaces if necessary.
Using Azure CLI:
Revert any namespace-related changes by moving resources back to the default namespace:
kubectl apply -f deployment.yaml --namespace=default
Remove the applied RBAC roles or resource quotas with the following commands:
kubectl delete resourcequota <resourcequota-name> --namespace=<namespace-name>
kubectl delete rolebinding <rolebinding-name> --namespace=<namespace-name>