Namespaces
Namespace Isolation
Kubernetes provides a feature called namespaces to isolate resources within the same cluster. This isolation is crucial in a multi-tenant environment where different users or teams share the same Kubernetes cluster.
However, setting up and managing this isolation can be a complex task. This is where kspacr comes in, automating the configuration for each namespace and ensuring a secure and efficient environment.
Users & Service Accounts
kspacr ensures that every Kubernetes User and Service Account is restricted by Role-Based Access Control (RBAC) to only access its namespace. This means that users can only see and interact with resources within their assigned namespace, ensuring data privacy and reducing the risk of accidental interference.
Users with the necessary permissions can create additional service accounts in their namespaces.
Pre-defined RBAC Roles
kspacr provides carefully crafted pre-defined RBAC roles for read and read/write access for every namespace. This allows for fine-grained access control, ensuring that users have the necessary permissions for their tasks without granting them unnecessary privileges.
Users with the necessary permissions can create more RBAC roles in their namespaces. To avoid privilege escalation, these roles cannot have more permissions than the user's role.
Pod Security Standard
kspacr automatically applies the restricted Pod Security Standard level to each Namespace using the standard Pod Security admission controller. This ensures that users cannot break out of their pod and namespace limits. The Restricted policy is aimed at enforcing current Pod hardening best practices, at the expense of some compatibility. This prevents users from accessing resources outside their namespace, further enhancing security.
Network Policies
kspacr applies Network Policies to isolate network traffic between namespaces. By default, a zero-trust policy is applied, meaning that pods in a namespace are not allowed to communicate with pods in another namespace unless explicitly allowed. This prevents unauthorized network access and data leakage.
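The Pod Security Standard and Network Policy isolation described above, written as plain Kubernetes manifests. This is an added illustration, not kspacr's own generated configuration; the namespace names team-a and monitoring, the app: web label and the policy names are hypothetical.

```yaml
# Added illustration (not kspacr output). All names are hypothetical.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
  labels:
    # Read by the built-in Pod Security admission controller: pods that
    # violate the "restricted" profile are rejected at admission time.
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    # Also report violations as client warnings and audit annotations.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-from-other-namespaces
  namespace: team-a
spec:
  podSelector: {}          # empty selector: every pod in team-a
  policyTypes:
    - Ingress
  ingress:
    # A podSelector with no namespaceSelector matches only pods in the
    # policy's own namespace, so ingress from other namespaces is dropped.
    - from:
        - podSelector: {}
---
# Explicit exception. NetworkPolicies are additive, so this opens one
# path without weakening the default above.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-monitoring-to-web
  namespace: team-a
spec:
  podSelector:
    matchLabels:
      app: web
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # Label the API server sets on every namespace.
              kubernetes.io/metadata.name: monitoring
```

NetworkPolicy objects are only enforced when the cluster's network plugin implements them; on a plugin without support they are accepted by the API server and have no effect.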
Resource Quotas
kspacr applies Resource Quotas to limit the computing and storage resources available per namespace. This prevents a single namespace from consuming all the resources in the cluster, ensuring fair resource allocation and preventing resource starvation.
Limit Ranges
kspacr applies Limit Ranges to automatically define resource limits for containers and pods. This ensures that each container and pod within a namespace has a defined limit for resource consumption, preventing them from consuming excessive resources and affecting other containers and pods.
Kyverno - Admission Controller
kspacr uses Kyverno, a Kubernetes Native Policy Manager and Admission Controller, to validate every API server request and perform extensive security checks using these security policies. This ensures that all requests are valid and secure, preventing unauthorized or malicious actions.