[Suggestion] Best Practices for Namespace

[knowlengr]

Consideration of best or suggested practices for namespace management.

Possible Impact

• Additional layer of control for zero trust inspection / enforcement
• Improved granularity for telemetry / observability for cloud workloads
• Connect namespace to broader metadata objectives, including designations for PII, confidential computing, cost, semantic dependencies within applications
• Resilience when namespace is an attack target

Additional Research Possibly relevant references. (Personal research is ongoing.)

• I. -M. Stan, D. Rosner and Ş. -D. Ciocîrlan, "Enforce a Global Security Policy for User Access to Clustered Container Systems via User Namespace Sharing," 2020 19th RoEduNet Conference: Networking in Education and Research (RoEduNet), 2020, pp. 1-6, doi: 10.1109/RoEduNet51892.2020.9324866.
• C. L. Abad, H. Luu, N. Roberts, K. Lee, Y. Lu and R. H. Campbell, "Metadata Traces and Workload Models for Evaluating Big Storage Systems," 2012 IEEE Fifth International Conference on Utility and Cloud Computing, 2012, pp. 125-132, doi: 10.1109/UCC.2012.27.
• I. -M. Stan, D. Rosner and Ş. -D. Ciocîrlan, "Enforce a Global Security Policy for User Access to Clustered Container Systems via User Namespace Sharing," 2020 19th RoEduNet Conference: Networking in Education and Research (RoEduNet), 2020, pp. 1-6, doi: 10.1109/RoEduNet51892.2020.9324866.

Related

• Share a Cluster with Namespaces: This page shows how to view, work in, and delete namespaces. The page also shows how to use Kubernetes namespaces to subdivide your cluster
• Kubernetes best practices: Organizing with Namespaces
• Kubernetes Namespaces Demystified - How To Make The Most of Them
• Palo Alto Prisma Cloud Microsegmentation Administrator's Guide: Microsegmentation namespaces
• How to Design and Implement an Effective Container Micro-Segmentation Strategy with Kubernetes (Illumio)
• Tanzu Kubernetes Grid Workload Isolation using NSX-T Micro Segmentation
• KubeSlice Overview
• Micro-Segmentation with Istio Authorization
• Google Cloud Workload Identity with Kubernetes and Terraform: A tutorial on improving your security posture with Google Kubernetes Engine workloads
• Vault namespace API locking
• Cross-namespace communication in Kubernetes
• Security namespaces in Azure
• Namespace in Google Chronicle
• Onboarding namespaces in Open Service Mesh

[lumjjb]

Sorry a bit of a lag here, but i think a few things i mentioned during the call were openshift projects that tried to implement more defined security boundaries around k8s.

Also the Flux multitenancy proposal may be a good data point as well - not sure if this is the best link: https://github.com/fluxcd/flux2-multi-tenancy

[JimBugwadia]

Relatively new entry in the K8s docs that discusses various isolation levels from a multi-tenancy perspective:

https://kubernetes.io/docs/concepts/security/multi-tenancy/

[stale[bot]]

This issue has been automatically marked as inactive because it has not had recent activity.

[stale[bot]]

This issue has been automatically marked as inactive because it has not had recent activity.

[anvega]

Closing as this has been inactive for a few years. Please feel free to reopen if there is renewed interest in pursuing this.