Kubernetes Deep Dive Room


Kubernetes namespace isolation

In this session, Nigel advises against namespaces as an isolation mechanism. I believe in OpenShift 3.x that is what is used to separate users for multitenancy as well as projects. It is true that they also have SELinux as part of the mix. Some other k8s distros separate them by cluster, and now in OpenShift 4.x I believe one can have his own cluster, not totally 100% sure.

So what are the recommended best isolations for users, projects, business units? And what is out there?

1 Answer

In my opinion, K8S cluster objects are separated by 3 factors, responsibility/security/management/cost.

-Responsibility

Mainly separated by projects, stakeholders in your organizations.

We should use namespace isolation for this reason.

-Security

If you separate the physical network among projects/environments for the company's requirements, of course you should separate k8s clusters.

In addition, if you use CI/CD tools in your environment, you should consider how to move your containers among environments.

-Management

For a k8s administrator, a minimum number of k8s clusters is better to manage.

At a minimum, a k8s administrator should manage Production2, Develop2 clusters. (For upgrading the k8s cluster)

https://twitter.com/kelseyhightower/status/1138586423978672129

Separating clusters for projects becomes a hard task for k8s admins.

(Backup, Monitoring, Upgrade, Certificate management…)

-Cost

In most cases, cluster-level separation is costly due to node-core-based licenses or cluster-based charges.

I like this example for considering how to isolate k8s resources

https://www.youtube.com/watch?v=gl131UXp5yo

I hope this helps you!

Walid Shaari

Thank you for the links and your input
