Kubernetes Deep Dive

Sign Up Free or Log In to participate!

Kubernetes namespace isolation

In this session, Nigel advising against namespaces as an isolation mechanism, I believe in Openshift3.x , that is what is used to separate users for multitenancy as well as projects. it is true that they also have selinux as part of the mix . some other k8s distros sperate them by cluster, and now in Openshift 4.x I believe one can have his own cluster, not totally 100% sure.

so what are the recommended best isolations for users, projects, business units? and what is out there?

1 Answers

In my opinion, K8S cluster objects are separeted by 3 factors, responsebility/ security/management/cost.

-responsebility

Mainly separeted by projects, stakeholders in your organizations.

We should use namespace isolation for this reason.

-security

If you separate phisical network among project/environment for company’s requirement,

of course you should separate k8s cluster.

In addition, if you use CI/CD tools in your environment, you should consider that how to move your containers among environment.

-Management

For k8s administrator, minimum k8s clusters are better to manage.

At a minimum, k8s administrator should manage Production2, Develop2 clusters.(For upgrade k8s cluster)

https://twitter.com/kelseyhightower/status/1138586423978672129

Separating cluster for projects, it become hard task for k8s admins.

(Backup, Monitoring, Upgrade, Certificate management…)

-Cost

In most cases, Cluster-level separeting is costly due to node core based license, or cluster-based chage.

I like this example for considering how isolate k8s resources

https://www.youtube.com/watch?v=gl131UXp5yo

I hope this would help for you!

Walid Shaari

Thank you for the links and your input

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?