Configure Kubernetes namespaces

In a Kubernetes cluster, namespaces provide a logical layer of isolation between users and groups of users. Namespaces enable you to assign resource quotas and security limits to your workloads and users, as well as establish organizational, procedural, and security boundaries.

Isolate a user to a specific namespace

If you want to restrict the actions that an OpenStack user can perform in a Kubernetes cluster, you can do so by assigning that user admin privileges in a specific Kubernetes namespace. Such a user can perform any actions in that namespace, but their privileges are limited in other namespaces.

  1. Create an OpenStack user by using the Horizon Dashboard or OpenStack CLI:

    $ openstack user create foo --password "password"
      +---------------------+----------------------------------+
      | Field               | Value                            |
      +---------------------+----------------------------------+
      | domain_id           | default                          |
      | enabled             | True                             |
      | id                  | 273842e69d844fe3a432c54e270f2e66 |
      | name                | foo                              |
      | password_expires_at | None                             |
      +---------------------+----------------------------------+
    
  2. Create a namespace:

    $ kubectl create namespace foo-dev
      namespace "foo-dev" created
    
  3. Optionally, define a NetworkPolicy for the namespace.

    See Configure network policies. Although this step is optional, a network policy adds a further layer of isolation in a multitenant environment by restricting which Pods can talk to the namespace's workloads.

  4. Give the user administrative privileges in the created namespace by configuring a RoleBinding:

    $ kubectl create -f- <<EOF
      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        namespace: foo-dev
        name: foo-admin
      roleRef:
        kind: ClusterRole
        name: admin
        apiGroup: rbac.authorization.k8s.io
      subjects:
      - kind: User
        name: foo
        apiGroup: rbac.authorization.k8s.io
      - kind: Group
        name: system:serviceaccounts:foo-dev
        apiGroup: rbac.authorization.k8s.io
      EOF
      rolebinding "foo-admin" created
    

    The user foo now has the predefined Kubernetes admin role within foo-dev, which permits creating any resource inside foo-dev. Because the admin ClusterRole is granted through a namespaced RoleBinding rather than a ClusterRoleBinding, the user cannot create resources outside the foo-dev namespace and is also prevented from using certain Pod features, as described in Configure Pod security policies. The user can download the kubeconfig file from the Rackspace KaaS UI to access the cluster API.
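    The isolation above depends on binding the admin ClusterRole through a RoleBinding to subjects that belong to foo-dev only. As an added example (not part of this documentation or of Rackspace KaaS), the script below audits bindings of that shape for grants that escape the namespace; manifests are modelled as plain dicts to avoid a YAML dependency, and the broad counter-example is constructed.

```python
# Added example (not from the Rackspace KaaS docs): audit RBAC bindings for
# grants that reach beyond the single namespace a user is isolated to.

BROAD_GROUPS = {"system:authenticated", "system:unauthenticated",
                "system:serviceaccounts"}
POWERFUL_ROLES = {"admin", "edit", "cluster-admin"}

# The page's RoleBinding: 'admin' ClusterRole scoped to foo-dev by a RoleBinding.
PAGE_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"namespace": "foo-dev", "name": "foo-admin"},
    "roleRef": {"kind": "ClusterRole", "name": "admin"},
    "subjects": [
        {"kind": "User", "name": "foo"},
        {"kind": "Group", "name": "system:serviceaccounts:foo-dev"},
    ],
}

# Constructed counter-example: same role, bound cluster-wide and to every service account.
BROAD_BINDING = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "foo-admin-broad"},
    "roleRef": {"kind": "ClusterRole", "name": "admin"},
    "subjects": [
        {"kind": "User", "name": "foo"},
        {"kind": "Group", "name": "system:serviceaccounts"},
    ],
}


def audit_binding(binding):
    """Return human-readable findings for one RoleBinding or ClusterRoleBinding."""
    findings = []
    kind = binding["kind"]
    name = binding["metadata"]["name"]
    ns = binding["metadata"].get("namespace")  # None for ClusterRoleBinding
    role = binding["roleRef"]["name"]
    if kind == "ClusterRoleBinding" and role in POWERFUL_ROLES:
        findings.append(f"{name}: {role} granted cluster-wide via ClusterRoleBinding")
    if kind == "RoleBinding" and role == "cluster-admin":
        findings.append(f"{name}: cluster-admin bound in {ns}; 'admin' suffices")
    for subj in binding.get("subjects", []):
        sname = subj["name"]
        if subj["kind"] == "Group" and sname in BROAD_GROUPS:
            findings.append(f"{name}: group {sname} covers every identity of its class")
        elif subj["kind"] == "Group" and sname.startswith("system:serviceaccounts:"):
            sa_ns = sname.split(":", 2)[2]  # namespace part of the group name
            if kind == "RoleBinding" and sa_ns != ns:
                findings.append(f"{name}: service accounts of {sa_ns} granted {role} in {ns}")
    return findings
```

Run `audit_binding` over every binding returned by `kubectl get rolebindings,clusterrolebindings -A -o json` to confirm that namespace admins stay namespaced.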