Namespaces

HNC

Hierarchical Namespace Controller (HNC) is included in Compliant Kubernetes. It allows the super application developer to manage namespaces as subnamespaces and delegates access automatically. From the perspective of Kubernetes these are regular namespaces, but the user can modify them via a namespaced resource. Building a good namespace structure will enable you to apply namespace-scoped RBAC resources to multiple namespaces at once.

Namespace Management

Creating a subnamespace:

kubectl apply -f - <<EOF
apiVersion: hnc.x-k8s.io/v1alpha2
kind: SubnamespaceAnchor
metadata:
  name: <descendant-namespace>
  namespace: <parent-namespace>
EOF

Verify that it gets created:

kubectl get ns <descendant-namespace>

Verify that it gets configured:

$ kubectl get subns -n <parent-namespace> <descendant-namespace> -o yaml
apiVersion: hnc.x-k8s.io/v1alpha2
kind: SubnamespaceAnchor
metadata:
  ...
  name: <descendant-namespace>
  namespace: <parent-namespace>
...
status:
  status: Ok

If the status is Ok, the subnamespace is ready to go.

Tip

HNC also comes with the HNS kubectl plugin.

Using this plugin, creating subnamespaces is as easy as:

kubectl hns create -n <parent-namespace> <descendant-namespace>

The plugin also provides more detailed information using:

kubectl hns describe <namespace>

kubectl hns tree <namespace>

Resource Propagation

When a subnamespace is created, all Roles and RoleBindings propagate from the parent namespace to the descendant namespace to ensure that correct access is set. This is what lets you apply namespace-scoped RBAC resources to multiple namespaces at once. Propagated copies cannot be modified, and a Role or RoleBinding cannot be created in a parent namespace if it conflicts with a resource in a descendant namespace. To make an exception, annotate the Role or RoleBinding with propagate.hnc.x-k8s.io/none: "true" to prevent it from being propagated at all. Another option is to propagate only to selected descendant namespaces with propagate.hnc.x-k8s.io/treeSelect: ...; include descendant namespaces with <descendant-namespace> or exclude namespaces with !<descendant-namespace>.
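
As an added example (not taken from the Compliant Kubernetes documentation), the manifest below uses both annotations to keep access narrow in a namespace tree. The namespaces team-a and team-a-prod, the group team-a-developers and the resource names are assumptions made for illustration.

```yaml
# Added example; every name here (team-a, team-a-prod, team-a-developers,
# secret-reader, dev-edit) is hypothetical.
#
# Role that must exist in the parent namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-reader
  namespace: team-a
  annotations:
    propagate.hnc.x-k8s.io/none: "true"
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
---
# Binding for that Role. It is also excluded from propagation, so no
# descendant receives a binding to a Role it does not have.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: secret-reader
  namespace: team-a
  annotations:
    propagate.hnc.x-k8s.io/none: "true"
subjects:
  - kind: Group
    name: team-a-developers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: secret-reader
  apiGroup: rbac.authorization.k8s.io
---
# Binding that propagates to descendants, but not to team-a-prod.
# The value is quoted because a leading "!" is a tag indicator in YAML.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-edit
  namespace: team-a
  annotations:
    propagate.hnc.x-k8s.io/treeSelect: "!team-a-prod"
subjects:
  - kind: Group
    name: team-a-developers
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit   # built-in Kubernetes user-facing ClusterRole
  apiGroup: rbac.authorization.k8s.io
```

After applying it, kubectl get rolebinding dev-edit -n team-a-prod should return NotFound, and secret-reader should be present only in team-a.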

Note

In Compliant Kubernetes v0.27.0 and later, NetworkPolicies will also propagate from the parent namespace to the descendant namespace, just like Roles and RoleBindings.

Further Reading