Namespaces¶
HNC¶
Hierarchical Namespace Controller (HNC) is included in Compliant Kubernetes. It allows the Application Developer to manage namespaces as subnamespaces and delegates access automatically. From the perspective of Kubernetes these are regular namespaces, but these can be modified via a namespaced resource by the user. Building a good namespace structure will enable you to apply namespace-scoped RBAC resources to multiple namespaces at once.
Namespace Management¶
Creating a subnamespace:
kubectl apply -f - <<EOF
apiVersion: hnc.x-k8s.io/v1alpha2
kind: SubnamespaceAnchor
metadata:
name: <descendant-namespace>
namespace: <parent-namespace>
EOF
Verify that it gets created:
kubectl get ns <descendant-namespace>
Verify that it gets configured:
$ kubectl get subns -n <parent-namespace> <descendant-namespace> -o yaml
apiVersion: hnc.x-k8s.io/v1alpha2
kind: SubnamespaceAnchor
metadata:
...
name: <descendant-namespace>
namespace: <parent-namespace>
...
status:
status: Ok
If the status is Ok then the subnamespace is ready to go.
Tip
HNC also comes with the HNS kubectl plugin.
Using this plugin creating subnamespaces is as easy as:
kubectl hns create -n <parent-namespace> <descendant-namespace>
And provides more detailed information using:
kubectl hns describe <namespace>
kubectl hns tree <namespace>
Resource Propagation¶
When a subnamespace is created all Roles, RoleBindings and NetworkPolicies will propagate from the parent namespace to the descendant namespace to ensure that correct access is set. This is what lets you apply namespace-scoped RBAC resources to multiple namespaces at once.
Propagated copies cannot be modified, these types of resources cannot be created in a parent namespace if it conflicts with a resource in a descendant namespace.
To put an exception, annotate the Role, RoleBinding or NetworkPolicy with propagate.hnc.x-k8s.io/none: "true" to prevent it from being propagated at all.
Another option is to only propagate to selected descendant namespaces use propagate.hnc.x-k8s.io/treeSelect: ..., include descendant namespaces with <descendant-namespace> or exclude namespaces with !<descendant-namespace>.
Opt-in Propagation¶
HNC has the option to enable opt-in propagation for additional resources such as Secrets. This allows you to specify additional resources that you want propagated, but only if the object has a valid selector annotation set, while ignoring others. If you want to enable this feature, you can file a service ticket or contact your Platform Administrator with a list of resources that you want it enabled for.