Namespaces
HNC
Hierarchical Namespace Controller (HNC) is included in Compliant Kubernetes. It allows the super Application Developer to manage namespaces as subnamespaces and delegates access automatically. From the perspective of Kubernetes these are regular namespaces, but the user can modify them through a namespaced resource. Building a good namespace structure enables you to apply namespace-scoped RBAC resources to multiple namespaces at once.
Namespace Management
Creating a subnamespace:
kubectl apply -f - <<EOF
apiVersion: hnc.x-k8s.io/v1alpha2
kind: SubnamespaceAnchor
metadata:
  name: <descendant-namespace>
  namespace: <parent-namespace>
EOF
Verify that it gets created:
kubectl get ns <descendant-namespace>
Verify that it gets configured:
$ kubectl get subns -n <parent-namespace> <descendant-namespace> -o yaml
apiVersion: hnc.x-k8s.io/v1alpha2
kind: SubnamespaceAnchor
metadata:
  ...
  name: <descendant-namespace>
  namespace: <parent-namespace>
  ...
status:
  status: Ok
If the status is Ok, then the subnamespace is ready to go.
Tip
HNC also comes with the HNS kubectl plugin.
Using this plugin, creating subnamespaces is as easy as:
kubectl hns create -n <parent-namespace> <descendant-namespace>
The plugin also provides more detailed information using:
kubectl hns describe <namespace>
kubectl hns tree <namespace>
Resource Propagation
When a subnamespace is created, all Roles and RoleBindings will propagate from the parent namespace to the descendant namespace to ensure that correct access is set. This is what lets you apply namespace-scoped RBAC resources to multiple namespaces at once.
Propagated copies cannot be modified. In addition, a Role or RoleBinding cannot be created in a parent namespace if it conflicts with a resource in a descendant namespace.
To make an exception, annotate the Role or RoleBinding with propagate.hnc.x-k8s.io/none: "true" to prevent it from being propagated at all.
Another option is to propagate only to selected descendant namespaces: use propagate.hnc.x-k8s.io/treeSelect: ..., including descendant namespaces with <descendant-namespace> or excluding namespaces with !<descendant-namespace>.
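The two annotations above, shown on RoleBindings in a parent namespace. This is an added example, not taken from the Compliant Kubernetes documentation; the namespace names (team-a, team-a-prod), the group names and the choice of the built-in edit ClusterRole are assumptions made for illustration.

```yaml
# Added example. Namespace and group names are constructed placeholders.
# Both RoleBindings are created in the parent namespace "team-a", which is
# assumed to have subnamespaces including "team-a-prod".
---
# Exception 1: stays in team-a only and is never copied to a descendant.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: parent-only-edit              # hypothetical name
  namespace: team-a
  annotations:
    propagate.hnc.x-k8s.io/none: "true"
subjects:
  - kind: Group
    name: team-a-leads                # hypothetical group
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit                          # built-in Kubernetes ClusterRole
  apiGroup: rbac.authorization.k8s.io
---
# Exception 2: propagates to descendants, but not to team-a-prod.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developers-edit               # hypothetical name
  namespace: team-a
  annotations:
    propagate.hnc.x-k8s.io/treeSelect: "!team-a-prod"
subjects:
  - kind: Group
    name: team-a-developers           # hypothetical group
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
```

After applying both, listing RoleBindings in team-a-prod should show neither of them, which is a quick check that write access did not leak into the excluded namespace.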
Note
In Compliant Kubernetes v0.27.0 and later, NetworkPolicies will also propagate from the parent namespace to the descendant namespace, just like Roles and RoleBindings.