Skip to content



Hierarchical Namespace Controller (HNC) is included in Compliant Kubernetes. It allows the Application Developer to manage namespaces as subnamespaces and delegates access automatically. From the perspective of Kubernetes these are regular namespaces, but these can be modified via a namespaced resource by the user. Building a good namespace structure will enable you to apply namespace-scoped RBAC resources to multiple namespaces at once.

Namespace Management

Creating a subnamespace:

kubectl apply -f - <<EOF
kind: SubnamespaceAnchor
  name: <descendant-namespace>
  namespace: <parent-namespace>

Verify that it gets created:

kubectl get ns <descendant-namespace>

Verify that it gets configured:

$ kubectl get subns -n <parent-namespace> <descendant-namespace> -o yaml
kind: SubnamespaceAnchor
  name: <descendant-namespace>
  namespace: <parent-namespace>
  status: Ok

If the status is Ok then the subnamespace is ready to go.


HNC also comes with the HNS kubectl plugin.

Using this plugin creating subnamespaces is as easy as:

kubectl hns create -n <parent-namespace> <descendant-namespace>

And provides more detailed information using:

kubectl hns describe <namespace>

kubectl hns tree <namespace>

If you decide a subnamespace is no longer needed, then you can't delete it using kubectl delete namespace <descendant-namespace>. As you will get the following error:

Error from server (Forbidden): namespaces <descendant-namespace> is forbidden: User <your user> cannot delete resource "namespaces" in API group "" in the namespace <descendant-namespace>: RBAC: [ "user-crds" not found, "user-crds-resourcename-limit" not found]

Instead you will have to delete it using either of these commands:

kubectl delete subns -n <parent-namespace> <descendant-namespace>
# or
kubectl hns delete -n <parent-namespace> <descendant-namespace> # with the plugin installed

Resource Propagation

When a subnamespace is created all Roles, RoleBindings and NetworkPolicies will propagate from the parent namespace to the descendant namespace to ensure that correct access is set. This is what lets you apply namespace-scoped RBAC resources to multiple namespaces at once. Propagated copies cannot be modified, these types of resources cannot be created in a parent namespace if it conflicts with a resource in a descendant namespace. To put an exception, annotate the Role, RoleBinding or NetworkPolicy with "true" to prevent it from being propagated at all. Another option is to only propagate to selected descendant namespaces use ..., include descendant namespaces with <descendant-namespace> or exclude namespaces with !<descendant-namespace>.

Opt-in Propagation

HNC has the option to enable opt-in propagation for additional resources such as Secrets. This allows you to specify additional resources that you want propagated, but only if the object has a valid selector annotation set, while ignoring others. If you want to enable this feature, you can file a service ticket or contact your Platform Administrator with a list of resources that you want it enabled for.

Further Reading