Infrastructure and Networking
In this section, we'll look at some of the ways in which we can isolate workloads.
We'll start at the cluster level, switch to the runtime level, and then look outside the cluster at supporting infrastructure, such as network firewalls.
Cluster-Level Workload Isolation
Cutting straight to the chase, Kubernetes does not support secure multi-tenant clusters. The only cluster-level security boundary in Kubernetes is the cluster itself.
Let's look a bit closer...
The only built-in way to divide a Kubernetes cluster is with namespaces. A Kubernetes namespace is not the same as a Linux kernel namespace: it is a logical partition of a single Kubernetes cluster, with no kernel-level isolation behind it. In practice, it's little more than a way of grouping resources and applying things such as:
- Limits
- Quotas
- RBAC rules
- More...
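As an added example (not from the original page), here is what those controls look like when attached to a single namespace: a ResourceQuota for the namespace-wide caps, a LimitRange for per-container defaults and maximums, and a Role plus RoleBinding scoped to that namespace. The names (team-a, team-a-dev, team-a-developers) and the CPU/memory figures are assumptions chosen for illustration.

```yaml
# Added example, not from the original page. Names and figures are assumptions.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
---
# Quota: caps the total requests/limits and object counts inside team-a.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    pods: "20"
---
# Limits: per-container defaults and maximums, so a Pod that omits
# resources is still bounded (and a quota can be enforced at all).
apiVersion: v1
kind: LimitRange
metadata:
  name: team-a-limits
  namespace: team-a
spec:
  limits:
  - type: Container
    default:
      cpu: 500m
      memory: 256Mi
    defaultRequest:
      cpu: 100m
      memory: 128Mi
    max:
      cpu: "2"
      memory: 2Gi
---
# RBAC: a Role only ever grants rights on objects inside its own namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: team-a-dev
  namespace: team-a
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log", "services", "configmaps"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
---
# The binding is namespaced too: members of the (assumed) group get these
# rights in team-a and nothing in kube-system or any other namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-dev-binding
  namespace: team-a
subjects:
- kind: Group
  name: team-a-developers   # assumed group name supplied by the identity provider
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: team-a-dev
  apiGroup: rbac.authorization.k8s.io
```

Apply it with `kubectl apply -f team-a.yaml`, then confirm the scoping with impersonation: `kubectl auth can-i create pods -n team-a --as=alice --as-group=team-a-developers` should answer `yes`, while the same query with `-n kube-system` should answer `no`. Notice what the manifest does not contain: nothing here keeps team-a's Pods off the nodes used by other namespaces, gives them a separate kernel, or stops them talking to Pods elsewhere in the cluster. Those are exactly the gaps the rest of this section deals with.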
The take-home point is that Kubernetes namespaces cannot guarantee that a Pod in one namespace will not impact a Pod in another. Pods from different namespaces can be scheduled onto the same node, where they share its kernel, and unless a NetworkPolicy says otherwise they can reach each other over the Pod network...