Kubernetes and Cloud Native Security Associate (KCSA)

Overview of Cloud Native Security

Kubernetes Isolation Techniques

Ensuring robust isolation within Kubernetes clusters is crucial for maintaining security and stability across production (prod), development (dev), and testing (test) environments. In multi-tenant clusters, proper isolation prevents one team’s workload from impacting another. This guide walks through five key isolation strategies.


1. Namespace Separation

Namespaces partition cluster resources and faults, enabling logical separation and multitenancy. By isolating environments into distinct namespaces, you limit blast radius and simplify resource management.

kubectl create namespace prod
kubectl create namespace test
kubectl create namespace dev
kubectl create namespace team-a
kubectl create namespace team-b

Each team or project operates independently within its own namespace.

Note

Use descriptive naming conventions (e.g., team-a, team-b) to keep namespaces organized and easy to manage.


2. Network Policies

By default, Pods can communicate across namespaces without restriction. Kubernetes NetworkPolicy resources let you define fine-grained ingress and egress rules.

Example: Allow only Pods in the prod namespace to receive ingress traffic from peers within prod:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-internal-prod-namespace
  namespace: prod
spec:
  podSelector: {}        # Select all Pods in prod
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}  # Only Pods in the same namespace
FieldDescription
podSelectorTargets all Pods in a namespace
policyTypesSpecifies Ingress, Egress, or both
ingressDefines allowed incoming sources

3. Role-Based Access Control (RBAC)

RBAC enforces the principle of least privilege, reducing accidental or malicious changes. Define Roles and RoleBindings to grant only the permissions required.

The image illustrates Role-Based Access Control (RBAC) for managing access to different namespaces (Prod, Test, Dev) in a Kubernetes environment, with a focus on developer access.

Example use cases:

  • Developers: read-only access to prod
  • Developers: full access to dev

In multi-tenant clusters, RBAC isolates teams:

The image illustrates Role-Based Access Control (RBAC) in a Kubernetes environment, showing different namespaces (Prod, Test, Dev, Team A, Team B) with pods and access permissions. It highlights multi-tenancy with namespaces.

RoleNamespacePermissions
dev-readerprodget, list
dev-admindevcreate, delete, update

4. Resource Quotas and Limits

ResourceQuotas control overall resource consumption per namespace. Pod-level resource requests and limits prevent individual workloads from exhausting CPU or memory.

The image illustrates resource quotas and limits in a multi-tenant setup, showing different namespaces (Prod, Test, Dev, Team A, Team B) each containing a pod and associated resource icons.

Example ResourceQuota:

apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a
spec:
  hard:
    requests.cpu: "4"
    requests.memory: "8Gi"
    limits.cpu: "8"
    limits.memory: "16Gi"
Quota TypePurpose
requests.cpuGuaranteed CPU resources per namespace
limits.memoryMaximum memory usage for that namespace

5. Security Context

By default, containers may run as root, which heightens risk if compromised. Use a securityContext to enforce non-root execution and restrict privileges.

apiVersion: v1
kind: Pod
metadata:
  name: backend-pod
  namespace: dev
spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 3000
    fsGroup: 2000
  containers:
    - name: backend-container
      image: nginx:latest
      securityContext:
        allowPrivilegeEscalation: false

Warning

Always verify that your container images support non-root users and drop unnecessary Linux capabilities.


Summary of Isolation Techniques

The image is a summary slide listing five security practices for applications, including using namespaces, implementing network policies, applying RBAC, setting resource quotas, and using security contexts.

TechniqueBenefit
Namespace SeparationLogical isolation and resource partitioning
Network PoliciesFine-grained pod-to-pod communication control
Role-Based Access ControlLeast-privilege access management
Resource Quotas & LimitsPrevent resource monopolization
Security ContextsEnforce non-root execution and capability drops

Further Reading

Watch Video

Watch video content

Previous
Infrastructure Security