Kubernetes namespaces help segregate workloads from multiple teams. However, by default, they don't isolate those workloads from each other:
• Any pod in the cluster can still talk to all the other pods (even if they are in different namespaces).
• A workload that abuses CPU, memory or I/O can degrade pods in a different namespace.
• If you tune the shared ingress controller for one app's traffic requirements (e.g. a higher maximum upload size), every app in the cluster gets the same settings.
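As an added example (not part of the session material), the following manifests show the baseline that closes the first two gaps for one tenant namespace. The namespace name `team-a`, the quota values and the policy names are assumptions; the `kubernetes.io/metadata.name` label used to select `kube-system` is set automatically on every namespace by Kubernetes 1.21 and later. A NetworkPolicy only takes effect if the cluster's CNI plugin enforces it, and neither a NetworkPolicy nor a ResourceQuota limits disk or network I/O, which is part of why the session lists further tooling.

```yaml
# Added example, not from the session: baseline isolation for the hypothetical
# tenant namespace "team-a". Apply with: kubectl apply -f tenant-a.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
---
# 1) Network isolation. Without a policy, any pod in the cluster can reach
#    pods in team-a. This selects every pod in the namespace, denies all
#    ingress and egress, then re-allows same-namespace traffic and DNS
#    lookups against kube-system (port 53).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tenant-isolation
  namespace: team-a
spec:
  podSelector: {}                 # empty selector = all pods in team-a
  policyTypes: [Ingress, Egress]
  ingress:
  - from:
    - podSelector: {}             # only pods in the same namespace
  egress:
  - to:
    - podSelector: {}             # same-namespace pods
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
---
# 2) Noisy-neighbour protection. Caps the namespace's aggregate CPU/memory
#    requests and limits and its pod count. Values are illustrative.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: tenant-quota
  namespace: team-a
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    pods: "50"
---
# 3) Defaults for containers that declare nothing. A quota on requests/limits
#    rejects pods that omit them, so this LimitRange injects values instead.
apiVersion: v1
kind: LimitRange
metadata:
  name: tenant-defaults
  namespace: team-a
spec:
  limits:
  - type: Container
    default:                      # applied as limits when unset
      cpu: 500m
      memory: 512Mi
    defaultRequest:               # applied as requests when unset
      cpu: 100m
      memory: 128Mi
```

A quick check after applying: `kubectl -n team-a describe networkpolicy tenant-isolation` and `kubectl -n team-a describe quota tenant-quota` show the enforced rules and current usage; a `kubectl exec` from a pod in another namespace should time out when connecting to a `team-a` pod.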
So, how do you isolate workloads and ensure they don't interact with each other (or that they do so in a controlled manner)?
In this session, you will learn:
• How namespaces work and their limitations.
• How to use Kyverno to limit what tenants can do in their cluster.
• What additional tools and techniques you need for stronger isolation (e.g. sandboxed container runtimes, a dedicated ingress controller per namespace, layer 7 authorization policies, Kubernetes API QoS, etc.)
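To show the kind of guardrail the Kyverno part of the session refers to, here is an added example (not from the session or the Kyverno project) of a single ClusterPolicy enforcing three tenant rules at admission time. The policy and rule names and the list of excluded system namespaces are assumptions; the `generate`, `validate` and `match`/`exclude` fields are Kyverno's standard `kyverno.io/v1` API, and the `=(field)` anchor means "validate this field only if the pod sets it".

```yaml
# Added example, not from the session: cluster-wide tenant guardrails with
# Kyverno. Install Kyverno first, then: kubectl apply -f tenant-guardrails.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: tenant-guardrails
spec:
  validationFailureAction: Enforce   # reject violations instead of only auditing
  rules:
  # 1) Every new namespace gets a default-deny NetworkPolicy, so isolation does
  #    not depend on each team remembering to add one. synchronize: true makes
  #    Kyverno recreate the policy if a tenant deletes or edits it.
  - name: generate-default-deny
    match:
      any:
      - resources:
          kinds: [Namespace]
    exclude:
      any:
      - resources:
          namespaces: [kube-system, kube-public, kube-node-lease, kyverno]
    generate:
      apiVersion: networking.k8s.io/v1
      kind: NetworkPolicy
      name: default-deny
      namespace: "{{request.object.metadata.name}}"
      synchronize: true
      data:
        spec:
          podSelector: {}
          policyTypes: [Ingress, Egress]
  # 2) Every container must declare CPU and memory limits, so a per-namespace
  #    ResourceQuota can bound the tenant and one team cannot starve another.
  #    "?*" matches any non-empty value.
  - name: require-limits
    match:
      any:
      - resources:
          kinds: [Pod]
    validate:
      message: "Every container must set resources.limits.cpu and resources.limits.memory."
      pattern:
        spec:
          containers:
          - resources:
              limits:
                cpu: "?*"
                memory: "?*"
  # 3) Tenant pods may not join the node's network, PID or IPC namespaces;
  #    doing so would bypass namespace-level isolation entirely.
  - name: disallow-host-namespaces
    match:
      any:
      - resources:
          kinds: [Pod]
    validate:
      message: "hostNetwork, hostPID and hostIPC are not allowed for tenant workloads."
      pattern:
        spec:
          =(hostNetwork): "false"
          =(hostPID): "false"
          =(hostIPC): "false"
```

Two practitioner notes: Kyverno auto-generates matching rules for Pod controllers (Deployments, Jobs, etc.), so rules 2 and 3 reject the controller object rather than failing silently at ReplicaSet time; and the policy should be rolled out with `validationFailureAction: Audit` first and the resulting PolicyReports reviewed, since switching straight to `Enforce` will block any existing workload that already violates it.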