Namespace Strategy and Multi-Tenancy: Isolation, Quotas, and Policies

Calendar February 22, 2026
Kubernetes
Intermediate
Namespace-Design, Multi-Tenancy-Configuration, Resource-Management, Security-Hardening
Namespaces, Multi-Tenancy, Resource-Quotas, Network-Policies, Rbac, Isolation
Kubectl

Namespace Strategy and Multi-Tenancy#

Namespaces are the foundation for isolating workloads in a shared Kubernetes cluster. Without a deliberate strategy, teams deploy into arbitrary namespaces, resources are unbound, and one misbehaving application can take down the entire cluster.

Why Namespaces Matter#

Namespaces provide four isolation boundaries:

  • RBAC scoping: Roles and RoleBindings are namespace-scoped, so you can grant teams access to their namespaces only.
  • Resource quotas: Limit CPU, memory, and object counts per namespace, preventing one team from starving others.
  • Network policies: Restrict traffic between namespaces so a compromised application cannot reach services it should not.
  • Organizational clarity: kubectl get pods -n payments-prod shows exactly what you expect, not a jumble of unrelated workloads.

System Namespaces#

These exist in every cluster and should be off-limits to application teams:

RBAC Patterns: Practical Access Control for Kubernetes

Calendar February 22, 2026
Kubernetes
Intermediate
Rbac-Configuration, Service-Account-Management, Security-Hardening
Rbac, Security, Service-Accounts, Access-Control
Kubectl

RBAC Patterns#

Kubernetes RBAC controls who can do what to which resources. It is built on four objects: Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings. Getting RBAC right means understanding how these four pieces compose and knowing the common patterns that cover 90% of real-world needs.

The Four RBAC Objects#

Role – Defines permissions within a single namespace. Lists API groups, resources, and allowed verbs.

ClusterRole – Defines permissions cluster-wide or for non-namespaced resources (nodes, persistent volumes, namespaces themselves).

OPA Gatekeeper: Policy as Code for Kubernetes

Calendar February 21, 2026
Kubernetes
Intermediate
Policy-as-Code, Rego-Development, Constraint-Management, Security-Hardening
Opa, Gatekeeper, Policy, Security, Admission-Control, Rego
Kubectl, Helm, Gatekeeper

OPA Gatekeeper: Policy as Code for Kubernetes#

Gatekeeper is a Kubernetes-native policy engine built on Open Policy Agent (OPA). It runs as a validating admission webhook and evaluates policies written in Rego against every matching API request. Instead of deploying raw Rego files to an OPA server, Gatekeeper uses Custom Resource Definitions: you define policies as ConstraintTemplates and instantiate them as Constraints. This makes policy management declarative, auditable, and version-controlled.

Pod Security Standards and Admission: Replacing PodSecurityPolicy

Calendar February 21, 2026
Kubernetes
Intermediate
Pod-Security-Configuration, Namespace-Security, Migration-Planning, Security-Hardening
Pod-Security, Psa, Psp, Security, Admission-Control
Kubectl

Pod Security Standards and Admission#

PodSecurityPolicy (PSP) was removed from Kubernetes in v1.25. Its replacement is Pod Security Admission (PSA), a built-in admission controller that enforces three predefined security profiles. PSA is simpler than PSP – no separate policy objects, no RBAC bindings to manage – but it is also less flexible. You apply security standards to namespaces via labels and the admission controller handles enforcement.

The Three Security Standards#

Kubernetes defines three Pod Security Standards, each progressively more restrictive: