What's new in Hierarchical Namespaces: now with less hierarchy!

By Adrian Ludwin

Elevator Pitch

Kubernetes Namespaces aren’t just dumb containers; they’re a critical part of the security and operation of your cluster. Hierarchical namespaces give you more control over your policies, but strict hierarchy can be too limiting. So we’ve added new ways to make your policies even more flexible.

Description

The Hierarchical Namespace Controller (HNC) extends Kubernetes namespaces to support the notion of hierarchy: that is, policies applied to ancestor namespaces should also apply to descendant namespaces. This allows cluster admins to naturally express more powerful policies, and also give cluster users the freedom to create new namespaces without bypassing those policies.

However, strict hierarchies can be too limiting - lots of rules have special cases. To handle this, the latest version of HNC (v0.7.0) adds the concept of exceptions - policies that can be restricted to only apply to certain namespaces.

This talk will introduce exceptions and talk about the path to HNC v1.0.

Notes

I’m the lead developer of HNC. One of my fellow developers may also join this presentation; I’ll update this proposal if she joins in.