Magic Namespace

Magic Namespace provides an easy, comprehensive option for cluster operators to manage namespaces and observe good security practices in multi-tenant, RBAC-enabled Kubernetes clusters.

Introduction

So you've got a multi-tenant cluster? Let's assume your cluster is RBAC-enabled. If it isn't, go fix that first. You're playing with fire. Until you fix that, you don't need Magic Namespace. Go fix it. We'll wait...

In a multi-tenant cluster, a clustering operator (someone with full, unrestricted privileges across the entire cluster), will manage users, groups, service accounts, roles, and user/group bindings to roles-- all to either permit or prevent subjects from performing certain actions in different namespaces.

A common paradigm that has emerged is that teams are given their own namespace and some degree of latitude to administer that namespace, whilst not being permitted to perform actions on other teams' namespaces.

Now bring Helm/Tiller into the equation. In an RBAC-enabled cluster, Tiller is so often granted the cluster-admin role-- which gives it "root" access to the entire cluster. While such a Tiller may be suitable for use by a clustering operator, it's not suitable for use by other teams, as it presents them with an easy avenue for escalating their privileges.

To compensate for this, a pattern that has emerged to complement the namespace-per-team pattern is the tiller-per-namespace pattern. This has been widely adopted in multi-tenant, RBAC-enabled clusters. Until now, cluster operators have tended to create their own bespoke scripts for performing all requisite setup to implement these patterns.

Magic Namespace takes the pain out of this setup. It offers cluster operators an easy, comprehensive avenue for using their Tiller to manage namespaces, service accounts, other Tillers, and role bindings for their constituent teams. Magic Namespace permits cluster operators to manage all of this using familiar Helm-based workflows.

How it Works

By default, Magic Namespace creates a service account for Tiller in the designated namespace and binds it to the admin role for that namespace. It also creates a deployment that utilizes this service account. This can be disabled or configured further, but the default behavior is sensible. In fact, the defaults close a variety of known Tiller-based attack vectors.

Magic Namespace also offers cluster operators to define additional service accounts and role bindings for use within the namespace. Typically, it would be a good idea to define at least one role binding that grants a user or group administrative privileges in the namespace. Absent this, the namespace's own Tiller will function, but no user (other than the cluster operator) will be capable of interacting with it via Helm.

Prerequisites

  • A Kubernetes cluster with RBAC enabled

Tell us about a new Kubernetes application

Newsletter

Never miss a thing! Sign up for our newsletter to stay updated.

About

Discover and share new Kubernetes applications

Navigation