A template for a secure, multitenant Kubernetes Cluster
- Pod Restrictions (Pod Security Policies)
- Pod Scheduling Tiers (Priority Classes)
- Namespace Network Isolation (Network Policies)
- Default Pod Resource Requirements and Limits (Limit Ranges)
- Network, Storage and Scheduling Quotas (Resource Quotas)
- Cluster Admins and User Permissions (Users & Role Bindings)
- Calico (CNI)
- Traefik (Ingress Controller)
- CEPH (Storage Provider)
- NVidia GPU Support (Accelerator)
- Traefik Forward Auth
- Application of PSPs
- Metrics & APM Monitoring of Traefik
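The feature list names Limit Ranges, Resource Quotas and Priority Classes without showing what a tenant namespace ends up with. The following manifest is an added example written for this README; it is not code from the template repository. The namespace name `team-a`, the `type: user` label, the priority class name `tenant-default` and every numeric value are assumptions chosen for illustration.

```yaml
# Added example (not from the template repo): per-tenant defaults and quotas.
# Names and numbers are assumptions; only the object kinds come from the README.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a                 # assumed tenant namespace
  labels:
    type: user                 # assumed; system namespaces carry type: system
---
apiVersion: v1
kind: LimitRange
metadata:
  name: default-limits
  namespace: team-a
spec:
  limits:
  - type: Container
    defaultRequest:            # injected as requests when a container sets none
      cpu: 100m
      memory: 128Mi
    default:                   # injected as limits when a container sets none
      cpu: 500m
      memory: 256Mi
    max:                       # hard ceiling per container, rejected at admission
      cpu: "2"
      memory: 2Gi
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a
spec:
  hard:
    requests.cpu: "8"
    requests.memory: 16Gi
    limits.cpu: "16"
    limits.memory: 32Gi
    requests.storage: 200Gi          # storage quota (Ceph-backed PVCs)
    persistentvolumeclaims: "10"
    services.loadbalancers: "1"      # network quota: at most one LoadBalancer
    pods: "50"
---
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
  name: tenant-default               # assumed name for the tenant tier
value: 1000                          # lower than whatever the system tier uses
globalDefault: false
description: "Default scheduling tier for tenant workloads"
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-priority-quota
  namespace: team-a
spec:
  # Scheduling quota: pods in the higher tier are capped so one tenant cannot
  # preempt the rest of the cluster by labelling everything high priority.
  hard:
    pods: "5"
  scopeSelector:
    matchExpressions:
    - scopeName: PriorityClass
      operator: In
      values:
      - tenant-high                  # assumed name of an elevated tenant tier
```

Because a LimitRange only fills in missing values, the ResourceQuota is what actually bounds the namespace; with both present, every pod gets requests, so `requests.cpu` and `requests.memory` in the quota are always enforceable. `kubectl describe quota -n team-a` shows consumption against each hard limit.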
- Add additional users or namespaces to the txt files in the respective directories
- Run `scripts/generate-users.sh` or `scripts/generate-namespaces.sh` from the root of this git repo
- Commit the changes and let Flux roll them out
These namespaces have the label `type: system` and can communicate with all pods via the `default-allow-system` NetworkPolicy:
- kube-system - core networking, scheduling and authentication
- kube-operators - cluster-wide application operators that are centrally managed
- rook-ceph - cluster-wide storage operator
User and Application namespaces do not allow traffic from other namespaces or from outside the cluster (including via LoadBalancers) by default.
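The isolation described above can be expressed with standard NetworkPolicy objects, which Calico enforces. The manifest below is an added example for this README, not the template's own policy files. The label `type: system` and the policy name `default-allow-system` come from the text; the namespace `team-a` and the other policy names are assumptions. Since a NetworkPolicy is namespaced, a per-namespace copy like this would be stamped out for each tenant namespace (or replaced by a Calico GlobalNetworkPolicy); which of the two the template uses is not stated here.

```yaml
# Added example (not from the template repo): default-deny for a tenant
# namespace plus the exceptions for system namespaces and intra-namespace traffic.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: team-a                  # assumed tenant namespace
spec:
  podSelector: {}                    # every pod in the namespace
  policyTypes:
  - Ingress
  # Ingress is listed but no rules are given, so all inbound traffic is
  # dropped: other namespaces and anything arriving from outside the cluster,
  # including connections that enter through a LoadBalancer or NodePort.
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-allow-system         # name taken from the README
  namespace: team-a
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          type: system               # kube-system, kube-operators, rook-ceph
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace         # assumed name
  namespace: team-a
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector: {}                # any pod in team-a may talk to any other
```

Policies are additive: a connection is allowed if any policy selecting the destination pod permits it, so the deny policy and the two allow policies combine into "only the namespace itself and `type: system` namespaces may reach these pods". Two checks are worth running after applying this: `kubectl get networkpolicy -n team-a` to confirm all three objects are present, and a `kubectl exec` from a pod in a second tenant namespace that should time out when it tries to reach a `team-a` service. Note that the `namespaceSelector` matches on the namespace label, so an unlabelled namespace (or a tenant who could edit labels on their own namespace) would not, or would wrongly, match; keeping namespace objects out of tenant RBAC is what makes the `type: system` label trustworthy.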