Hi everyone,
Does anyone know whether there is any best practices documentation anywhere re separating ‘frontend’ and ‘backend’ pods/deployments into separate namespaces? I’d like to host frontend pods such as web frontends in one Internet facing namespace and backend pods in a separate namespace and I am wondering whether there is any existing best practices documentation that supports this use case from a security perspective?
Thanks very much in advance.
The general guideline I use is to think about “who”:
Who will manage these deployments/services/etc? Is it the same set
of people for both FE and BE? Is it always going to be the same set
of people? Is it OK for FE people to have access to BE things? Are
they coordinating tightly? Many things are namespace-scoped (network
policies, quota, RBAC, etc).
Who will these deployments run as? Will they share the same k8s
service-account? Will they share other permissions (e.g. to
cloud-provider APIs)? Is it OK for FE deployments to have access to
BE’s secrets?
We like to say that a Namespace needs to survive a reorg.
Thanks for your reply. Interesting.
I have also found this on the CNCF website that say that using namespaces as security boundaries is best practice (see number 3):
https://www.cncf.io/blog/2019/01/14/9-kubernetes-security-best-practices-everyone-must-follow/