Best practices: Front end / back end pods - different namespaces?

Hi everyone,

Does anyone know whether there is any best practices documentation anywhere re separating ‘frontend’ and ‘backend’ pods/deployments into separate namespaces? I’d like to host frontend pods such as web frontends in one Internet facing namespace and backend pods in a separate namespace and I am wondering whether there is any existing best practices documentation that supports this use case from a security perspective?

Thanks very much in advance.

The general guideline I use is to think about “who”:

  • Who will manage these deployments/services/etc? Is it the same set
    of people for both FE and BE? Is it always going to be the same set
    of people? Is it OK for FE people to have access to BE things? Are
    they coordinating tightly? Many things are namespace-scoped (network
    policies, quota, RBAC, etc).

  • Who will these deployments run as? Will they share the same k8s
    service-account? Will they share other permissions (e.g. to
    cloud-provider APIs)? Is it OK for FE deployments to have access to
    BE’s secrets?

We like to say that a Namespace needs to survive a reorg.

Thanks for your reply. Interesting.

I have also found this on the CNCF website that say that using namespaces as security boundaries is best practice (see number 3):