# Kubernetes Namespace Management and Multi-Tenant Isolation: Building a Secure Multi-Tenant Environment

## 1. Namespace Overview

A **Namespace** is the Kubernetes mechanism for partitioning cluster resources, which lets multiple tenants share one cluster.

### 1.1 Namespace Architecture

```
┌─────────────────────────────────────────────────────────────────┐
│                     Namespace Architecture                      │
│                                                                 │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐           │
│  │  Namespace   │  │  Namespace   │  │  Namespace   │           │
│  │   Team A     │  │   Team B     │  │   Team C     │           │
│  └──────┬───────┘  └──────┬───────┘  └──────┬───────┘           │
│         │                 │                 │                   │
│         ▼                 ▼                 ▼                   │
│  ┌─────────────────────────────────────────────────────────┐    │
│  │              Resource isolation layer                   │    │
│  │  - ResourceQuota  - LimitRange  - NetworkPolicy         │    │
│  └─────────────────────────────────────────────────────────┘    │
│                               │                                 │
│                               ▼                                 │
│  ┌─────────────────────────────────────────────────────────┐    │
│  │               Permission management layer               │    │
│  │  - RBAC  - RoleBinding  - ServiceAccount                │    │
│  └─────────────────────────────────────────────────────────┘    │
└─────────────────────────────────────────────────────────────────┘
```

### 1.2 Namespace Types

| Namespace | Purpose |
|---|---|
| `default` | Default namespace for objects created without one |
| `kube-system` | System components |
| `kube-public` | Public resources |
| `kube-node-lease` | Node leases |
| user-defined | Business applications |

## 2. Creating and Configuring Namespaces

### 2.1 Creating a Namespace

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
  labels:
    name: team-a
    environment: production
```

### 2.2 Namespace Labels

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: team-b
  labels:
    name: team-b
    environment: staging
    department: engineering
```

## 3. Resource Quotas

### 3.1 ResourceQuota

```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a
spec:
  hard:
    requests.cpu: 4
    requests.memory: 8Gi
    limits.cpu: 8
    limits.memory: 16Gi
    pods: 20
    services: 10
    secrets: 100
```

### 3.2 Scoped ResourceQuota

The `NotTerminating` scope matches pods that have no `activeDeadlineSeconds`, so this quota counts only long-running pods, not one-off jobs.

```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-pod-quota
  namespace: team-a
spec:
  scopes:
    - NotTerminating
  hard:
    pods: 10
```

## 4. LimitRange

### 4.1 Container LimitRange

```yaml
apiVersion: v1
kind: LimitRange
metadata:
  name: team-a-limits
  namespace: team-a
spec:
  limits:
    - type: Container
      default:
        cpu: 500m
        memory: 512Mi
      defaultRequest:
        cpu: 250m
        memory: 256Mi
      max:
        cpu: 2
        memory: 2Gi
      min:
        cpu: 100m
        memory: 128Mi
```

### 4.2 Pod-Level LimitRange

```yaml
apiVersion: v1
kind: LimitRange
metadata:
  name: team-a-pod-limits
  namespace: team-a
spec:
  limits:
    - type: Pod
      max:
        cpu: 4
        memory: 8Gi
      min:
        cpu: 100m
        memory: 128Mi
```

## 5. Multi-Tenant Isolation

### 5.1 Network Isolation

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: team-a-isolation
  namespace: team-a
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: team-a
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              name: team-a
```

The `name` label is the one set on the Namespace objects in section 2; recent Kubernetes versions also set the `kubernetes.io/metadata.name` label on every namespace automatically, which can be used instead. Two caveats: NetworkPolicy is only enforced if the cluster's CNI plugin supports it, and because egress here is limited to the team's own namespace, pods cannot reach cluster DNS in `kube-system` unless an additional egress rule allows it.

### 5.2 Cross-Namespace Access Control

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-cross-access
  namespace: team-b
subjects:
  - kind: ServiceAccount
    name: team-a-sa
    namespace: team-a
roleRef:
  kind: Role
  name: team-b-reader
  apiGroup: rbac.authorization.k8s.io
```

This grants the `team-a-sa` service account exactly the permissions of the `team-b-reader` Role, which must already exist in `team-b`; the binding itself adds no permissions beyond that Role.

## 6. Namespace Monitoring

### 6.1 Resource Usage Monitoring

```yaml
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: namespace-monitor
spec:
  selector:
    matchLabels:
      app: namespace-exporter
  endpoints:
    - port: metrics
      interval: 30s
```

### 6.2 Resource Usage Alerts

```yaml
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: namespace-alerts
spec:
  groups:
    - name: namespace.rules
      rules:
        - alert: HighResourceUsage
          # kube-state-metrics exposes one kube_resourcequota series per quota entry with
          # type="used" / type="hard"; compare per resource so that CPU, memory and object
          # counts are not summed together into a meaningless ratio
          expr: |
            sum by (namespace, resource) (kube_resourcequota{type="used"})
              / sum by (namespace, resource) (kube_resourcequota{type="hard"}) > 0.8
          for: 5m
          labels:
            severity: warning
          annotations:
            summary: High resource usage in namespace
```

## 7. Best Practices

### 7.1 Naming Conventions

| Naming type | Example |
|---|---|
| By team | `team-a`, `team-b` |
| By environment | `dev`, `staging`, `prod` |
| By project | `project-x`, `project-y` |

### 7.2 Capacity Planning

```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: production-quota
  namespace: production
spec:
  hard:
    requests.cpu: 100
    requests.memory: 200Gi
    limits.cpu: 200
    limits.memory: 400Gi
```

### 7.3 Isolation Policy

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: production-isolation
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - ipBlock:
            cidr: 10.0.0.0/8
  egress:
    - to:
        - ipBlock:
            cidr: 10.0.0.0/8
```

Note that a `/8` which contains the cluster's pod and node CIDRs admits traffic from every pod in the cluster, so this policy only isolates `production` from addresses outside that range. Tenant-level isolation between namespaces still needs `namespaceSelector` rules like those in section 5.1.

## 8. Namespace Cleanup

### 8.1 Deleting a Namespace

Deleting a namespace deletes every object inside it. Forced deletion does not clear a namespace that is stuck in `Terminating` because of a finalizer; the finalizer has to be resolved first.

```bash
# Delete a namespace
kubectl delete namespace team-a

# Force deletion
kubectl delete namespace team-a --force --grace-period=0
```

### 8.2 Cleanup Script

```bash
#!/bin/bash
set -euo pipefail

# A label selector deletes every matching namespace; preview the match first with
# `kubectl get ns -l <selector>` before running this script.

# Delete all test namespaces
kubectl delete ns -l environment=test

# Delete the namespaces of completed projects
kubectl delete ns -l project=completed
```
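To make the defaulting and validation in the LimitRange manifests of section 4 concrete, here is an added Python model (not code from the page or from Kubernetes itself) of how the API server treats one container under the section 4.1 Container limits. `parse_quantity`, `TEAM_A_LIMITS`, `admit_container` and `would_admit` are this example's own names; the defaulting order (an explicit limit becomes the request, otherwise `default` and `defaultRequest` apply, then min/max and request-vs-limit are checked) follows documented Kubernetes behaviour.

```python
import re

# Quantity suffixes used on this page (CPU in cores, memory in bytes).
_SUFFIX = {"": 1, "m": 1e-3, "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}

def parse_quantity(q):
    """'500m' -> 0.5 cores, '512Mi' -> 536870912 bytes, '2' -> 2."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(m|Ki|Mi|Gi)?", str(q))
    if not m:
        raise ValueError(f"unsupported quantity {q!r}")
    return float(m.group(1)) * _SUFFIX[m.group(2) or ""]

# Container limits from the team-a LimitRange in section 4.1 (constructed copy of those values).
TEAM_A_LIMITS = {
    "default": {"cpu": "500m", "memory": "512Mi"},
    "defaultRequest": {"cpu": "250m", "memory": "256Mi"},
    "max": {"cpu": "2", "memory": "2Gi"},
    "min": {"cpu": "100m", "memory": "128Mi"},
}

def admit_container(container, lr=TEAM_A_LIMITS):
    """Model of what the API server does to one container under a Container LimitRange:
    fill in missing requests/limits, then reject anything outside min/max.
    Returns the container with resources filled in, or raises ValueError."""
    res = container.get("resources", {})
    requests, limits = dict(res.get("requests", {})), dict(res.get("limits", {}))
    for r in ("cpu", "memory"):
        if r in limits and r not in requests:
            requests[r] = limits[r]                      # request defaults to the explicit limit
        limits.setdefault(r, lr["default"][r])           # otherwise LimitRange `default` ...
        requests.setdefault(r, lr["defaultRequest"][r])  # ... and `defaultRequest` apply
        lo, hi = parse_quantity(lr["min"][r]), parse_quantity(lr["max"][r])
        req, lim = parse_quantity(requests[r]), parse_quantity(limits[r])
        if not (lo <= req <= hi and lo <= lim <= hi):
            raise ValueError(f"{container['name']}: {r} outside [{lr['min'][r]}, {lr['max'][r]}]")
        if req > lim:
            raise ValueError(f"{container['name']}: {r} request {requests[r]} exceeds limit {limits[r]}")
    return {**container, "resources": {"requests": requests, "limits": limits}}

def would_admit(container, lr=TEAM_A_LIMITS):
    """True if the container passes admission under the LimitRange, False if it is rejected."""
    try:
        admit_container(container, lr)
        return True
    except ValueError:
        return False
```

A container with no `resources` block comes out with 250m/256Mi requests and 500m/512Mi limits, while a container asking for `cpu: 3` is rejected against `max.cpu: 2` even though it never set a request.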
## 9. Summary

Key points for namespace management:

- **Plan deliberately**: divide namespaces by team, environment and project.
- **Resource quotas**: use ResourceQuota to cap resource consumption.
- **Limit ranges**: use LimitRange to set default resource limits.
- **Network isolation**: use NetworkPolicy to isolate namespaces from each other.
- **Access control**: use RBAC to control cross-namespace access.
- **Monitoring and alerting**: monitor resource usage per namespace.

Review namespace configuration regularly and clean up namespaces that are no longer in use.
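The controls listed above (quota, limit range, network isolation, cross-namespace RBAC) can be checked mechanically. The following is an added Python audit (not part of the original article) over manifests as `kubectl get ... -o json` would return them; `audit_namespace`, `_objects`, `_peers` and the `max_prefix` threshold for flagging wide `ipBlock` CIDRs are this example's own assumptions, not Kubernetes rules, and `SAMPLE` is a constructed, field-reduced copy of the page's team-a, team-b and production manifests.

```python
import ipaddress

def _objects(manifests, kind, ns):
    return [m for m in manifests if m["kind"] == kind and m["metadata"].get("namespace") == ns]

def _peers(policy):
    """All `from`/`to` peers of a NetworkPolicy, flattened into one list."""
    return [p for rule in policy["spec"].get("ingress", []) for p in rule.get("from", [])] + \
           [p for rule in policy["spec"].get("egress", []) for p in rule.get("to", [])]

def audit_namespace(manifests, ns, max_prefix=16):
    """Findings for one namespace; flagging CIDRs wider than /max_prefix is this example's choice."""
    findings = []
    if not _objects(manifests, "ResourceQuota", ns):
        findings.append("no ResourceQuota")
    if not _objects(manifests, "LimitRange", ns):
        findings.append("no LimitRange")
    policies = _objects(manifests, "NetworkPolicy", ns)
    # namespace-wide isolation needs an empty podSelector and both policy types
    if not any(p["spec"].get("podSelector") == {} and
               {"Ingress", "Egress"} <= set(p["spec"].get("policyTypes", [])) for p in policies):
        findings.append("no namespace-wide NetworkPolicy covering Ingress and Egress")
    for p in policies:
        for peer in _peers(p):
            cidr = peer.get("ipBlock", {}).get("cidr")
            if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen < max_prefix:
                findings.append(f"NetworkPolicy {p['metadata']['name']} allows wide CIDR {cidr}")
    for rb in _objects(manifests, "RoleBinding", ns):
        for s in rb.get("subjects", []):
            if s.get("kind") == "ServiceAccount" and s.get("namespace", ns) != ns:
                findings.append(f"RoleBinding {rb['metadata']['name']} grants "
                                f"{s['namespace']}/{s['name']} the role {rb['roleRef']['name']}")
    return findings

# Constructed sample: the page's team-a, team-b and production manifests, reduced to the fields read above.
SAMPLE = [
    {"kind": "ResourceQuota", "metadata": {"name": "team-a-quota", "namespace": "team-a"}},
    {"kind": "LimitRange", "metadata": {"name": "team-a-limits", "namespace": "team-a"}},
    {"kind": "NetworkPolicy", "metadata": {"name": "team-a-isolation", "namespace": "team-a"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"],
              "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"name": "team-a"}}}]}],
              "egress": [{"to": [{"namespaceSelector": {"matchLabels": {"name": "team-a"}}}]}]}},
    {"kind": "RoleBinding", "metadata": {"name": "team-a-cross-access", "namespace": "team-b"},
     "subjects": [{"kind": "ServiceAccount", "name": "team-a-sa", "namespace": "team-a"}],
     "roleRef": {"kind": "Role", "name": "team-b-reader"}},
    {"kind": "NetworkPolicy", "metadata": {"name": "production-isolation", "namespace": "production"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"],
              "ingress": [{"from": [{"ipBlock": {"cidr": "10.0.0.0/8"}}]}],
              "egress": [{"to": [{"ipBlock": {"cidr": "10.0.0.0/8"}}]}]}},
]
```

Against `SAMPLE`, `team-a` is clean, `team-b` lacks quota, limit range and a namespace-wide policy and is reported as granting `team-a/team-a-sa` a role, and `production` is flagged twice for the `10.0.0.0/8` block from section 7.3.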