...

Workload Isolation

Let's explore some techniques for isolating workloads.

We'll cover the following...

Cluster-level workload isolation
- Namespaces and soft multi-tenancy
- Namespaces and hard multi-tenancy
Node isolation
Runtime isolation
Network isolation

This section will show us some ways we can use to isolate workloads.

We’ll start at the cluster level, switch to the runtime level, and then look outside the cluster at infrastructure such as network firewalls.

Cluster-level workload isolation

Cutting straight to the chase, Kubernetes does not support secure multi-tenant clusters. The only way to isolate two workloads is to run them on their own clusters with their own hardware.

Let’s look a bit closer.

The only way to divide a Kubernetes cluster is by creating Namespaces. However, these are little more than a way of grouping resources and applying things such as:

Limits
Quotas
RBAC rules

Namespaces do not prevent compromised workloads in one Namespace from impacting workloads in other Namespaces. This means we should never run hostile workloads on the same Kubernetes cluster. ...

Kubernetes Primer

Kubernetes Principles of Operation

Getting Kubernetes

Working With Pods: Theory

Working with Pods: Hands-On

Virtual Clusters with Namespaces

Kubernetes Deployments

Kubernetes Services: Theory

Kubernetes Services: Hands-On

Ingress

WebAssembly on Kubernetes

Service Discovery Deep Dive

Kubernetes Storage

ConfigMaps

StatefulSets

API Security and RBAC

Kubernetes API

Threat Modeling Kubernetes

Real-World Kubernetes Security

Conclusion

Workload Isolation

Cluster-level workload isolation