K8s Security Pro
#14 Network Security professional

Namespace Isolation

A complete namespace isolation strategy with default-deny ingress, intra-namespace allow, ingress controller access, monitoring exceptions, and egress controls.

CIS Benchmark: 5.3.2
MITRE ATT&CK: T1021, T1046

Overview

This template implements complete namespace isolation using five layered NetworkPolicies: default-deny all ingress, allow intra-namespace communication, allow ingress from the ingress controller namespace, allow monitoring (Prometheus) scraping, and deny egress except DNS.

Security threat addressed: By default, pods in one namespace can freely communicate with pods in every other namespace. A breach in the dev namespace can directly reach production databases.

When to use: Apply to every namespace that requires network segmentation, especially production namespaces. Customize the ingress controller and monitoring namespace labels for your environment.

Threat Model

  • Cross-namespace lateral movement: Prevents a compromised pod in one namespace from reaching services in another.
  • Environment isolation: Dev, staging, and prod namespaces are fully isolated from each other.
  • Compliance requirements: Satisfies PCI-DSS, SOC2, and HIPAA network segmentation requirements.
  • Data exfiltration prevention: Egress deny-all with DNS-only exceptions prevents outbound data theft.

MITRE ATT&CK:

  • T1021 — Remote Services: Lateral movement via open service ports is blocked by namespace isolation.
  • T1046 — Network Service Scanning: Cross-namespace service discovery is prevented.

Real-world scenario: An attacker compromises a development application and attempts to connect to the production PostgreSQL database in another namespace. Namespace isolation blocks the connection at the network level.

YAML Source

# POLICY 1: Default deny all ingress
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: production
  labels:
    app.kubernetes.io/name: k8s-security
    app.kubernetes.io/part-of: k8s-security-pro
    app.kubernetes.io/managed-by: k8s-security-pro
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# POLICY 2: Allow intra-namespace communication
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: production
  labels:
    app.kubernetes.io/name: k8s-security
    app.kubernetes.io/part-of: k8s-security-pro
    app.kubernetes.io/managed-by: k8s-security-pro
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: production
# ... truncated -- get ingress controller, monitoring, and egress policies at k8s-security.pro/pricing

Get the complete template with ingress controller access, Prometheus monitoring exceptions, and egress deny-all with DNS in the Professional tier.
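To see how the layered policies combine, here is a small simulator of NetworkPolicy ingress evaluation, added as an example and not part of the template or the project's code. It encodes the two policies shown above plus an assumed shape for the paywalled monitoring exception (source namespace `monitoring`, port 9090 only), supports only matchLabels and numeric ports, ignores protocol and egress, and shows the caveat that a namespace with no policies of its own (dev here) remains open to everything.

```python
NS_LABEL = "kubernetes.io/metadata.name"  # set automatically on every namespace

def ns_sel(ns):
    return {"namespaceSelector": {"matchLabels": {NS_LABEL: ns}}}

# The two policies from the page, plus an ASSUMED monitoring exception (constructed)
POLICIES = [
    {"metadata": {"name": "default-deny-ingress", "namespace": "production"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"metadata": {"name": "allow-same-namespace", "namespace": "production"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
              "ingress": [{"from": [ns_sel("production")]}]}},
    {"metadata": {"name": "allow-monitoring-scrape", "namespace": "production"},  # assumed
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
              "ingress": [{"from": [ns_sel("monitoring")], "ports": [{"port": 9090}]}]}},
]

def matches(selector, labels):
    # matchLabels entries are ANDed; the empty selector {} matches everything
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_allows(peer, policy_ns, src_ns, src_labels):
    # Inside one 'from' entry, namespaceSelector and podSelector are ANDed;
    # a podSelector with no namespaceSelector only covers the policy's own namespace.
    if "namespaceSelector" in peer and not matches(peer["namespaceSelector"], {NS_LABEL: src_ns}):
        return False
    if "podSelector" in peer:
        if "namespaceSelector" not in peer and src_ns != policy_ns:
            return False
        if not matches(peer["podSelector"], src_labels):
            return False
    return True

def ingress_allowed(policies, src_ns, dst_ns, port, src_labels=None, dst_labels=None):
    """True if traffic src_ns -> dst_ns:port passes NetworkPolicy ingress evaluation."""
    src_labels, dst_labels = src_labels or {}, dst_labels or {}
    selecting = [p for p in policies if p["metadata"]["namespace"] == dst_ns
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and matches(p["spec"]["podSelector"], dst_labels)]
    if not selecting:
        return True  # not isolated: a namespace with no policies accepts everything
    for p in selecting:  # policies are additive: one matching rule anywhere is enough
        for rule in p["spec"].get("ingress", []):
            port_ok = "ports" not in rule or any(pp.get("port") == port for pp in rule["ports"])
            peers = rule.get("from") or [{}]  # a rule with no 'from' admits any source
            if port_ok and any(peer_allows(pr, dst_ns, src_ns, src_labels) for pr in peers):
                return True
    return False
```

Note the last case: production pods can still reach dev, because default-deny has to be applied in every namespace you want protected, not only in production.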

Installation

kubectl:

kubectl apply -f 14_namespace_isolation.yaml

Helm:

helm install k8s-security ./charts/k8s-security -f values-prod.yaml

Kustomize:

kubectl apply -k kustomize/overlays/prod

Verification

# List all policies in the namespace
kubectl get networkpolicies -n production

# Test intra-namespace communication works
kubectl exec -n production <frontend-pod> -- wget -q -O- --timeout=2 http://<backend-service>:8080

# Test cross-namespace communication is blocked
kubectl exec -n dev <pod> -- wget -q -O- --timeout=2 http://<production-service>.production.svc:8080 2>&1
# Expected: timeout

# Verify monitoring can still scrape metrics (pod names are not resolvable via
# <name>.production.svc, so target the pod IP from `kubectl get pod -o wide`)
kubectl exec -n monitoring <prometheus-pod> -- wget -q -O- --timeout=2 http://<production-pod-ip>:9090/metrics

CIS Benchmark References

  • 5.3.2 — Ensure that all Namespaces have NetworkPolicies defined. This template provides comprehensive per-namespace isolation policies.

MITRE ATT&CK References

  • T1021 — Remote Services: Namespace isolation blocks lateral movement between environments via open service ports.
  • T1046 — Network Service Scanning: Cross-namespace service discovery is prevented by default-deny ingress policies.
