Custom NameSpace PROD
- Resource Quotas
A resource quota helps in limiting the amount of CPU, memory, and other resources within the namespace to prevent excessive resource consumption by any one workload.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: prod-quota
  namespace: production
spec:
  hard:
    # Once a quota covers requests/limits, every pod in the namespace must
    # declare them (or receive them from a LimitRange) or admission rejects it.
    requests.cpu: "1000m"
    requests.memory: "4Gi"
    limits.cpu: "2000m"
    limits.memory: "8Gi"
    pods: "50"
    services: "10"
    replicationcontrollers: "10"
- LimitRange
A LimitRange sets default resource requests and limits for containers in the namespace, so that every container has reasonable resource boundaries even when its manifest declares none.
apiVersion: v1
kind: LimitRange
metadata:
  name: prod-limit-range
  namespace: production
spec:
  limits:
    - default:            # applied as the limit when a container sets none
        cpu: "500m"
        memory: "2Gi"
      defaultRequest:     # applied as the request when a container sets none
        cpu: "250m"
        memory: "1Gi"
      type: Container
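As an added example (not part of these notes), the script below models how the LimitRange defaults and the ResourceQuota above interact at admission: it fills in the defaults a container would receive and works out how many identical pods the quota admits. It uses only the standard library, models the manifests as dicts rather than parsed YAML, and handles only the quantity suffixes used on this page.

```python
# Added example, not from the notes: stdlib only, manifests modelled as dicts.
from fractions import Fraction
from typing import Dict, List

_SUFFIX = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4}

def parse_quantity(q: str) -> Fraction:
    """Convert a Kubernetes quantity ("500m", "4Gi", "2") to an exact number."""
    q = str(q)
    if q.endswith("m"):                      # millicores
        return Fraction(int(q[:-1]), 1000)
    for suf, mult in _SUFFIX.items():        # binary memory suffixes
        if q.endswith(suf):
            return Fraction(int(q[:-len(suf)]) * mult)
    return Fraction(q)                       # plain cores, bytes or counts

# Values copied from the prod-limit-range and prod-quota manifests above.
LIMIT_RANGE = {"default": {"cpu": "500m", "memory": "2Gi"},
               "defaultRequest": {"cpu": "250m", "memory": "1Gi"}}
QUOTA_HARD = {"requests.cpu": "1000m", "requests.memory": "4Gi",
              "limits.cpu": "2000m", "limits.memory": "8Gi", "pods": "50"}

def apply_defaults(resources: Dict) -> Dict:
    """Container resources as they look after API-server defaulting and the
    LimitRanger admission plugin have run."""
    declared_limits = resources.get("limits", {})
    out = {"requests": dict(resources.get("requests", {})), "limits": dict(declared_limits)}
    for r in ("cpu", "memory"):
        out["limits"].setdefault(r, LIMIT_RANGE["default"][r])
        # A limit given without a request is copied into the request before
        # admission, so defaultRequest only applies when neither was declared.
        out["requests"].setdefault(r, declared_limits.get(r, LIMIT_RANGE["defaultRequest"][r]))
    return out

def pod_usage(containers: List[Dict]) -> Dict[str, Fraction]:
    """Quota consumption of one pod whose containers carry the given resources."""
    usage = {k: Fraction(0) for k in QUOTA_HARD}
    usage["pods"] = Fraction(1)
    for c in containers:
        res = apply_defaults(c)
        for r in ("cpu", "memory"):
            usage["requests." + r] += parse_quantity(res["requests"][r])
            usage["limits." + r] += parse_quantity(res["limits"][r])
    return usage

def max_replicas(containers: List[Dict]) -> int:
    """Largest number of identical pods the quota admits; the smallest ratio binds."""
    one = pod_usage(containers)
    return min(int(parse_quantity(QUOTA_HARD[k]) // one[k]) for k in QUOTA_HARD if one[k] > 0)
```

With a pod whose single container declares no resources, the 1000m requests.cpu line admits only four pods, long before the pods: "50" line is reached.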
- Network Policies
A NetworkPolicy controls which pods may talk to each other, within the namespace and across namespaces, and is a core security control for a production namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-prod-to-db
  namespace: production
spec:
  # Applies to pods labelled role=app; once selected, they accept only the
  # ingress listed below (policyTypes defaults to Ingress here).
  podSelector:
    matchLabels:
      role: app
  ingress:
    - from:
        # A bare podSelector matches pods in this namespace only; add a
        # namespaceSelector alongside it to admit traffic from other namespaces.
        - podSelector:
            matchLabels:
              role: db
      ports:
        - protocol: TCP
          port: 5432
- ServiceAccount
Use a dedicated service account, bound to production-specific roles, for access control.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: prod-service-account
  namespace: production
# Grant permissions with a Role and RoleBinding in this namespace, and reference
# the account from pods via spec.serviceAccountName.
- PodSecurityPolicy (PSP)
If PSPs are enabled in your cluster, you can use them to enforce security policies for your pods, like restricting privileged containers or controlling volume types.
apiVersion: policy/v1beta1
# PodSecurityPolicy was removed in Kubernetes 1.25; newer clusters use Pod Security Admission.
kind: PodSecurityPolicy
metadata:
  name: prod-psp
spec:
  privileged: false
  volumes:
    - "configMap"
    - "secret"
  hostNetwork: false
  hostPID: false
  hostIPC: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: MustRunAs
    ranges:               # MustRunAs is rejected without at least one range
      - min: 1
        max: 65535
  fsGroup:
    rule: MustRunAs
    ranges:
      - min: 1
        max: 65535
# The policy only takes effect for service accounts granted the "use" verb on
# it through RBAC; the PSP object alone enforces nothing.
- PodDisruptionBudget (PDB)
A PDB ensures that a certain number or percentage of pods are always available during voluntary disruptions (like node maintenance or pod updates).
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: prod-pdb
  namespace: production
spec:
  # With exactly two matching pods running, minAvailable: 2 blocks every
  # voluntary eviction (for example a node drain) until more replicas exist.
  minAvailable: 2
  selector:
    matchLabels:
      app: prod-app
- Taints and Tolerations
Taints are applied to nodes, and tolerations let only certain pods run on those nodes. Setting a taint on your production nodes ensures that only production workloads are scheduled there.
apiVersion: v1
kind: Node
metadata:
  name: prod-node
spec:
  taints:
    # Equivalent: kubectl taint nodes prod-node environment=production:NoSchedule
    - effect: NoSchedule
      key: "environment"
      value: "production"
# Production pods need a matching entry in spec.tolerations; pair it with a
# nodeSelector or node affinity if they must also stay off the other nodes.
- Audit Logging
Set up audit logging to track the activities within the production namespace for security and compliance. The webhook below forwards every CREATE, UPDATE and DELETE of a Deployment to an in-cluster audit service.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: prod-audit-webhook
webhooks:
  - name: audit-prod.example.com
    clientConfig:
      service:
        name: audit-service
        namespace: production
        path: /audit
      # caBundle: <base64 CA that signed the audit-service serving certificate>
    rules:
      - operations: ["CREATE", "UPDATE", "DELETE"]
        apiGroups: ["apps"]
        apiVersions: ["v1"]
        resources: ["deployments"]
    # Restrict the webhook to the production namespace using the label the
    # API server sets on every namespace.
    namespaceSelector:
      matchLabels:
        kubernetes.io/metadata.name: production
    # Both fields are required in admissionregistration.k8s.io/v1.
    sideEffects: None
    admissionReviewVersions: ["v1"]
    # failurePolicy defaults to Fail: if audit-service is unreachable, the
    # matching requests are rejected rather than silently unrecorded.
# The kube-apiserver's own audit log is configured separately through an audit
# policy file (--audit-policy-file); an admission webhook only sees admitted writes.
- HorizontalPodAutoscaler (HPA)
Configure HPA to scale your production pods based on resource usage.
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: prod-hpa
  namespace: production
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: prod-app
  minReplicas: 2
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          # Percentage of the pods' CPU request; needs the metrics API (metrics-server).
          averageUtilization: 50