Adding user ID annotations to namespaces

In Kubernetes, namespaces provide a mechanism for isolating groups of resources within a single cluster. Multiple namespaces might be used to separate different services into manageable chunks, for example one namespace for development and another for test. Namespaces help different teams to share a Kubernetes cluster.

Kubernetes administrator

By default, a Kubernetes cluster includes a namespace that is called default. New namespaces can be created and added to a cluster, see Adding namespaces to the cluster.

A namespace can be used as a mechanism to attach authorization and policy to a subsection of the cluster, and can help different teams to share a Kubernetes cluster. Users can be granted access to one or more namespaces by using RBAC. You can restrict the set of user IDs that containers can run under in a namespace by defining the pod-security.zoscp.ibm.com/userids annotation on the namespace resource. When the pod-security.zoscp.ibm.com/userids annotation is set on the namespace, only pods that are associated with one of the user IDs listed in the annotation can be deployed in the namespace.

The namespaces kube-system, kube-flannel, zoscp-zos-pod-admission-controller, and zoscp-zos-security-admission-controller are restricted namespaces. This means that users are not permitted to create resources in these namespaces.

How to add annotations for a user ID to a namespace in the cluster

The following steps add an annotation for the OCIUSER user ID to a namespace that is called development, for a development team to use.

  1. Create a namespace that is called development. See Adding namespaces to the cluster.
  2. View a list of all namespaces:
    kubectl get namespaces
    The output would look similar to the following:
    NAME                                               STATUS    AGE
    default                                            Active    6h
    development                                        Active    1m
    kube-flannel                                       Active    6h
    kube-node-lease                                    Active    6h
    kube-public                                        Active    6h
    kube-system                                        Active    6h
    zoscp-zos-pod-admission-controller                 Active    6h
    zoscp-zos-security-admission-controller            Active    6h
  3. To allow only the OCIUSER user ID to be used by pods in the development namespace, set the pod-security.zoscp.ibm.com/userids annotation on the namespace:
    kubectl annotate ns development pod-security.zoscp.ibm.com/userids='["OCIUSER"]'

    A pod that is deployed in the development namespace must carry the annotation "zoscp.ibm.com/userid": "OCIUSER" in the annotations field of its Kubernetes pod specification. If the user ID in the pod annotation is not one of the user IDs listed in the namespace pod-security.zoscp.ibm.com/userids annotation, the security admission controller rejects the pod creation request with an error and the pod is not created.

  4. Describe the namespace to confirm that the annotation is present. The command kubectl describe ns development produces output similar to the following:
    Name:         development
    Labels:       kubernetes.io/metadata.name=development
    Annotations:  pod-security.zoscp.ibm.com/userids: ["OCIUSER"]
    Status:       Active
    
    No resource quota.
    
    No LimitRange resource.
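
The following script is an added example, not part of this page or of the z/OS Container Platform product code. It puts the procedure above, and the pod-side zoscp.ibm.com/userid annotation that the namespace restriction is checked against, into one runnable form: a pre-flight check that reads the namespace annotation (a JSON list, so any number of user IDs can be listed), verifies that the user ID a pod manifest will carry is in that list, and only then renders and applies the manifest. The namespace name development and the user ID OCIUSER come from the page; the second user ID BATCHUSR, the pod name hello-oci, and the image name are constructed for the example. The kubectl commands run only when kubectl is on the PATH, so the check functions can be exercised offline, for example in CI before a deployment reaches the admission controller.

```shell
#!/bin/sh
# Added example (not product code): mirror the namespace user ID restriction
# as a pre-flight check, then run the real kubectl procedure if kubectl exists.

# Split the JSON list value of pod-security.zoscp.ibm.com/userids into one
# user ID per line, e.g. '["OCIUSER","BATCHUSR"]' -> OCIUSER / BATCHUSR.
userids_from_annotation() {
  printf '%s\n' "$1" | tr -d '[]" ' | tr ',' '\n' | sed '/^$/d'
}

# Exit 0 when the pod user ID is exactly one of the IDs allowed by the
# namespace annotation, 1 otherwise (the admission controller would reject it).
userid_allowed() {
  ns_annotation=$1
  pod_userid=$2
  userids_from_annotation "$ns_annotation" | grep -qx -- "$pod_userid"
}

# Render a pod manifest that carries the zoscp.ibm.com/userid annotation.
# Image name and container name are assumptions for the example.
pod_manifest() {
  ns=$1
  name=$2
  userid=$3
  image=$4
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $name
  namespace: $ns
  annotations:
    zoscp.ibm.com/userid: "$userid"
spec:
  containers:
  - name: app
    image: $image
EOF
}

# Live procedure: annotate the namespace (step 3 on the page), read the
# annotation back, and apply the pod only if its user ID passes the check.
if command -v kubectl >/dev/null 2>&1; then
  kubectl annotate ns development pod-security.zoscp.ibm.com/userids='["OCIUSER"]'
  allowed=$(kubectl get ns development \
    -o jsonpath='{.metadata.annotations.pod-security\.zoscp\.ibm\.com/userids}')
  if userid_allowed "$allowed" OCIUSER; then
    pod_manifest development hello-oci OCIUSER registry.example.com/hello:1.0 \
      | kubectl apply -f -
  else
    echo "OCIUSER is not permitted in namespace development: $allowed" >&2
  fi
fi
```

The match is exact (grep -x), so a pod annotated with a prefix or a different case of a listed ID is reported as not allowed rather than silently accepted; rerunning the annotate command on a namespace that already carries the annotation requires kubectl annotate --overwrite.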

To add role-based access control (RBAC) for users for a namespace in a cluster, see Giving role based access control.