hundreds-evening-84071

05/05/2023, 7:22 PM
I am posting here in general to get some inputs on how some of you guys deal with this issue... How can we possibly prevent users from accidentally deploying something in kube-system or cattle-system namespace? Yes by training is one, but accidents can happen. There is a way deploying to default namespace is disallowed; is there similar method for kube-system and cattle-system?
brainy-printer-12087

05/08/2023, 9:40 AM
you can either not allow the deployment by project/namespace or simply hide system namespaces from the preferences
in the latest version I've filtered them out pretty much like on the top
hundreds-evening-84071

05/08/2023, 10:04 PM
sorry - a newbie follow-up question... do you have an example of where I can set the same filter(s)?
brainy-printer-12087

05/09/2023, 7:52 AM
If it is a single-user case and you can simply hint to disable it, hiding the system namespaces is the easiest way
if instead you are configuring the users, you can set some restrictions in the namespace or in the cluster, depending on your needs
hundreds-evening-84071

05/09/2023, 6:49 PM
Thank you!
acoustic-sugar-94270

05/09/2023, 6:53 PM
Maybe late to the party… But since you are checking out NeuVector, yes, you can set admission control filters to block deployments to specific namespaces.
The "monitor" mode won't block the image, but will report that it was violating the admission control rule… In "protect" mode, the image will not be allowed to schedule in the cluster (blocked).
hundreds-evening-84071

05/09/2023, 7:03 PM
this is fantastic! I did try the above filter with the default namespace. For setting the same filter on kube-system and cattle-system, would it still allow future kubernetes upgrades which would update things in kube-system?