KubeDojo

Namespace Isolation and Network Segmentation

by Alexis Kinsella · 15 min read
Creating a namespace feels like building a wall. You run kubectl create namespace team-alpha, deploy your workloads into it, and assume they're isolated from everything else in the cluster. They're not. A namespace is a naming scope, not a security boundary. Without additional controls, any pod in team-alpha can talk to any pod in team-beta, consume unbounded resources, and resolve DNS names across the entire cluster. Real isolation requires layers: namespaces define the scope, ResourceQuotas and LimitRanges enforce resource boundaries, network segmentation controls traffic, and RBAC governs access.

Isolation and segmentation is a core competency in the KCSA Kubernetes Security Fundamentals domain (22% of the exam). The exam tests whether you understand what namespaces actually isolate, how resource controls prevent abuse, and when namespace-per-tenant isolation breaks down. This article covers how those layers fit together.
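
The four layers named above, written out as manifests for the team-alpha namespace. This is an added example, not part of the original lesson; the object names, the quota and limit values, and the team-alpha-devs group are assumptions.

```yaml
# Added example (not from the lesson); names and values are constructed.
apiVersion: v1
kind: ResourceQuota            # caps total consumption across the namespace
metadata:
  name: team-alpha-quota
  namespace: team-alpha
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    pods: "20"
---
apiVersion: v1
kind: LimitRange               # per-container defaults; without them the quota rejects pods that set no requests/limits
metadata:
  name: team-alpha-defaults
  namespace: team-alpha
spec:
  limits:
    - type: Container
      defaultRequest: {cpu: 100m, memory: 128Mi}
      default: {cpu: 500m, memory: 512Mi}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy            # default deny: selects every pod, allows no ingress or egress
metadata:
  name: default-deny-all
  namespace: team-alpha
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding              # grants the built-in edit role inside team-alpha only
metadata:
  name: team-alpha-edit
  namespace: team-alpha
subjects:
  - kind: Group
    name: team-alpha-devs      # hypothetical group name
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
```

The NetworkPolicy only has an effect when the cluster's network plugin enforces NetworkPolicy objects. With egress denied, pods in team-alpha also lose DNS resolution until an explicit allow rule is added.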
