To enable a basic layer of isolation between namespaces, a Helm chart called isolation-templates is shown as a recommended app for your clusters. Installing this app into your cluster installs a cluster-wide PodSecurityPolicy as well as templates for NetworkPolicies and for LimitRanges (resource limits).
The isolation-templates chart installs a cluster-wide PodSecurityPolicy (see YAML template on GitHub).
It is highly recommended to have a PodSecurityPolicy in your cluster.
The isolation-templates chart installs 4 templates for NetworkPolicies:
deny-default: forbids all network traffic (see YAML template on GitHub)
allow-same-namespace: allows traffic only within this namespace (see YAML template on GitHub)
allow-dns: if the space should be able to resolve domain names (see YAML template on GitHub)
allow-internet: allows internet traffic for this namespace (see YAML template on GitHub)
It is recommended to enforce all network policies provided by the isolation-templates chart. Learn how to enforce a template for your cluster accounts.
If you want to use one of the network policies, you should always use deny-default and combine it with any other allow-* policies you want to use. Just using one or multiple allow-* policies will not have any effect if you do not use the
The isolation-templates chart installs one template that shows you how to configure a LimitRange (see YAML template on GitHub).
The LimitRange defined by the template within the isolation-templates chart is just an example. It is strongly recommended that you define additional templates with additional LimitRanges and then enforce these templates for your cluster accounts. Learn how to enforce a template for your cluster accounts.
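For the network policy guidance above (deny-default combined with the allow-* policies you need), the following added example shows what such a combination looks like as plain Kubernetes NetworkPolicy objects. It is not the chart's own templates: the namespace team-a and the exact rules are assumptions made for illustration.

```yaml
# Added example; namespace and rules are assumptions, not the chart's templates.
# Baseline: select every pod in the namespace and allow nothing.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-default
  namespace: team-a          # hypothetical namespace
spec:
  podSelector: {}            # empty selector = all pods in the namespace
  policyTypes:
    - Ingress
    - Egress
  # no ingress/egress rules listed, so both directions are denied
---
# Exception 1: pods may talk to other pods in the same namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: team-a
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector: {}    # any pod in this namespace
  egress:
    - to:
        - podSelector: {}
---
# Exception 2: pods may send DNS queries (port 53, any destination).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: team-a
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

NetworkPolicies are additive, so the two allow policies open only the listed paths on top of the deny-default baseline; internet egress stays blocked because no allow-internet policy is applied here.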