
Kubernetes

Namespace Definition

Every namespace carries the four naming-convention segments (project, env, service, team) as labels, plus Backstage and ArgoCD traceability labels, so the same namespace can be found from any of the three views.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: payments-prod-api
  labels:
    # Convention segments
    project: payments
    env: prod
    service: api
    team: team-payments

    # Backstage semantic labels
    backstage.io/domain: payments
    backstage.io/system: gateway
    backstage.io/component: gateway-api

    # ArgoCD traceability
    argocd/app: gateway-api-prod
    argocd/app-set: gateway
    argocd/project: payments
```

Querying Across Dimensions

```shell
kubectl get ns -l project=payments                    # all namespaces for a domain
kubectl get ns -l env=prod                            # all prod namespaces
kubectl get ns -l backstage.io/component=gateway-api  # all envs for a component
kubectl get ns -l argocd/app=gateway-api-prod         # namespace owned by an Application
kubectl get ns --show-labels                          # full label view
```

NetworkPolicy — Isolate by Project

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-isolation
  namespace: payments-prod-api
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              project: payments
    - from:
        - namespaceSelector:
            matchLabels:
              project: platform
              service: ingress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              project: payments
    - to:
        - namespaceSelector:
            matchLabels:
              project: platform
    - ports:
        - {protocol: UDP, port: 53}
        - {protocol: TCP, port: 53}
```

With podSelector: {} and both policy types listed, every pod in the namespace is selected and any flow not matched by a rule is dropped in both directions. Ingress is accepted from any namespace labelled project: payments (including this one) and from platform namespaces labelled service: ingress. Egress is broader: pods may reach any port in any project: payments or project: platform namespace, and the last rule, which has no to: clause, allows port 53 to any destination so that cluster DNS works.

Two caveats. Matching is purely on namespace labels, so the isolation is only as strong as control over who can set labels on Namespace objects: a namespace that acquires project: payments is trusted regardless of who owns it, and namespace label changes should stay with whatever owns the namespace (here the ArgoCD Application recorded in argocd/app) rather than with individual teams. The policy also only takes effect on a CNI that enforces NetworkPolicy.
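The rule semantics described above are easy to get wrong (rules are ORed, the peer list and the port list inside one rule are ANDed, a missing list means "any", and a podSelector without a namespaceSelector only reaches the policy's own namespace). The following evaluator is an added example, not part of this page or the create-service template: it transcribes the policy into a Python dict and replays constructed flows against it, including one from a namespace that has been mislabelled project: payments, which the policy cannot distinguish from a genuine one. Namespace names and labels in the checks are made up for the example; ipBlock peers are not modelled.

```python
"""Offline evaluator for the default-isolation NetworkPolicy.

Added example; not the page's or the template's code. POLICY is a hand
transcription of the policy above (not read from a cluster) and the
namespaces used in the checks are constructed.
"""

POLICY_NS = "payments-prod-api"
POLICY = {
    "podSelector": {},                      # every pod in the namespace
    "policyTypes": ["Ingress", "Egress"],
    "ingress": [
        {"from": [{"namespaceSelector": {"matchLabels": {"project": "payments"}}}]},
        {"from": [{"namespaceSelector": {"matchLabels": {"project": "platform", "service": "ingress"}}}]},
    ],
    "egress": [
        {"to": [{"namespaceSelector": {"matchLabels": {"project": "payments"}}}]},
        {"to": [{"namespaceSelector": {"matchLabels": {"project": "platform"}}}]},
        {"ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]},
    ],
}


def selector_matches(selector, labels):
    """matchLabels: every listed key must carry that value (AND); {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, ns_name, ns_labels, pod_labels):
    """One entry of from:/to:. namespaceSelector and podSelector in the same entry are
    ANDed; a podSelector without a namespaceSelector only covers the policy's own namespace."""
    if "ipBlock" in peer:
        raise NotImplementedError("ipBlock peers are not modelled in this example")
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    ns_ok = selector_matches(ns_sel, ns_labels) if ns_sel is not None else ns_name == POLICY_NS
    pod_ok = pod_sel is None or selector_matches(pod_sel, pod_labels)
    return ns_ok and pod_ok


def port_matches(rule_port, protocol, port):
    """protocol defaults to TCP; endPort (if present) turns port into a range."""
    low = rule_port["port"]
    return rule_port.get("protocol", "TCP") == protocol and low <= port <= rule_port.get("endPort", low)


def allowed(policy, direction, ns_name, ns_labels, protocol, port, pod_labels=None):
    """True if the policy admits the flow. direction is 'ingress' (peer is the source)
    or 'egress' (peer is the destination)."""
    if direction.capitalize() not in policy.get("policyTypes", []):
        return True  # the policy does not restrict this direction at all
    peer_key = "from" if direction == "ingress" else "to"
    for rule in policy.get(direction, []):        # rules are ORed
        peers, ports = rule.get(peer_key), rule.get("ports")
        # inside one rule the peer list and the port list are ANDed; a missing list means "any"
        peer_ok = peers is None or any(peer_matches(p, ns_name, ns_labels, pod_labels or {}) for p in peers)
        port_ok = ports is None or any(port_matches(rp, protocol, port) for rp in ports)
        if peer_ok and port_ok:
            return True
    return False                                  # selected pods with no matching rule: denied


# Constructed namespaces (labels follow the convention on this page)
PAYMENTS_DEV = {"project": "payments", "env": "dev", "service": "ledger", "team": "team-payments"}
PLATFORM_INGRESS = {"project": "platform", "env": "prod", "service": "ingress", "team": "team-platform"}
PLATFORM_MONITOR = {"project": "platform", "env": "prod", "service": "monitoring", "team": "team-platform"}
BILLING_PROD = {"project": "billing", "env": "prod", "service": "api", "team": "team-billing"}
# A namespace someone else has labelled project=payments: indistinguishable to the policy
MISLABELLED = {"project": "payments", "env": "prod", "service": "scratch", "team": "team-other"}

if __name__ == "__main__":
    checks = [
        ("ingress", "payments-dev-ledger", PAYMENTS_DEV, "TCP", 8080),
        ("ingress", "platform-prod-monitoring", PLATFORM_MONITOR, "TCP", 8080),
        ("ingress", "platform-prod-ingress", PLATFORM_INGRESS, "TCP", 8080),
        ("ingress", "other-prod-scratch", MISLABELLED, "TCP", 8080),
        ("egress", "platform-prod-monitoring", PLATFORM_MONITOR, "TCP", 9090),
        ("egress", "billing-prod-api", BILLING_PROD, "TCP", 443),
        ("egress", "billing-prod-api", BILLING_PROD, "UDP", 53),
    ]
    for direction, name, labels, proto, port in checks:
        verdict = "ALLOW" if allowed(POLICY, direction, name, labels, proto, port) else "DENY"
        print(f"{direction:7} {name:25} {proto}/{port:<5} {verdict}")
```

Running it shows the asymmetry noted above: a platform monitoring namespace is denied ingress but reachable on any port via egress, a billing namespace is reachable only on port 53, and the mislabelled namespace is allowed in exactly like a real payments namespace.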

ResourceQuota — Sized by Environment

Generated automatically by the create-service template:

| Env | CPU requests | Memory requests | CPU limits | Memory limits | Pods |
|---------|------|-------|---|------|----|
| dev     | 500m | 512Mi | 1 | 1Gi  | 5  |
| staging | 2    | 4Gi   | 4 | 8Gi  | 10 |
| prod    | 4    | 8Gi   | 8 | 16Gi | 20 |

Workload Security Defaults

Every Deployment generated by create-service includes:

```yaml
spec.securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  fsGroup: 1000

containers[*].securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop: [ALL]
```

These cover the container-level requirements of the Pod Security Standards restricted profile with one gap: restricted additionally requires seccompProfile.type set to RuntimeDefault or Localhost, which the generated defaults do not set. Two practical consequences of the defaults: readOnlyRootFilesystem: true means any path the process writes to (for example /tmp or a cache directory) needs an explicit emptyDir volume, and runAsUser: 1000 assumes the image's files are readable by that uid. Container-level securityContext fields override the pod-level ones, so a single container that sets its own runAsUser silently undoes the pod-level default.
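Because a container can override the pod-level block, a useful pre-merge check is to compute the effective setting per container rather than inspect the pod-level securityContext alone. The audit below is an added example, not part of this page or the create-service template; the required values are the defaults listed above and the two pod templates it checks are constructed (container names and images are made up).

```python
"""Audit a Pod template against the workload security defaults on this page.

Added example; not the page's or the template's code. Required values are the
page's defaults; the pod specs at the bottom are constructed inputs.
"""

EXPECTED_RUN_AS_USER = 1000   # template default from the page
EXPECTED_FS_GROUP = 1000      # pod-level only; there is no container-level fsGroup


def effective(pod_sc, ctr_sc, key):
    """runAsNonRoot/runAsUser exist at both levels; the container-level value wins."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)


def audit_pod_spec(spec):
    """Return a list of findings; an empty list means the spec matches the defaults."""
    findings = []
    pod_sc = spec.get("securityContext") or {}
    if pod_sc.get("fsGroup") != EXPECTED_FS_GROUP:
        findings.append(f"pod: fsGroup={pod_sc.get('fsGroup')}, expected {EXPECTED_FS_GROUP}")
    # init containers run under the same rules as app containers
    for ctr in spec.get("initContainers", []) + spec.get("containers", []):
        name = ctr["name"]
        sc = ctr.get("securityContext") or {}
        if effective(pod_sc, sc, "runAsNonRoot") is not True:
            findings.append(f"{name}: effective runAsNonRoot is not true")
        uid = effective(pod_sc, sc, "runAsUser")
        if uid != EXPECTED_RUN_AS_USER:
            findings.append(f"{name}: effective runAsUser={uid}, expected {EXPECTED_RUN_AS_USER}")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation must be explicitly false")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem must be true")
        if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop must include ALL")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
    return findings


# Constructed pod template that matches the defaults exactly
COMPLIANT = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 1000},
    "containers": [{
        "name": "api",
        "image": "gateway-api:local",
        "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"]}},
    }],
}

# Constructed drift: pod-level block is intact, but the app container overrides runAsUser
# and an init container was added without any securityContext at all
DRIFTED = {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 1000},
    "initContainers": [{"name": "migrate", "image": "gateway-migrate:local"}],
    "containers": [{
        "name": "api",
        "image": "gateway-api:local",
        "securityContext": {"runAsUser": 0, "allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}},
    }],
}

if __name__ == "__main__":
    for label, spec in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        print(label, audit_pod_spec(spec) or ["ok"])
```

The drifted template passes a naive check of spec.securityContext but produces four findings here: three for the unhardened init container and one for the api container whose effective uid is 0.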

The HPA scales replicas per env between a minimum and a maximum (dev 1→2, staging 2→5, prod 3→10); the replica range has to fit inside the env's ResourceQuota or the HPA will request replicas the quota never admits. A PodDisruptionBudget with minAvailable: 1 is applied in prod. The ArgoCD Application carries ignoreDifferences on /spec/replicas so that the HPA-managed replica count is not reported as drift and reset on sync; note that ignoreDifferences by itself only affects diffing, so an Application with selfHeal enabled also needs the RespectIgnoreDifferences=true sync option for the field to be left alone during sync.
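The interaction between the quota table and the HPA range is easy to miss until scale-out stalls with pods rejected by the quota. The check below is an added example, not part of this page or the create-service template: it turns the quota table into ResourceQuota hard values, parses Kubernetes CPU and memory quantities, and works out how many replicas of a given pod each env's quota admits compared with the HPA min/max. The two pod profiles are constructed, and the check assumes the namespace holds no other pods (so the whole quota is available to this one Deployment).

```python
"""HPA headroom against the per-environment ResourceQuota.

Added example; not the page's or the template's code. QUOTAS is the quota table
from this page as ResourceQuota `hard` values, HPA holds the page's min/max
replicas, and the pod profiles are constructed. Assumes an otherwise empty namespace.
"""

QUOTAS = {
    "dev":     {"requests.cpu": "500m", "requests.memory": "512Mi", "limits.cpu": "1", "limits.memory": "1Gi",  "pods": "5"},
    "staging": {"requests.cpu": "2",    "requests.memory": "4Gi",   "limits.cpu": "4", "limits.memory": "8Gi",  "pods": "10"},
    "prod":    {"requests.cpu": "4",    "requests.memory": "8Gi",   "limits.cpu": "8", "limits.memory": "16Gi", "pods": "20"},
}
HPA = {"dev": (1, 2), "staging": (2, 5), "prod": (3, 10)}   # (minReplicas, maxReplicas)

# Binary suffixes are listed first so "Mi" is tried before "M"
_MEM_UNITS = {"Ki": 1024, "Mi": 1024**2, "Gi": 1024**3, "Ti": 1024**4,
              "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}


def parse_cpu_millis(q):
    """Kubernetes CPU quantity to millicores: '500m' -> 500, '2' -> 2000, '0.5' -> 500."""
    q = str(q)
    return int(q[:-1]) if q.endswith("m") else int(round(float(q) * 1000))


def parse_memory_bytes(q):
    """Kubernetes memory quantity to bytes: '512Mi', '4Gi', '1G', or a bare byte count."""
    q = str(q)
    for suffix, mult in _MEM_UNITS.items():
        if q.endswith(suffix):
            return int(float(q[: -len(suffix)]) * mult)
    return int(q)


def replicas_admitted(env, pod):
    """Largest replica count the env quota admits for a pod with these per-pod totals
    (summed over all its containers), plus the quota key that binds first."""
    hard = QUOTAS[env]
    caps = {
        "requests.cpu":    parse_cpu_millis(hard["requests.cpu"]) // parse_cpu_millis(pod["requests.cpu"]),
        "requests.memory": parse_memory_bytes(hard["requests.memory"]) // parse_memory_bytes(pod["requests.memory"]),
        "limits.cpu":      parse_cpu_millis(hard["limits.cpu"]) // parse_cpu_millis(pod["limits.cpu"]),
        "limits.memory":   parse_memory_bytes(hard["limits.memory"]) // parse_memory_bytes(pod["limits.memory"]),
        "pods":            int(hard["pods"]),
    }
    binding = min(caps, key=caps.get)   # first key with the smallest cap
    return caps[binding], binding


def hpa_headroom(env, pod):
    """Does the HPA range for env fit inside what the quota admits?"""
    min_r, max_r = HPA[env]
    cap, binding = replicas_admitted(env, pod)
    return {"env": env, "min": min_r, "max": max_r, "quota_cap": cap, "binding": binding,
            "can_reach_min": cap >= min_r, "can_reach_max": cap >= max_r}


# Constructed per-pod totals
LIGHT_POD = {"requests.cpu": "250m", "requests.memory": "256Mi", "limits.cpu": "500m", "limits.memory": "512Mi"}
HEAVY_POD = {"requests.cpu": "500m", "requests.memory": "1Gi", "limits.cpu": "1", "limits.memory": "2Gi"}

if __name__ == "__main__":
    for label, pod in (("light", LIGHT_POD), ("heavy", HEAVY_POD)):
        for env in QUOTAS:
            r = hpa_headroom(env, pod)
            print(f"{label:5} {env:7} HPA {r['min']}->{r['max']:<3} quota admits {r['quota_cap']:2} "
                  f"({r['binding']})  min={'ok' if r['can_reach_min'] else 'BLOCKED'} "
                  f"max={'ok' if r['can_reach_max'] else 'BLOCKED'}")
```

For the light profile every env can reach its HPA maximum. The heavy profile fits the prod minimum but caps out at 8 replicas against a maximum of 10, reaches only 4 of 5 in staging, and cannot schedule a single replica in dev because its 1Gi memory request exceeds the 512Mi quota outright.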