3

In this example on the Kubernetes Ingress git repo, I see that the default-backend service and the Nginx Ingress controller are deployed in the kube-system namespace. But in this example regarding static-ip, they don't specify the kube-system namespace.

And for both of those examples, I've found that placing Ingress itself (nginx-ingress.yaml) in the default namespace works.

Should I be putting things in the kube-system namespace? And more generally, what is the significance of the kube-system namespace?

This other StackOverflow question is the only other thing I've found talking about the kube-system namespace.

gunit

1 Answer

1

kube-system is just a namespace as any other. It is usually created by default though, and most people put cluster related stuff in it. Although, i.e., you will find a kubernetes.default service anyway.

Radek 'Goblin' Pieczonka
  • this is not correct, https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/#review-third-party-integrations-before-enabling-them – risail Mar 14 '22 at 16:31
  • this in no way undermines my claim that `kube-system` is a namespace as any other. The same security considerations apply to *any* namespace you're deploying to – Radek 'Goblin' Pieczonka Mar 15 '22 at 13:53
  • It's not just a namespace, any more than /bin is "just a folder". There are specific security implications of putting new objects into that NS. "most people put cluster-related stuff in it" then most people would be wrong. – risail Mar 15 '22 at 17:35
  • Putting something into the `kube-system` namespace does not give it any elevated access. For example default service account of the namespace has exactly the same access level as default SA in any other namespace. If you have access rights to mess with SAs, you can do as much harm from any other namespace. That is not to say you should indiscriminately deploy everything to that namespace, you have namespaces to organize and simplify mgmt (sec incl.), in that I agree. Also, technically you can provision a working cluster that does not have this NS at all (not that you should) – Radek 'Goblin' Pieczonka Mar 16 '22 at 10:43
  • Oh, and by the way, I just noticed it's a damn old question/response, RBAC was made GA only that year with 1.6 release and many of the clusters in the wild did not have it even rolled out yet -_-. So I do agree there is more to it than there was back then. – Radek 'Goblin' Pieczonka Mar 16 '22 at 10:53
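
The comments above turn on what access the service accounts in a namespace actually hold under RBAC. As an added example (not from the question, the answer or its comments), this Python function lists the bindings that grant roles to service accounts in a given namespace, reading JSON shaped like the output of `kubectl get clusterrolebindings,rolebindings -A -o json`. The sample bindings and the names `ingress-admin`, `ingress-cm`, `ns-wide-view`, `no-subjects`, `nginx-ingress` and `configmap-reader` are constructed for illustration.

```python
import json

# Constructed sample shaped like the items from
# `kubectl get clusterrolebindings,rolebindings -A -o json` (not real cluster data).
SAMPLE = json.loads("""
{"items": [
 {"kind": "ClusterRoleBinding", "metadata": {"name": "ingress-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "nginx-ingress", "namespace": "kube-system"}]},
 {"kind": "RoleBinding", "metadata": {"name": "ingress-cm", "namespace": "default"},
  "roleRef": {"kind": "Role", "name": "configmap-reader"},
  "subjects": [{"kind": "ServiceAccount", "name": "nginx-ingress", "namespace": "default"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "ns-wide-view"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "Group", "name": "system:serviceaccounts:kube-system"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "no-subjects"},
  "roleRef": {"kind": "ClusterRole", "name": "edit"}}
]}
""")

def grants_for_namespace(bindings, namespace):
    """Return sorted (subject, role, scope) tuples for bindings whose subjects
    are service accounts in `namespace`, or a group that contains them."""
    # Built-in groups: every service account, and every service account in one namespace.
    groups = {"system:serviceaccounts", f"system:serviceaccounts:{namespace}"}
    found = set()
    for b in bindings.get("items", []):
        # A ClusterRoleBinding applies cluster-wide; a RoleBinding only in its own namespace.
        scope = "cluster" if b["kind"] == "ClusterRoleBinding" else "ns/" + b["metadata"]["namespace"]
        role = f'{b["roleRef"]["kind"]}/{b["roleRef"]["name"]}'
        for s in b.get("subjects") or []:  # subjects may be absent or null
            if s["kind"] == "ServiceAccount" and s.get("namespace") == namespace:
                found.add((f'sa/{s["name"]}', role, scope))
            elif s["kind"] == "Group" and s["name"] in groups:
                found.add((f'group/{s["name"]}', role, scope))
    return sorted(found)

if __name__ == "__main__":
    for ns in ("kube-system", "default"):
        print(ns)
        for subject, role, scope in grants_for_namespace(SAMPLE, ns):
            print(f"  {subject} -> {role} ({scope})")
```

Running the same function against each namespace of a real cluster shows which namespaces have service accounts bound to broad roles, which is the fact to check before deciding where a new workload goes.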