The Kubernetes scopes hierarchy matters for the scope resolution process. Scope resolution finds the most specific scope that contains a workload, and that scope determines which policy is applied to the Kubernetes workload.

Scope Resolution for Kubernetes Workloads in Overlapping Scopes

Scopes overlap by design, so a workload can belong to several scopes at once. However, each Kubernetes workload is associated with exactly one policy. The scope resolution logic selects, for each workload, the policy attached to the most specific scope that contains it.

By planning the scopes, you can determine which policy to apply to specific areas in your Kubernetes environment without affecting the rest of the system.

Scope Ranking

Scopes are ranked by specificity. Specific scopes take precedence over general scopes.

The following diagrams and table rank scopes. The diagrams display boxes in various colors for workloads in cluster groups and namespaces, and a green box for the scope that encompasses them. The most specific scope is at the top of the hierarchy.

Example Illustration of Scopes

Ranking (most specific first) and description:

1. Resources in specific namespaces in specific clusters: The most specific definition of a scope for applying a particular Kubernetes hardening policy.

2. Resources in specific namespaces in specific cluster groups: Only these particular namespaces inside the selected cluster groups are covered.

3. Resources in specific clusters: All namespaces in the selected clusters are covered. Example scope: test-acme-app, to test the application in an isolated testing cluster.

4. Resources in specific namespaces in any cluster: Application scopes that are defined for a namespace and are valid for all clusters that contain that namespace. Example: a scope across the whole Kubernetes environment that covers the namespace acme-app.

5. Resources in specific cluster groups: This high-level scope covers groups of clusters. Example: two scopes, one for the Production environment and one for the Testing environment.

6. All resources (the Any scope): The default Any scope contains all workloads in the system and overlaps with all other scopes. Scopes for specific Kubernetes resources take precedence over the default scope.
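The ranking above, as an added example that is not the product's own code: a small resolver that finds the most specific scope for a workload, using the six scope kinds in the order the table gives. The Scope and Workload models, the field names and the sample scopes are assumptions for illustration; the page defines no tie-break between two scopes of the same rank, so the resolver reports that case as ambiguous instead of guessing.

```python
from dataclasses import dataclass
# Scope kinds from most specific (index 0) to the default Any scope (index 5).
KINDS = ("namespaces_in_clusters", "namespaces_in_cluster_groups", "clusters",
         "namespaces_in_any_cluster", "cluster_groups", "any")

@dataclass(frozen=True)
class Scope:                 # hypothetical model, not the product's own schema
    name: str
    kind: str                # one of KINDS
    policy: str
    clusters: frozenset = frozenset()
    cluster_groups: frozenset = frozenset()
    namespaces: frozenset = frozenset()

@dataclass(frozen=True)
class Workload:
    cluster: str
    cluster_group: str
    namespace: str

def matches(s: Scope, w: Workload) -> bool:
    """True when the workload lies inside the scope's selector."""
    in_cluster = w.cluster in s.clusters
    in_group = w.cluster_group in s.cluster_groups
    in_ns = w.namespace in s.namespaces
    return {"namespaces_in_clusters": in_cluster and in_ns,
            "namespaces_in_cluster_groups": in_group and in_ns,
            "clusters": in_cluster,
            "namespaces_in_any_cluster": in_ns,
            "cluster_groups": in_group,
            "any": True}[s.kind]

def resolve(scopes, w: Workload) -> Scope:
    """Return the single most specific scope that contains the workload."""
    hits = [s for s in scopes if matches(s, w)]          # Any always matches
    best = min(KINDS.index(s.kind) for s in hits)
    winners = [s for s in hits if KINDS.index(s.kind) == best]
    if len(winners) != 1:    # the page defines no tie-break between equal ranks
        raise ValueError(f"ambiguous at rank {best}: {[s.name for s in winners]}")
    return winners[0]

# Constructed sample scopes that mirror the page's examples (names are illustrative).
SCOPES = [
    Scope("Any", "any", "baseline"),
    Scope("Production", "cluster_groups", "prod-hardening", cluster_groups=frozenset({"prod"})),
    Scope("Testing", "cluster_groups", "test-hardening", cluster_groups=frozenset({"test"})),
    Scope("test-acme-app", "clusters", "isolated-test", clusters=frozenset({"test-cluster-1"})),
    Scope("acme-app", "namespaces_in_any_cluster", "acme-policy", namespaces=frozenset({"acme-app"})),
]
```

A workload in the acme-app namespace of the isolated test cluster resolves to the test-acme-app cluster scope (rank 3), not to the acme-app namespace scope (rank 4), because the cluster scope is the more specific of the two.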