IDENTITY-BASED MICROSEGMENTATION DOCUMENTATION

Create namespaces

About creating Microsegmentation namespaces

TIP

You may find it helpful to review basic Microsegmentation namespace concepts before continuing.

Currently, you just have one Microsegmentation namespace: your root namespace. It bears the name of your organization. For example, if we worked for Acme, Inc., our root namespace would be /acme.

Kubernetes enforcers are deployed to grandchild namespaces, and host enforcers to great grandchild namespaces, so you must create the child, grandchild, and (if you have hosts) great grandchild namespaces before you deploy any enforcer. Plan the hierarchy carefully: once an enforcer has registered in a namespace, you can't move it to another namespace. To switch namespaces you have to uninstall and reinstall the enforcer.

We provide a wizard in the Microsegmentation section of the Prisma Cloud web interface to help you create your namespaces. Alternatively, you can use apoctl to create them, as described below.

1. Create child namespaces

Operators work in the child-level namespaces, where they create network policies that propagate down to the grandchildren. This is how you ensure that every grandchild conforms to your organization's security requirements.

In the following examples, we store the names of two teams (or projects) in environment variables. We use team-a and team-b.

export CHILD1=team-a
export CHILD2=team-b

Use the following command to create the first child namespace.

cat <<EOF | apoctl api create namespace -f -
name: $CHILD1
EOF

Next, create the second child namespace.

cat <<EOF | apoctl api create namespace -f -
name: $CHILD2
EOF

Confirm the creation.

apoctl api list namespace --output yaml

Repeat these steps to add other children as needed.

2. Create grandchild namespaces

In the following examples, the grandchildren correspond to the security zones of the resources they will hold; we call them dev and prod. Create environment variables as follows.

export GRANDCHILD1=dev
export GRANDCHILD2=prod

Use the following command to create the first grandchild namespace under team-a.

cat <<EOF | apoctl api create namespace -n $CHILD1 -f -
name: $GRANDCHILD1
EOF

Next, create the second grandchild namespace under team-a.

cat <<EOF | apoctl api create namespace -n $CHILD1 -f -
name: $GRANDCHILD2
EOF

Confirm the creation.

apoctl api list namespace -n $CHILD1 --output yaml

Now create the first grandchild namespace under team-b.

cat <<EOF | apoctl api create namespace -n $CHILD2 -f -
name: $GRANDCHILD1
EOF

Create the second grandchild namespace under team-b.

cat <<EOF | apoctl api create namespace -n $CHILD2 -f -
name: $GRANDCHILD2
EOF

Confirm the creation.

apoctl api list namespace -n $CHILD2 --output yaml

Repeat these steps to add other grandchildren, as desired.

3. Create great grandchild namespaces

If you use only Kubernetes or OpenShift, you can skip this step. If you plan to deploy enforcers to virtual machines, you need to create a great grandchild namespace for each host. In the following examples, we refer to them as vm1 and vm2; use names that describe your hosts.

export GREATGRANDCHILD1=vm1
export GREATGRANDCHILD2=vm2

Use the following command to create the first great grandchild namespace.

cat <<EOF | apoctl api create namespace -n $CHILD1/$GRANDCHILD1 -f -
name: $GREATGRANDCHILD1
EOF

Next, create the second great grandchild namespace.

cat <<EOF | apoctl api create namespace -n $CHILD1/$GRANDCHILD1 -f -
name: $GREATGRANDCHILD2
EOF

Confirm the creation.

apoctl api list namespace -n $CHILD1/$GRANDCHILD1 --output yaml

Repeat these steps to add other great grandchildren, until you have one for each of your VMs.
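As an added example (not part of the original documentation), the following POSIX shell script performs steps 1 to 3 in one pass from a single declaration of the tree, issuing the same apoctl create and list invocations shown above, with parent paths passed to -n in the same relative form the page uses (for example team-a/dev). The DRY_RUN switch, the TREE record format and the name check are assumptions of this script, not apoctl features; with DRY_RUN=1 (the default) it only prints the commands it would run, so you can review them before anything is created.

```shell
#!/bin/sh
# Added example; not from the Prisma Cloud Microsegmentation documentation.
# Creates the child / grandchild / great grandchild tree from one declaration,
# using the apoctl invocation the page shows:
#   apoctl api create namespace [-n PARENT] -f -
# DRY_RUN is an assumption of this script: with DRY_RUN=1 (the default) the
# commands are printed instead of executed, so the logic can be checked on a
# machine without apoctl or access to a Microsegmentation API.
set -eu

: "${DRY_RUN:=1}"

# Namespace names become path components, so refuse names that would be
# ambiguous or unsafe: empty, containing '/' or whitespace, or beginning
# with '-' (which apoctl would read as an option).
valid_ns_name() {
  case "$1" in
    '' | */* | *[[:space:]]* | -*) return 1 ;;
  esac
  return 0
}

# Join a parent path and a name into the value passed to apoctl's -n flag.
ns_path() {
  if [ -z "$1" ]; then printf '%s\n' "$2"; else printf '%s/%s\n' "$1" "$2"; fi
}

# Create one namespace under PARENT ('' for the root). The manifest is the
# same one-line YAML the page feeds in through a heredoc.
create_ns() {
  parent=$1; name=$2
  if ! valid_ns_name "$name"; then
    printf 'refusing invalid namespace name: %s\n' "$name" >&2
    return 1
  fi
  if [ -n "$parent" ]; then
    set -- apoctl api create namespace -n "$parent" -f -
  else
    set -- apoctl api create namespace -f -
  fi
  if [ "$DRY_RUN" = 1 ]; then
    printf 'echo "name: %s" | %s\n' "$name" "$*"
  else
    printf 'name: %s\n' "$name" | "$@"
  fi
}

# Confirm a level the way the page does (apoctl api list namespace).
list_ns() {
  if [ -n "$1" ]; then
    set -- apoctl api list namespace -n "$1" --output yaml
  else
    set -- apoctl api list namespace --output yaml
  fi
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create PARENT/NAME once, even when several tree records share a parent.
created=''
ensure_ns() {
  _path=$(ns_path "$1" "$2")
  if printf '%s\n' "$created" | grep -qxF -- "$_path"; then
    return 0
  fi
  create_ns "$1" "$2"
  created="$created
$_path"
}

# Constructed example tree, one record per line:  child:grandchild[:host ...]
# Hosts are the great grandchildren that VM enforcers register in; omit the
# field for zones that will hold only Kubernetes or OpenShift enforcers.
TREE='team-a:dev:vm1 vm2
team-a:prod
team-b:dev
team-b:prod'

# Walk the tree top-down so every parent exists before its children.
build_tree() {
  created=''
  while IFS=: read -r child grandchild hosts; do
    [ -n "$child" ] || continue
    ensure_ns '' "$child"
    [ -n "$grandchild" ] || continue
    ensure_ns "$child" "$grandchild"
    for host in $hosts; do
      ensure_ns "$(ns_path "$child" "$grandchild")" "$host"
    done
  done <<EOF
$TREE
EOF
}

build_tree
list_ns ''
```

Run it once with the default DRY_RUN=1 and read the eight create commands it prints; when they match the hierarchy you intend, run it again with DRY_RUN=0 against your tenant, then confirm each level with the list command as in the steps above. Because an enforcer cannot be moved after it registers, this review is the cheap place to catch a misnamed zone or host.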

You should now have a very basic namespace structure and can proceed to deploy enforcers.