{"id":13846247,"url":"https://github.com/yahoo/k8s-namespace-guard","last_synced_at":"2026-03-05T23:14:13.140Z","repository":{"id":66000693,"uuid":"109158124","full_name":"yahoo/k8s-namespace-guard","owner":"yahoo","description":"K8s - Admission controller for  guarding namespace","archived":false,"fork":false,"pushed_at":"2021-03-20T01:06:51.000Z","size":14,"stargazers_count":37,"open_issues_count":6,"forks_count":9,"subscribers_count":22,"default_branch":"master","last_synced_at":"2024-12-31T07:28:14.693Z","etag":null,"topics":["kubernetes"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/yahoo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-11-01T16:54:42.000Z","updated_at":"2024-08-30T03:18:51.000Z","dependencies_parsed_at":"2023-06-06T10:15:27.189Z","dependency_job_id":null,"html_url":"https://github.com/yahoo/k8s-namespace-guard","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yahoo%2Fk8s-namespace-guard","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yahoo%2Fk8s-namespace-guard/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yahoo%2Fk8s-namespace-guard/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/yahoo%2Fk8s-namespace-guard/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/yahoo","download_url":"https://codeload.github.com/yahoo/k8s-namespace-guard/tar.gz/refs/
heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252451835,"owners_count":21749996,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["kubernetes"],"created_at":"2024-08-04T18:00:20.933Z","updated_at":"2026-03-05T23:14:08.109Z","avatar_url":"https://github.com/yahoo.png","language":"Go","funding_links":[],"categories":["Operators vs Controllers"],"sub_categories":["Admission"],"readme":"# k8s-namespace-guard\n\nk8s-namespace-guard provides an admission control policy that safeguards against accidental deletion of cluster namespaces.\n\n## Implementation\n\nThis is implemented as an [External Admission Webhook](https://kubernetes.io/docs/admin/extensible-admission-controllers/#external-admission-webhooks) with the k8s-namespace-guard service running as a deployment on each cluster.  \n\nThe webhook is configured to send admission review requests for *DELETE* operations on `namespace` resources to the k8s-namespace-guard service. \nThe k8s-namespace-guard service listens on an HTTPS port and, on receiving such a request, lists the workload resources defined under that namespace.\nThe DELETE operation is allowed to proceed only when the namespace does NOT contain such workload resources.\n\nThe following resources are currently checked for existence:\n- pods\n- services\n- replicasets\n- deployments\n- statefulsets\n- daemonsets\n- ingresses\n- horizontalpodautoscalers\n\nThe k8s-namespace-guard policy requires that the resources listed above be deleted from the namespace before the namespace itself can be removed.
\n\n## Basic Dev Setup\n\n1. Clone the repository to a local directory.\n2. Build the binary:\n    - macOS: `go build -i -o k8s-namespace-guard`\n    - RHEL: `env GOOS=linux GOARCH=amd64 go build -i -o k8s-namespace-guard`\n3. Run the binary: `./k8s-namespace-guard`.\n4. Follow the standard Go code format: `gofmt -w *.go`\n\n## Command Line Args\n\n```\nUSAGE:\n  --admitAll     bool    True to admit all namespace deletions without validation. (default false)\n  --certFile     string  The cert file for the https server. (default \"/var/lib/kubernetes/kubernetes.pem\")\n  --clientAuth   bool    True to verify client cert/auth during TLS handshake. (default false)\n  --clientCAFile string  The cluster root CA that signs the apiserver cert (default \"/var/run/secrets/kubernetes.io/serviceaccount/ca.crt\")\n  --keyFile      string  The key file for the https server. (default \"/var/lib/kubernetes/kubernetes-key.pem\")\n  --logFile      string  Log file name and full path. (default \"/var/log/nslifecycle.log\")\n  --logLevel     string  The log level. (default \"info\")\n  --port         string  Server port. (default \"443\")\n```\n\nCopyright 2017 Yahoo Holdings Inc. Licensed under the terms of the 3-Clause BSD License.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyahoo%2Fk8s-namespace-guard","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fyahoo%2Fk8s-namespace-guard","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyahoo%2Fk8s-namespace-guard/lists"}