Scenario
Two teams share a cluster and require strict isolation with specific exceptions for inter-team communication.
Task
Configure network isolation and resource constraints for both teams:
- Create default deny NetworkPolicies for both namespaces (deny all ingress and egress traffic)
- Create a NetworkPolicy allowing team-a pods to access team-b pods labeled app=api on port 8080 only
- Create LimitRanges in both namespaces to enforce maximum resource limits per container
Requirements
| Property | Value |
| --- | --- |
| Namespace 1 | team-a |
| Namespace 2 | team-b |
| Allowed communication | team-a → team-b pods with label app=api on port 8080 only |
| Default traffic | Deny all other cross-namespace traffic |
| Max CPU per container | 1 |
| Max Memory per container | 512Mi |
Note: Test pods are already deployed - client in team-a, and api + web in team-b.
Step 1: Create default deny NetworkPolicy for team-a
cat > /home/interview/team-a-deny-all.yaml <<'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: team-a
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
EOF
kubectl apply -f /home/interview/team-a-deny-all.yaml
Denies all ingress and egress traffic by default in team-a. The empty podSelector: {} selects every pod in the namespace, and listing both Ingress and Egress under policyTypes with no rules is what makes the policy a deny-all; a policy that listed only Ingress would leave egress unrestricted. The API server accepts NetworkPolicy objects on any cluster, but they are enforced only by a CNI plugin that implements the API (Calico, Cilium and similar); with a plugin that does not, the policy exists but filters nothing.
Step 2: Create default deny NetworkPolicy for team-b
cat > /home/interview/team-b-deny-all.yaml <<'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: team-b
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
EOF
kubectl apply -f /home/interview/team-b-deny-all.yaml
Denies all ingress and egress traffic in team-b by default. This also covers traffic between team-b's own pods, so web can no longer reach api unless a further policy allows it.
Step 3: Allow ingress to team-b api pods from team-a
cat > /home/interview/allow-team-a-to-api.yaml <<'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-team-a-to-api
  namespace: team-b
spec:
  podSelector:
    matchLabels:
      app: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: team-a
    ports:
    - protocol: TCP
      port: 8080
EOF
kubectl apply -f /home/interview/allow-team-a-to-api.yaml
Allows ingress to pods labeled app=api in team-b only from the team-a namespace, and only on TCP port 8080. The namespaceSelector matches the source namespace by its kubernetes.io/metadata.name label, which the API server sets on every namespace automatically (GA since Kubernetes 1.22), so no manual labelling is required. Because the from entry carries only a namespaceSelector, any pod in team-a qualifies as a source; the web pod in team-b is still covered only by the default-deny and remains blocked.
Step 4: Allow egress from team-a to team-b api pods
cat > /home/interview/allow-egress-to-api.yaml <<'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-to-api
  namespace: team-a
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: team-b
      podSelector:
        matchLabels:
          app: api
    ports:
    - protocol: TCP
      port: 8080
EOF
kubectl apply -f /home/interview/allow-egress-to-api.yaml
Allows all pods in team-a to send traffic to app=api pods in team-b on TCP port 8080. namespaceSelector and podSelector sit in the same to entry, so they are ANDed (namespace team-b and label app=api); written as two separate list entries they would be ORed and the rule would open egress to every pod in team-b. Both policies are needed because the default-deny in team-a isolates the client for egress and the default-deny in team-b isolates api for ingress: the connection is permitted only when both sides open it. Return packets of an allowed connection are permitted implicitly, so no reverse rule is required. Note that this egress policy does not open DNS (port 53 to kube-dns in kube-system), so the client must address the api pod by IP, or a DNS egress rule must be added before service names resolve.
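The way the four policies combine (isolation per direction, AND within one from/to entry, OR across entries and policies, both sides of a connection having to agree) is easy to get wrong, so here is an added Python model of the evaluation a conforming CNI performs. It is not code from the task write-up or from any Kubernetes component: the four manifests are transcribed as dicts, and the three pre-deployed test pods are constructed, with their labels app=client, app=api and app=web assumed since the task does not state them.

```python
"""Model of how a conforming CNI evaluates the four NetworkPolicies above.

Added example, not code from the original task write-up; it needs no cluster.
The manifests from Steps 1-4 are transcribed as dicts. The three pre-deployed
test pods are constructed here: the task names them but not their labels, so
app=client / app=api / app=web are assumptions. Only matchLabels,
namespaceSelector, podSelector and TCP ports are modelled (no ipBlock).
"""
from collections import namedtuple

Pod = namedtuple("Pod", "name namespace labels")
PODS = {p.name: p for p in (Pod("client", "team-a", {"app": "client"}),   # constructed
                            Pod("api", "team-b", {"app": "api"}),
                            Pod("web", "team-b", {"app": "web"}))}
# Set automatically by the API server on every namespace (GA since v1.22).
NAMESPACE_LABELS = {ns: {"kubernetes.io/metadata.name": ns} for ns in ("team-a", "team-b")}
TCP_8080 = [{"protocol": "TCP", "port": 8080}]
POLICIES = [
    # Steps 1-2: select every pod, both directions, no rules => deny everything
    {"namespace": "team-a", "podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
    {"namespace": "team-b", "podSelector": {}, "policyTypes": ["Ingress", "Egress"]},
    # Step 3: ingress to app=api in team-b from any team-a pod on TCP/8080
    {"namespace": "team-b", "podSelector": {"app": "api"}, "policyTypes": ["Ingress"],
     "ingress": [{"from": [{"namespaceSelector": NAMESPACE_LABELS["team-a"]}],
                  "ports": TCP_8080}]},
    # Step 4: egress from every team-a pod to (team-b AND app=api) on TCP/8080
    {"namespace": "team-a", "podSelector": {}, "policyTypes": ["Egress"],
     "egress": [{"to": [{"namespaceSelector": NAMESPACE_LABELS["team-b"],
                         "podSelector": {"app": "api"}}], "ports": TCP_8080}]},
]

def selects(match_labels, labels):
    """matchLabels: every listed key/value must be present; {} matches everything."""
    return all(labels.get(k) == v for k, v in match_labels.items())

def peer_matches(peer, pod, policy_ns):
    """One from/to element. Selectors in the SAME element are ANDed; a bare
    podSelector is scoped to the policy's own namespace."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False                       # ipBlock-only element: not modelled
    if ns_sel is None:
        ns_ok = pod.namespace == policy_ns
    else:
        ns_ok = selects(ns_sel, NAMESPACE_LABELS[pod.namespace])
    return ns_ok and (pod_sel is None or selects(pod_sel, pod.labels))

def port_matches(ports, protocol, port):
    if not ports:                          # no ports listed => every port
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") == port for p in ports)

def direction_allowed(pod, peer, direction, port, policies=POLICIES, protocol="TCP"):
    """Ingress: pod is the destination and peer the source; Egress: the reverse."""
    selecting = [p for p in policies
                 if p["namespace"] == pod.namespace and selects(p["podSelector"], pod.labels)]
    if not any(direction in p["policyTypes"] for p in selecting):
        return True                        # not isolated in this direction
    rules_key, peers_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    for pol in selecting:
        if direction not in pol["policyTypes"]:
            continue
        for rule in pol.get(rules_key, []):        # no rules => nothing allowed
            peers = rule.get(peers_key, [])
            peer_ok = not peers or any(peer_matches(pe, peer, pol["namespace"]) for pe in peers)
            if peer_ok and port_matches(rule.get("ports", []), protocol, port):
                return True                # rules across policies are ORed
    return False

def connection_allowed(src, dst, port, policies=POLICIES):
    """Source egress AND destination ingress must both permit it; the reply
    direction of an allowed connection needs no rule of its own."""
    return (direction_allowed(src, dst, "Egress", port, policies)
            and direction_allowed(dst, src, "Ingress", port, policies))

def matrix(policies=POLICIES):
    cases = [("client", "api", 8080), ("client", "api", 9090), ("client", "web", 8080),
             ("web", "api", 8080), ("api", "client", 8080)]
    return {f"{s}->{d}:{p}": connection_allowed(PODS[s], PODS[d], p, policies)
            for s, d, p in cases}

def split_peer_egress_to_web():
    """Pitfall: the two selectors written as separate list elements are ORed, so
    team-a's own egress rule would then let client reach web in team-b."""
    bad = dict(POLICIES[3])
    bad["egress"] = [{"to": [{"namespaceSelector": NAMESPACE_LABELS["team-b"]},
                             {"podSelector": {"app": "api"}}], "ports": TCP_8080}]
    return direction_allowed(PODS["client"], PODS["web"], "Egress", 8080, POLICIES[:3] + [bad])
```

Running matrix() gives ALLOW only for client->api:8080; client->api:9090, client->web:8080, web->api:8080 and api->client:8080 are all DENY. split_peer_egress_to_web() returns True, showing that the split-selector variant would rely solely on team-b's default-deny to keep client away from web.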
Step 5: Create LimitRange for team-a
cat > /home/interview/team-a-limits.yaml <<'EOF'
apiVersion: v1
kind: LimitRange
metadata:
  name: pod-limits
  namespace: team-a
spec:
  limits:
  - type: Container
    max:
      cpu: "1"
      memory: 512Mi
    default:
      cpu: "1"
      memory: 512Mi
    defaultRequest:
      cpu: 100m
      memory: 128Mi
EOF
kubectl apply -f /home/interview/team-a-limits.yaml
Caps each container at 1 CPU and 512Mi of memory. default fills in limits for containers that declare none and defaultRequest fills in requests for containers that declare none; a container that declares limits but no requests has its requests set equal to its limits before the LimitRange is consulted. LimitRange is enforced by the LimitRanger admission plugin when a pod is created: a container whose limit exceeds max is rejected (for example "maximum cpu usage per Container is 1, but limit is 2"), while pods that already exist, such as the pre-deployed test pods, are left untouched. It constrains individual containers only; an aggregate cap for the namespace would need a ResourceQuota.
Step 6: Create LimitRange for team-b
cat > /home/interview/team-b-limits.yaml <<'EOF'
apiVersion: v1
kind: LimitRange
metadata:
  name: pod-limits
  namespace: team-b
spec:
  limits:
  - type: Container
    max:
      cpu: "1"
      memory: 512Mi
    default:
      cpu: "1"
      memory: 512Mi
    defaultRequest:
      cpu: "100m"
      memory: 128Mi
EOF
kubectl apply -f /home/interview/team-b-limits.yaml
Enforces the same resource limits in team-b namespace.
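To make the defaulting and rejection behaviour of Steps 5 and 6 concrete, here is an added Python model of what the LimitRanger admission plugin does to each container of a newly created pod. It is not code from the task write-up or from Kubernetes: the spec.limits entry is transcribed as a dict, the container specs are constructed, and only the rejection text for the max check mirrors the API server's wording; the request-above-limit message is this example's own.

```python
"""What the LimitRanger admission plugin does with the LimitRange above.

Added example, not code from the original task write-up; it needs no cluster.
spec.limits[0] from Steps 5 and 6 is transcribed as a dict and constructed
container specs go through the sequence the API server applies to a NEW pod
(already-running pods are never revisited):
  1. API defaulting: limits given without requests => requests copied from limits
  2. LimitRange 'default' fills missing limits, 'defaultRequest' missing requests
  3. Validation: each request <= its limit, each limit <= max
Quantity parsing covers the suffixes used in these manifests.
"""

LIMIT_RANGE = {  # spec.limits[0] of team-a-limits.yaml / team-b-limits.yaml
    "type": "Container",
    "max": {"cpu": "1", "memory": "512Mi"},
    "default": {"cpu": "1", "memory": "512Mi"},
    "defaultRequest": {"cpu": "100m", "memory": "128Mi"},
}

_SUFFIXES = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3,
             "k": 1000, "M": 1000 ** 2, "G": 1000 ** 3, "m": 1e-3}

def parse_quantity(q):
    """Quantity string -> float (cores or bytes): '100m' -> 0.1, '512Mi' -> 536870912."""
    q = str(q)
    for suffix in sorted(_SUFFIXES, key=len, reverse=True):   # try 'Mi' before 'M'
        if q.endswith(suffix):
            return float(q[:-len(suffix)]) * _SUFFIXES[suffix]
    return float(q)

class Rejected(Exception):
    """Stands in for the API server's 403 Forbidden admission error."""

def admit_container(name, resources, limit_range=LIMIT_RANGE):
    """Return the container's resources after defaulting, or raise Rejected."""
    requests = dict(resources.get("requests", {}))
    limits = dict(resources.get("limits", {}))
    for res, val in limits.items():                               # 1. API defaulting
        requests.setdefault(res, val)
    for res, val in limit_range.get("default", {}).items():       # 2. LimitRange defaults
        limits.setdefault(res, val)
    for res, val in limit_range.get("defaultRequest", {}).items():
        requests.setdefault(res, val)
    for res, val in requests.items():                             # 3a. request <= limit
        if res in limits and parse_quantity(val) > parse_quantity(limits[res]):
            raise Rejected(f"{name}: {res} request {val} exceeds limit {limits[res]}")
    for res, cap in limit_range.get("max", {}).items():           # 3b. limit <= max
        if res in limits and parse_quantity(limits[res]) > parse_quantity(cap):
            raise Rejected(f"{name}: maximum {res} usage per Container is {cap}, "
                           f"but limit is {limits[res]}")
    return {"requests": requests, "limits": limits}

# Constructed container specs a team might submit once the LimitRange exists.
SAMPLE_CONTAINERS = {
    "no-resources": {},
    "limits-only": {"limits": {"cpu": "500m", "memory": "256Mi"}},
    "request-only": {"requests": {"cpu": "200m"}},
    "too-much-cpu": {"limits": {"cpu": "2", "memory": "256Mi"}},
    "request-above-default": {"requests": {"cpu": "1500m"}},
}

def admit_all(containers=SAMPLE_CONTAINERS):
    """Map each container name to its defaulted resources or the rejection text."""
    out = {}
    for name, res in containers.items():
        try:
            out[name] = admit_container(name, res)
        except Rejected as e:
            out[name] = f"rejected: {e}"
    return out
```

admit_all() shows the three outcomes a practitioner meets in practice: a container with no resources block comes out with limits cpu 1 / memory 512Mi and requests 100m / 128Mi; a container with only limits gets matching requests; a container asking for 2 CPU is rejected by max; and a request of 1500m with no limit is rejected too, because the defaulted limit of 1 ends up below the request.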
Step 7: Verify the configuration
# Check NetworkPolicies
kubectl get networkpolicies -n team-a
kubectl get networkpolicies -n team-b
# Check LimitRanges
kubectl get limitranges -n team-a
kubectl get limitranges -n team-b
All policies and limits should be listed in their respective namespaces. Listing the objects only proves they exist; confirm the behaviour end to end as well. From the client pod in team-a, a request to the api pod's IP on port 8080 should succeed, while requests to the web pod, or to api on any other port, should time out, and web in team-b should no longer reach api. For the LimitRange, creating a pod in either namespace whose container declares a CPU limit above 1 should be rejected at admission, and describing the LimitRange should show the max, default and defaultRequest values applied above.