Create namespaces

About creating Microsegmentation namespaces

Before proceeding, we recommend reviewing basic Microsegmentation namespace concepts.
You have one parent namespace, represented by the name of your organization. For example: /acme. You need to create children namespaces according to your desired namespace scheme. We recommend creating children namespaces to represent cloud accounts, bare metal infrastructure, projects, teams, or security zones.
To create children namespaces, you must have namespace editor privileges in the parent namespace. Once you have your children namespaces created, you must create grandchildren namespaces before deploying your enforcers. After an enforcer has registered in a namespace, you can’t move it to another namespace. You have to uninstall and reinstall the enforcer to switch namespaces.
Create one grandchild namespace for each Kubernetes/OpenShift cluster. You should not have multiple Kubernetes/OpenShift clusters in a single Microsegmentation namespace. For the virtual machines, you can create one namespace per host, or group them together as desired.
You can use the Microsegmentation Console web interface to create your namespaces. Alternatively, you can use apoctl to create them, as described below.

Set environment variables

Copy your parent namespace from the web interface.
Set a PARENT environment variable and paste in the value you copied.
export PARENT=/acme
If you have children namespaces that already exist, create CHILD environment variables containing their names. In the example below, we use aws-dev and aws-prod.
export CHILD1=aws-dev
export CHILD2=aws-prod

Create child namespaces

Set CHILD environment variables containing the desired names for the children namespaces.
export CHILD3=my-private-cloud
export CHILD4=bare-metal-infra
Use the following command to create the first child namespace.
cat <<EOF | apoctl api create namespace -n $PARENT -f -
name: $CHILD3
type: CloudAccount
defaultPUIncomingTrafficAction: Allow
defaultPUOutgoingTrafficAction: Allow
EOF
Next, create the second child namespace.
cat <<EOF | apoctl api create namespace -n $PARENT -f -
name: $CHILD4
type: CloudAccount
defaultPUIncomingTrafficAction: Allow
defaultPUOutgoingTrafficAction: Allow
EOF
Confirm the creation.
apoctl api list namespace -n $PARENT --output yaml
Repeat these steps to add other children as needed.

Create grandchild namespaces

Create environment variables containing the desired names for your grandchild namespaces. An example follows.
export GRANDCHILD1=k8s
export GRANDCHILD2=vm
Use the following command to create the first grandchild namespace under aws-dev.
cat <<EOF | apoctl api create namespace -n $PARENT/$CHILD1 -f -
name: $GRANDCHILD1
type: Group
defaultPUIncomingTrafficAction: Allow
defaultPUOutgoingTrafficAction: Allow
EOF
Next, create the second grandchild namespace under aws-dev.
cat <<EOF | apoctl api create namespace -n $PARENT/$CHILD1 -f -
name: $GRANDCHILD2
type: Group
defaultPUIncomingTrafficAction: Allow
defaultPUOutgoingTrafficAction: Allow
EOF
Confirm the creation.
apoctl api list namespace -n $PARENT/$CHILD1 --output yaml
Now create the first grandchild namespace under aws-prod.
cat <<EOF | apoctl api create namespace -n $PARENT/$CHILD2 -f -
name: $GRANDCHILD1
type: Group
defaultPUIncomingTrafficAction: Allow
defaultPUOutgoingTrafficAction: Allow
EOF
Create the second grandchild namespace under aws-prod.
cat <<EOF | apoctl api create namespace -n $PARENT/$CHILD2 -f -
name: $GRANDCHILD2
type: Group
defaultPUIncomingTrafficAction: Allow
defaultPUOutgoingTrafficAction: Allow
EOF
Confirm the creation.
apoctl api list namespace -n $PARENT/$CHILD2 --output yaml
Repeat these steps to add other grandchildren, as desired. You should now have a basic namespace structure and can proceed to deploy enforcers.
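
The grandchild steps above can be written as one loop. The following is an added example, not part of the original documentation. It refuses an empty or malformed path before anything is created, since an unset CHILD variable would turn $PARENT/$CHILD1 into /acme/ instead of /acme/aws-dev, and an enforcer registered in the wrong namespace cannot be moved. The DRY_RUN switch, the function names, and the allowed-character check are assumptions of this example, not apoctl features.

```shell
#!/bin/sh
set -u  # an unset variable aborts instead of expanding to an empty path segment

DRY_RUN="${DRY_RUN:-1}"  # hypothetical switch: 1 prints the plan, 0 calls apoctl

# Assumption: a conservative character set for a single namespace name.
valid_segment() {
  case "$1" in
    ""|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
}

# A parent path must be absolute, with no empty segment (// or trailing /).
valid_path() {
  case "$1" in /*) ;; *) return 1 ;; esac
  case "$1" in
    */|*//*|*[!A-Za-z0-9._/-]*) return 1 ;;
  esac
}

# Emit the same four-field manifest the page pipes into apoctl.
ns_manifest() {  # ns_manifest NAME TYPE
  printf 'name: %s\ntype: %s\n' "$1" "$2"
  printf 'defaultPUIncomingTrafficAction: Allow\n'
  printf 'defaultPUOutgoingTrafficAction: Allow\n'
}

create_ns() {  # create_ns PARENT_PATH NAME TYPE
  valid_path "$1" || { echo "refusing parent path '$1'" >&2; return 1; }
  valid_segment "$2" || { echo "refusing namespace name '$2'" >&2; return 1; }
  if [ "$DRY_RUN" = 1 ]; then
    echo "apoctl api create namespace -n $1 -f -"
    ns_manifest "$2" "$3"
  else
    ns_manifest "$2" "$3" | apoctl api create namespace -n "$1" -f -
  fi
}

# Create each grandchild under each existing child; stop at the first failure.
create_grandchildren() {  # create_grandchildren PARENT "CHILD ..." "GRANDCHILD ..."
  for child in $2; do
    for gc in $3; do
      create_ns "$1/$child" "$gc" Group || return 1
    done
  done
}

# Constructed sample input: the names used in the page's example.
create_grandchildren /acme "aws-dev aws-prod" "k8s vm"
```

Run it as is to review the planned commands and manifests, then set DRY_RUN=0 to send them to apoctl.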
