Each FKS namespace is backed by its own Fly App. By default, such apps are created in an organization’s default private network (6PN) and can reach all other apps within this network.
If you are running untrusted workloads in your FKS cluster or simply want to isolate one workload from another in a multi-tenant cluster, you can now create namespaces backed by a Fly App in a custom private network.
To create a namespace like this, submit a `Namespace` object with the `fly.io/isolated-namespace: "true"` annotation to FKS:
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: isolated
  annotations:
    "fly.io/isolated-namespace": "true"
```
For now, pods running in network-isolated namespaces don’t have access to the Kubernetes API.
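In a multi-tenant cluster it helps to confirm which namespaces are still on the shared default network. The following added example (not Fly.io's code) lists every namespace in `kubectl get namespaces -o json` output that lacks the annotation shown above. It assumes only the exact string `"true"` marks a namespace as isolated, since the page shows no other value, and the sample data is constructed.

```python
import json
import sys

# Annotation key taken from the manifest on this page.
ISOLATION_ANNOTATION = "fly.io/isolated-namespace"

# Constructed sample in the shape of `kubectl get namespaces -o json` output.
SAMPLE_NAMESPACE_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"kind": "Namespace", "metadata": {
            "name": "isolated",
            "annotations": {ISOLATION_ANNOTATION: "true"}}},
        {"kind": "Namespace", "metadata": {"name": "default"}},
        {"kind": "Namespace", "metadata": {
            "name": "tenant-a",
            "annotations": {ISOLATION_ANNOTATION: "false"}}},
        {"kind": "Namespace", "metadata": {
            "name": "tenant-b",
            "annotations": {"owner": "team-b"}}},
    ],
})


def shared_network_namespaces(namespace_json):
    """Return sorted names of namespaces not annotated as isolated.

    Assumption: only the exact string "true" counts as isolated.
    Accepts either a list document or a single Namespace object.
    """
    doc = json.loads(namespace_json)
    items = doc["items"] if "items" in doc else [doc]
    flagged = []
    for item in items:
        meta = item.get("metadata") or {}
        annotations = meta.get("annotations") or {}
        if annotations.get(ISOLATION_ANNOTATION) != "true":
            flagged.append(meta.get("name", "<unnamed>"))
    return sorted(flagged)


if __name__ == "__main__":
    # Pass "-" to read real kubectl output from stdin; otherwise use the sample.
    data = sys.stdin.read() if "-" in sys.argv[1:] else SAMPLE_NAMESPACE_LIST
    for name in shared_network_namespaces(data):
        print(name)
```

To check a live cluster, pipe `kubectl get namespaces -o json` into the script with `-` as its argument.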