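---
# Namespace Isolation Configuration
# Network Policies and RBAC for shared clusters
#
# Documents in this file:
#   1. Namespace      shared-services
#   2. NetworkPolicy  default/allow-from-shared-services
#   3. ServiceAccount shared-services/shared-services-sa
#   4. Role           shared-services/shared-services-role
#   5. RoleBinding    shared-services/shared-services-binding
apiVersion: v1
kind: Namespace
metadata:
  name: shared-services
  labels:
    # User-managed labels. The NetworkPolicy below selects on `name`, so
    # treat permission to create or relabel namespaces as security-relevant.
    name: shared-services
    type: shared
---
# Network Policy: Allow ingress from shared-services namespace
#
# The empty podSelector applies this policy to every pod in `default`.
# Because Ingress is listed in policyTypes and this is the only rule, those
# pods accept ingress solely from the namespace matched below; traffic from
# other namespaces, and from other pods inside `default`, is dropped unless
# another NetworkPolicy allows it. Egress is not restricted by this policy.
# NetworkPolicy only takes effect when the cluster's network plugin
# enforces it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-shared-services
  namespace: default
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            # Both labels must match (matchLabels entries are ANDed).
            # `name` alone is ordinary metadata that any principal allowed
            # to label a namespace could copy onto another namespace.
            # `kubernetes.io/metadata.name` is set by the API server to the
            # namespace's real name (Kubernetes 1.21 and later) and cannot
            # be pointed at a different namespace, so the pair never admits
            # a namespace that the `name` label alone would not have.
            matchLabels:
              name: shared-services
              kubernetes.io/metadata.name: shared-services
---
# RBAC: Service Account for shared services
# Identity that workloads in shared-services run as; its permissions come
# only from the Role and RoleBinding below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: shared-services-sa
  namespace: shared-services
---
# Role: Limited permissions for shared services
# Read-only (get/list/watch) access to pods, services and deployments.
# A Role is namespaced, so these rules apply inside shared-services only
# and grant nothing in other namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: shared-services-role
  namespace: shared-services
rules:
  # Core API group ("") resources.
  - apiGroups:
      - ""
    resources:
      - pods
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - get
      - list
      - watch
---
# RoleBinding: Bind role to service account
# Grants shared-services-role to shared-services-sa within shared-services.
# roleRef cannot be edited after creation; changing it means deleting and
# recreating the binding.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: shared-services-binding
  namespace: shared-services
subjects:
  - kind: ServiceAccount
    name: shared-services-sa
    namespace: shared-services
roleRef:
  kind: Role
  name: shared-services-role
  apiGroup: rbac.authorization.k8s.io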