HNC has been archived
#SRGThe Service Reliability Group mainly provides cross-sectional support for the infrastructure of our media services, and is responsible for improving existing services, launching new ones, and contributing to OSS.
Hierarchical Namespaces Controller(HNC)IntroductionWhat is HNC?History of the archiveTechnical impactAlternatives and future responsesShort-term solution: Transition to ECRMid- to long-term measures: Consider transitioning to alternative technologiesConclusion
Introduction
Hierarchical Namespaces Controller(以下、HNC)
HNC is a convenient controller that enables hierarchical management of Namespaces, and we have used it at our company for tenant isolation, etc. It was a very useful tool in the context of platform engineering, so many people will be surprised.
gcr.ioWhat is HNC?
HNC is a tool for hierarchically managing Namespaces within a Kubernetes cluster. It allows various policies, such as RBAC and NetworkPolicy, to be propagated from parent to child between Namespaces, and is widely used for efficiently managing large-scale multi-tenant environments and complex microservice configurations.
for example:
team-a-stg
- RBAC and NetworkPolicy configured in the parent namespace can be automatically applied to child namespaces.
It can be used like this.
At our company
- Manages common components for ArgoCD and cert-manager
- Create and separate namespaces for each product
- Delegating Namespace Administration to Developers
It was a convenient system that allowed us to easily and safely manage multi-tenant configurations.
Our use cases
History of the archive
Further discussion on the HNC archive took place in the following GitHub issue:
Here we will introduce the main points of the content.
- At the SIG Auth meeting held on February 26, 2025, it was officially decided to archive the HNC project.
- The main reasons are a lack of maintainers and a lack of adoption.
- SIG Auth Meeting Note:
Conclusion: Archive HNC and start a new project
Reason: It seems impractical to revive the existing HNC project and hand it over to a new maintainer.
- Q&A
- Will HNC be integrated into Kubernetes core?
- There are no such plans
- Why didn't you join the core?
- To be included in the core, it had to be orders of magnitude more widespread than it is now.
- alternative plan
- Kubernetes multitenancy functionality varies by vendor
- Kubernetes core prioritizes providing extension points over contentious features like multitenancy
To date, no official forks have been confirmed.
However, there is a possibility that it may be restarted as an unofficial fork or a separate project by volunteers, so please continue to keep an eye on it.
Technical impact
As is the case with many OSS projects, archived does not mean that it will no longer be usable.
However, there is another issue with HNC this time.
Google Container RegistryGoogle Container Registry- March 18, 2025: New image writing will cease
- April 22, 2025: Stop reading existing images← This is important!
Artifact Registry
hnc-managerAlternatives and future responses
Short-term solution: Transition to ECR
hnc-managerMid- to long-term measures: Consider transitioning to alternative technologies
AccurateCapsuleThere are also options such as creating in-house tools or using original scripts, but the balance with maintenance costs needs to be considered.
Conclusion
In this article, we covered the following points:
- HNC will be officially archived on April 17, 2025
- The latest version of HNC depends on GCR, but GCR itself will become unreadable from next Tuesday (April 22, 2025).
- As a short-term measure, we recommend immediate migration to separate registries such as ECR.
- As a mid- to long-term measure, we recommend adopting alternative technologies such as Accurate or considering a unique operating method.
We ask that those who use HNC take action and share information.
SRG is looking for people to work with us.
If you're interested, please contact us here.