# Chapter 24: Kubernetes Namespaces - Logical Isolation

## Table of Contents

- Introduction to Namespaces
- Why Use Namespaces?
- Working with Namespaces
- Resource Quotas
- LimitRanges
- Namespace Isolation
- Best Practices
- Hands-on Lab
- Summary
## Introduction to Namespaces

### What is a Namespace?

Namespaces provide a mechanism for isolating groups of resources within a single cluster. They provide a way to divide cluster resources between multiple users or teams.
```text
┌─────────────────────────────────────────────────────────────────┐
│                       KUBERNETES CLUSTER                        │
│                                                                 │
│  ┌───────────────┐   ┌───────────────┐   ┌───────────────┐      │
│  │  development  │   │    staging    │   │  production   │      │
│  │               │   │               │   │               │      │
│  │  Deployment   │   │  Deployment   │   │  Deployment   │      │
│  │  myapp        │   │  myapp        │   │  myapp        │      │
│  │  Service      │   │  Service      │   │  Service      │      │
│  │  ConfigMap    │   │  ConfigMap    │   │  ConfigMap    │      │
│  └───────────────┘   └───────────────┘   └───────────────┘      │
└─────────────────────────────────────────────────────────────────┘
```

Each namespace is logically isolated with its own:

- Resources (Pods, Services, Deployments, etc.)
- Policies (RBAC, Network Policies)
- Quotas and Limits

### Default Namespaces
```bash
# List namespaces
kubectl get ns

# Output:
# NAME              STATUS   AGE
# default           Active   24d
# kube-node-lease   Active   24d
# kube-public       Active   24d
# kube-system       Active   24d
```

- default - Default namespace for user resources
- kube-system - System-created resources
- kube-public - Publicly readable resources
- kube-node-lease - Node heartbeat/lease objects
## Why Use Namespaces?

### Use Cases

1. Multi-tenant isolation
   - Separate environments (dev, staging, prod)
   - Different teams or projects
   - Customer isolation
2. Resource management
   - Apply quotas per namespace
   - Limit resources per team
   - Cost allocation
3. Access control
   - Role-based access per namespace
   - Team-specific permissions
   - Security boundaries
4. Organization
   - Logical grouping of resources
   - Easy resource management
   - Clear separation of concerns
5. Environment isolation
   - Different configs per environment
   - Separate database instances
   - Independent deployments

## Working with Namespaces
### Creating Namespaces

```bash
# Create namespace
kubectl create namespace development

# Or using YAML
kubectl apply -f - <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: development
EOF
```

### Switching Namespaces
```bash
# View current namespace (--minify restricts the output to the current context)
kubectl config view --minify | grep namespace

# Switch namespace
kubectl config set-context --current --namespace=development

# Or use kubens (if installed)
kubens development

# Get resources in a specific namespace
kubectl get pods -n development

# Get resources in all namespaces
kubectl get pods --all-namespaces
kubectl get pods -A
```

### Deleting Namespaces
```bash
# Delete namespace (deletes all resources in the namespace)
kubectl delete namespace development

# Delete all resources in a namespace but keep the namespace
# (note: "all" covers workload objects such as pods, deployments and services,
# not ConfigMaps, Secrets or PersistentVolumeClaims)
kubectl delete all --all -n development
```

## Resource Quotas
### What is a ResourceQuota?

A ResourceQuota object provides constraints that limit aggregate resource consumption per namespace.

```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: development-quota
spec:
  hard:
    requests.cpu: "10"
    requests.memory: 20Gi
    limits.cpu: "20"
    limits.memory: 40Gi
    pods: "50"
    services: "10"
    secrets: "20"
    configmaps: "30"
    persistentvolumeclaims: "20"
```

### Quota Enforcement
```text
ResourceQuota "team-quota"
  hard:
    pods: "20"
    services: "10"
    secrets: "30"
    requests.cpu: "10"
    requests.memory: 20Gi
          │
          ▼
Enforcement: a user tries to create the 21st pod
  Error: pods "exceeds quota"
  Request rejected!
```

### View Quota Usage
```bash
# Get quota
kubectl get resourcequota -n development

# Describe quota (shows usage)
kubectl describe resourcequota -n development
```

## LimitRanges
### What is a LimitRange?

A LimitRange provides constraints that can limit the resource consumption for individual Pods or Containers in a namespace.
```yaml
apiVersion: v1
kind: LimitRange
metadata:
  name: development-limits
spec:
  limits:
    # Default limits for containers
    - max:
        cpu: "2"
        memory: 1Gi
      min:
        cpu: 100m
        memory: 128Mi
      default:
        cpu: 500m
        memory: 512Mi
      defaultRequest:
        cpu: 200m
        memory: 256Mi
      type: Container
    # Default limits for pods
    - max:
        cpu: "4"
        memory: 2Gi
      min:
        cpu: 100m
        memory: 128Mi
      type: Pod
```

### How LimitRanges Work
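The two enforcement paths this chapter describes, a LimitRange filling in missing requests/limits and rejecting a limit above its max, and a ResourceQuota rejecting the pod that would push a hard counter over its value, modelled as an added Python example. It is not the chapter's or Kubernetes' own code: LIMIT_RANGE is constructed from development-limits above, QUOTA_HARD from the lab's dev-quota, and the "a request defaults to its limit" rule is Kubernetes' documented behaviour.

```python
# Added example (not kube-apiserver code): a simplified model of what LimitRange
# and ResourceQuota admission do to a single container before a Pod is accepted.
# LIMIT_RANGE mirrors development-limits, QUOTA_HARD mirrors the lab's dev-quota.

_SUFFIXES = (("Gi", 1024 ** 3), ("Mi", 1024 ** 2), ("Ki", 1024), ("m", 0.001), ("", 1))

def qty(value) -> float:
    """Parse a Kubernetes quantity ('500m', '2', '512Mi', '4Gi') into a plain number."""
    text = str(value)
    for suffix, mult in _SUFFIXES:
        if text.endswith(suffix):
            return float(text[: len(text) - len(suffix)]) * mult
    raise ValueError(f"unrecognised quantity: {text}")

LIMIT_RANGE = {"max": {"cpu": "2", "memory": "1Gi"}, "min": {"cpu": "100m", "memory": "128Mi"},
               "default": {"cpu": "500m", "memory": "512Mi"},
               "defaultRequest": {"cpu": "200m", "memory": "256Mi"}}
QUOTA_HARD = {"pods": "10", "requests.cpu": "2", "requests.memory": "4Gi"}

def apply_limit_range(resources: dict, lr: dict = LIMIT_RANGE) -> dict:
    """Fill in defaults the way a Container-type LimitRange does, then enforce min/max.
    Raises ValueError when the container would be rejected."""
    limits = dict(resources.get("limits", {}))
    requests = dict(resources.get("requests", {}))
    for r in ("cpu", "memory"):
        if r in limits and r not in requests:
            requests[r] = limits[r]                      # Kubernetes: a request defaults to its limit
        limits.setdefault(r, lr["default"][r])           # 'default' fills missing limits
        requests.setdefault(r, lr["defaultRequest"][r])  # 'defaultRequest' fills missing requests
        if qty(limits[r]) > qty(lr["max"][r]):
            raise ValueError(f"Container exceeded maximum {r} limit of {lr['max'][r]}")
        if qty(requests[r]) < qty(lr["min"][r]):
            raise ValueError(f"Container is below minimum {r} request of {lr['min'][r]}")
    return {"requests": requests, "limits": limits}

def charge_quota(resolved: dict, used: dict, hard: dict = QUOTA_HARD) -> dict:
    """Add one pod with the resolved requests to the namespace's usage (plain numbers,
    as the quota controller keeps them); reject if any hard counter would be exceeded."""
    delta = {"pods": 1, "requests.cpu": qty(resolved["requests"]["cpu"]),
             "requests.memory": qty(resolved["requests"]["memory"])}
    new_used = {k: used.get(k, 0) + v for k, v in delta.items() if k in hard}
    over = [k for k, v in new_used.items() if v > qty(hard[k])]
    if over:
        raise ValueError("exceeded quota: " + ", ".join(over))
    return new_used
```

`apply_limit_range({})` returns requests 200m/256Mi and limits 500m/512Mi for a container that specified nothing; passing that result to `charge_quota` with `{"pods": 10}` already used raises `exceeded quota: pods`, the 11th pod against `pods: "10"`.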
```text
LimitRange rules

1. If a container has NO requests/limits specified:

   Container spec:              Applied:
   containers:                    requests.cpu: 200m
   - name: app                    requests.memory: 256Mi
     image: nginx                 limits.cpu: 500m
                                  limits.memory: 512Mi

   The defaultRequest values fill in the requests and the default values fill in the limits.

2. If a container requests MORE than max:

   Container spec:              Error:
   resources:                     "Container exceeded maximum
     limits:                       cpu limit of 2"
       cpu: "4"

   Rejected!
```

## Namespace Isolation
### Network Policies
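A deny-all-ingress policy such as the manifest in this section is only a boundary if every namespace has one and it really selects every pod with no allow rules. The check below is an added Python example, not code from the chapter or from Kubernetes; its policy objects are constructed samples in the shape `kubectl get networkpolicy -A -o json` returns under `items`, and the rule for an omitted policyTypes follows the NetworkPolicy API's documented defaulting.

```python
# Added example (not the chapter's or Kubernetes' own code): classify NetworkPolicy
# objects as default-deny-ingress or not, then list namespaces that have none.
# The sample objects are constructed in the shape of `kubectl get networkpolicy -A -o json`.

def is_default_deny_ingress(policy: dict) -> bool:
    """True only if the policy selects every pod, covers Ingress, and allows nothing."""
    spec = policy.get("spec", {})
    # An empty podSelector ({} or matchLabels: {}) selects all pods in the namespace.
    if spec.get("podSelector") not in ({}, {"matchLabels": {}}):
        return False
    # When policyTypes is omitted, Ingress is always implied; Egress only if egress rules exist.
    types = spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])
    if "Ingress" not in types:
        return False
    # Any ingress rule, even an empty one (`ingress: [{}]`), allows traffic; deny-all has none.
    return not spec.get("ingress")

def namespaces_without_default_deny(namespaces: list, policies: list) -> list:
    """Namespaces from `namespaces` that have no default-deny-ingress policy in `policies`."""
    covered = {p["metadata"]["namespace"] for p in policies if is_default_deny_ingress(p)}
    return sorted(ns for ns in namespaces if ns not in covered)

# Constructed sample data: three policies that look alike but behave very differently.
SAMPLE_POLICIES = [
    {"metadata": {"name": "deny-all-ingress", "namespace": "production"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},          # true default deny
    {"metadata": {"name": "allow-all", "namespace": "staging"},
     "spec": {"podSelector": {}, "ingress": [{}]}},                     # allows ALL ingress
    {"metadata": {"name": "web-only", "namespace": "development"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}}, "policyTypes": ["Ingress"]}},
]
SAMPLE_NAMESPACES = ["production", "staging", "development", "monitoring"]

if __name__ == "__main__":
    print(namespaces_without_default_deny(SAMPLE_NAMESPACES, SAMPLE_POLICIES))
    # ['development', 'monitoring', 'staging']
```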
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
spec:
  podSelector: {}        # empty selector: applies to every pod in the namespace
  policyTypes:
    - Ingress            # no ingress rules are listed, so all inbound traffic is denied
```

### RBAC per Namespace
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: development   # a Role is scoped to this namespace only
  name: developer
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# The Role grants nothing by itself: a RoleBinding in the same namespace
# attaches it to a user, group or ServiceAccount.
```

## Best Practices
DO:

- Create separate namespaces for each environment
- Use consistent naming conventions
- Set ResourceQuotas for all namespaces
- Use LimitRanges to enforce resource limits
- Apply RBAC policies per namespace
- Use NetworkPolicies to restrict traffic

DON'T:

- Don't use the default namespace for production
- Don't skip quotas - they prevent resource exhaustion
- Don't allow all traffic between namespaces without consideration

Recommended namespace structure:

```text
kubernetes.io/metadata.name: default
├── production
├── staging
├── development
├── kube-system (system)
└── monitoring (for monitoring tools)
```

## Hands-on Lab
### Lab: Working with Namespaces

In this hands-on lab, we'll create and manage namespaces.

#### Prerequisites

- A running Kubernetes cluster

#### Lab Steps
```bash
# Step 1: Create namespaces
kubectl create namespace development
kubectl create namespace staging

# Step 2: List namespaces
kubectl get namespaces

# Step 3: Create a ResourceQuota
kubectl apply -f - <<EOF
apiVersion: v1
kind: ResourceQuota
metadata:
  name: dev-quota
  namespace: development
spec:
  hard:
    pods: "10"
    requests.cpu: "2"
    requests.memory: 4Gi
EOF

# Step 4: View quota
kubectl get resourcequota -n development

# Step 5: Create a LimitRange
kubectl apply -f - <<EOF
apiVersion: v1
kind: LimitRange
metadata:
  name: dev-limits
  namespace: development
spec:
  limits:
    - default:
        cpu: 500m
        memory: 512Mi
      defaultRequest:
        cpu: 200m
        memory: 256Mi
      max:
        cpu: "2"
        memory: 2Gi
      min:
        cpu: 50m
        memory: 64Mi
      type: Container
EOF

# Step 6: Deploy to a specific namespace
kubectl create deployment nginx --image=nginx -n development

# Step 7: Switch default namespace
kubectl config set-context --current --namespace=development

# Step 8: Clean up
kubectl delete namespace development staging
# The current context still points at the deleted namespace; point it back at default
kubectl config set-context --current --namespace=default
```

## Summary
### Key Takeaways

- Namespaces - Logical isolation for resources
- ResourceQuotas - Limit total resources per namespace
- LimitRanges - Set defaults and limits for containers
- RBAC - Access control per namespace
- NetworkPolicies - Traffic isolation
### Quick Reference

```bash
# Create namespace
kubectl create namespace my-namespace

# Get resources in namespace
kubectl get pods -n my-namespace

# Switch namespace
kubectl config set-context --current --namespace=my-namespace

# Apply quota
kubectl apply -f quota.yaml -n my-namespace

# Apply limit range
kubectl apply -f limitrange.yaml -n my-namespace
```

### Next Steps
In the next chapter, we'll explore Kubernetes Labels and Selectors (Chapter 25), covering:

- Label syntax and usage
- Label selectors
- Annotations