Kubernetes (K8s) namespaces are a way to isolate, group, and organize resources within a Kubernetes cluster.
For many use cases, creating Kubernetes namespaces can help you streamline operations,
improve security, and even enhance performance.
To help you get the most out of Kubernetes namespaces, in this article we’ll take an in-depth look at
what they are, how they work, and when it makes sense to use them. Additionally, we’ll provide some practical
examples you can follow to get hands-on with Kubernetes namespaces.
Kubernetes namespaces: The Basics
Before we jump into the technical details, let’s start with the basics. First, here is
a breakdown of the high-level features and benefits of Kubernetes namespaces (don’t worry, we’ll go deeper in a bit).
Feature
Benefit
Role-based access control (RBAC) per namespace
Enhanced security
Resource isolation, Fewer API operations per namespace in large clusters
Improved performance
Resource quotas per namespace
Better capacity management
Name scoping provided by namespace
Efficient organization
While those features and benefits are important, they don’t tell you much
about where namespaces fit within Kubernetes architecture. You can think of
namespaces as a type of “virtual cluster” or “sub-cluster” that provide a scope for names
within a Kubernetes cluster. Names of resources need to be unique within a namespace, but not across namespaces.
Use machine-learning algorithms to configure cloud resources based on workload patterns
Let algorithms select the optimal cloud configuration from thousands of catalog options
Integrate to ITSM and CI/CD pipelines to provide transparency and automation
Here are a few important concepts to keep in mind when working with namespaces:
Resources inside namespaces are logically separated from each other but they can still communicate
Namespaces dont provide true multi-tenancy the way other solutions
do ( such as public cloud virtual infrastructure or Openstack Private Cloud )
There is a single default Kubernetes namespace, but you can create as many namespaces as needed within a cluster
Namespaces cannot be nested within each other.
Identifying namespaced Kubernetes resources
Most Kubernetes resources reside in a namespace, but there are some exceptions. For example,
some objects exist at the cluster level and don’t reside in a namespace. To view api-resources and
see which are namespaced in a Kubernetes cluster, you can use the kubectl command.
In our example below, you’ll notice that some resources, like nodes and persistent volumes, are not namespaced.
Pick the ideal instance type for your workload using an ML-powered visual catalog map
There are many reasons why you will need to use separate namespaces instead of placing all resources
in a single (default) namespace. At a high level, using a single namespace can create naming conflicts
for Kubernetes resources like deployments, services, and other objects.
These conflicts can lead to problems such as environment variables and secrets being visible
across different application pods. Using namespaces can help you avoid these problems.
When to use Kubernetes namespaces
With that in mind, let’s take a look at some common use cases for Kubernetes namespaces.
Large teams can use namespaces to isolate their microservices.
Teams can re-use the same resource names in different workspaces without conflicts.
Additionally, taking action on items in one workspace never affects other workspaces.
Organizations that use a single cluster for development, testing, and production can use
namespaces to isolate environments. This practice ensures production code is not affected by changes
that developers make in their own namespaces.
Namespaces enable the use of RBAC, so teams can define roles that group lists of permissions.
RBAC can ensure that only authorized users have access to resources in a given namespace.
Users can set resource limits on namespaces by defining resource quotas. These quotas can
ensure that every project has the resources it needs to run and that one
namespace is not hogging all available resources.
Namespaces can improve performance by limiting API search items. If a cluster
is separated into multiple namespaces for different projects, the Kubernetes API
will have fewer items to search when performing operations. As a result, teams
can see performance gains within their Kubernetes clusters.
Working with Kubernetes namespaces
Now that we’ve covered what namespaces are and when to use them, let’s jump into working with them.
The default namespaces in Kubernetes
Most Kubernetes distributions will create three namespaces by default. You can see
these default Kubernetes namespaces when you create a new cluster by using kubectl command.
Here is a breakdown of what each of those automatically created namespaces is:
default- used by user apps by default, until there are other custom namespaces
kube-public- used by public Kubernetes resources, not recommended to be used by cluster users
kube-system- used by Kubernetes control plane, and must not be used by cluster users
Creating and deleting Kubernetes Namespaces
You can use the kubectl create command or kubectl apply/create
with a YAML manifest to create Kubernetes namespaces. For listing namespaces, use kubectl get command.
Get the list of current namespaces:
Identify under/over-provisioned K8s resources and use Terraform to auto-optimize
See the new namespace is created by getting the new updated list:
Finally, delete the namespace
Kubernetes namespaces and the kubectl context
The default kubectl context points to the namespace “default”. When you work
with a cluster that has multiple namespaces, you will need to switch context to work with
each namespace. You can switch between namespace contexts using this command:
You can validate that the command worked with this command:
Creating, listing, and deleting resources inside namespaces
When the current context is not pointing to the namespace you are working with, you can use
the namespace flag to make sure your command is launched against your desired namespace.
First, create an app in test namespace:
A free 30-day trial for cloud & Kubernetes resource control. Experience in your environment or use sample data. See optimization potential in 48 hours. No card required.
When you use the kubernetes yaml to create a deployment , you can use the metadata section to
specify the namespace in which the deployment and its resources/pods should be created. For example:
To get a list of pods in test namespace:
To get a list of pods in all namespaces:
Namespaces and Resource Quotas
You can implement Resource Quotas on a namespace so that cluster resources are allocated
the way you need them to be. You can define a resource quota object
on your desired namespace. For example, this manifest will create a CPU quota for the namespace demo.
This means that once the quota is created, pods
created and running inside the demo namespace will be limited to the above requests and limits.
Once the limit is reached, no more pods can be created inside the demo namespace.
Namespace and Kubernetes DNS/service discovery
Kubernetes services that are defined in separate namespaces can’t directly talk to
each other using short names the way they do inside the same namespace. For cross-namespace communication,
will need to use fully qualified domain names (FQDNs) so that the name contains the namespace qualifier.
Conclusion
Namespaces are a powerful mechanism for isolating Kubernetes resources. With a solid understanding of
how they work, you can use Kubernetes namespaces to enhance security, simplify management, and improve cluster performance.
Discover the benefits of optimized cloud & container resources. Try Densify for free for 30 days!
We’re glad you are here! Densify customizes your experience by enabling cookies that help us understand your interests and recommend related information. By using our sites, you consent to our use of cookies. Learn more.