Kubernetes - Namespace
Kubernetes NAMESPACE is a virtual cluster for organizing and structuring Kubernetes objects.
Not all objects are in a namespace. Most Kubernetes resources (e.g. pods, services, replication controllers) are in some namespaces. We are referring to the such object as namespaced Kubernetes object here. However, namespace resources are not themselves in a namespace. and low-level resources, such as nodes and persistent volumes, are not in any namespace.
There are three pre-configured namespaces created by Kubernetes -
Default Namespace: Every namespaced Kubernetes object that is created without specifying a namespace goes to the Default Namespace.
Kube-System Namespace: This Namespace is used for system processes like etcd, kube-scheduler, etc. Do not modify or create any objects in this Namespace, as it is not meant for users.
Kube-public Namespace: This namespace houses publicly accessible data, including a ConfigMap which stores cluster information like the cluster’s public certificate for communicating with the Kubernetes API.
Create new namespaces
kubectl create namespace ns-development
Viewing Namespaces
kubectl get namespace
--or
kubectl get ns
Setting ns-development namespace as current namespace
kubectl config set-context --current --namespace=ns-development
Creating Resources in the Namespace
Let’s take a look at a simple YAML to create a Pod:
apiVersion: v1
kind: Pod
metadata:
name: mypod
labels:
name: mypod
spec:
containers:
- name: mypod
image: nginx
You might notice that there is no mention of namespaces anywhere. If you run a kubectl apply on this file, it will create the Pod in the current active namespace. This will be the “default” namespace unless you change it.
There are two ways to explicitly tell Kubernetes in which Namespace you want to create your resources. One way is to set the “namespace” flag when creating the resource:
kubectl apply -f pod.yaml --namespace=test
If you specify a namespace in the YAML declaration, the resource will always be created in that namespace. If you try to use the “namespace” flag to set another namespace, the command will fail.
apiVersion: v1
kind: Pod
metadata:
name: mypod
namespace: test
labels:
name: mypod
spec:
containers:
- name: mypod
image: nginx
Connectivity in Namespaces
A Kubernetes object can directly access another object in the same Namespace using its name. For example, a Pod can access a Service in the same Namespace using the name of the Service.
Cross Namespace communication
Namespaces are “hidden” from each other, but they are not fully isolated by default. A service in one Namespace can talk to a service in another Namespace. This can often be very useful, for example, to have your team’s service in your Namespace communicate with another team’s service in another Namespace.
When your app wants to access a Kubernetes Service, you can use the built-in DNS service discovery and just point your app at the Service’s name. Services in Kubernetes expose their endpoint using a common DNS pattern. It looks like this:
<Service Aame>.<Namespace Name>.svc.cluster.local
For example, if you want to connect to the “database” service in the “test” namespace, you can use the following address:
database.test
If you want to connect to the “database” service in the “production” namespace, you can use the following address:
database.production
Note: If you do want to isolate Namespaces, you should use Network Policies to accomplish this.
Namespaces Resource Quota
Each Namespace can be configured to have its policy on who can modify, create, or edit an object in the namespace. The permission management model behind this is called RBAC (Role-Based Access Control). Individual role assignments allow different teams to use Namespaces in a shared cluster. Resource limits can also be assigned to a Namespace which will control memory and CPU requests and operations.
apiVersion: v1
kind: ResourceQuota
metadata:
name: dev-cpu-quota
namespace: ns-development
spec:
hard:
requests.cpu: "100m"
limits.cpu: "200m"
