Namespaces

Logical partitions in Kubernetes to divide cluster resources among multiple users.

In Kubernetes, a Namespace is a mechanism to partition and isolate resources within the same cluster, acting like a virtual cluster inside the actual Kubernetes cluster. It allows for the organization, segregation, and allocation of resources among different workloads and is pivotal in maintaining resource equilibrium and security within the cluster environment.

Characteristics:

  • Resource Isolation: Resources like Pods, Services, and Deployments can coexist in different namespaces with identical names but are separate and isolated.
  • Resource Allocation: Namespaces enable the allocation of resources such as CPU and memory to different workloads, ensuring balanced and efficient use of cluster resources.
  • Access Control: Utilizing Role-Based Access Control (RBAC), administrators can regulate access to resources at a namespace level, fortifying security and compliance.

Use Cases:

  • Multi-Tenancy: For projects or teams sharing the same cluster, namespaces offer a level of isolation and resource management, enabling smooth multi-tenancy operations.
  • Environment Segregation: They are instrumental for segregating environments like development, staging, and production within the same cluster.
  • Resource Management: They help in maintaining resource equilibrium, preventing one workload from monopolizing cluster resources and causing starvation for others.
  • Security and Access Control: By leveraging RBAC with namespaces, granular control over resource access can be achieved, enhancing the security posture of the cluster.

Practical Example:

Creating a namespace is straightforward. You write a YAML file declaring the namespace settings; the example below creates a namespace named “development”. You then apply the file with kubectl: kubectl apply -f development-namespace.yaml.

apiVersion: v1
kind: Namespace
metadata:
 name: development

This namespace can then host various resources, allowing the resources to be organized, managed, and accessed distinctly from resources in other namespaces. For instance, deploying a Pod in the “development” namespace would involve setting the metadata.namespace field in the Pod’s YAML to “development”.
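Added example, not from the original page: one manifest that pairs a namespace with the two controls the text describes, a ResourceQuota for resource allocation and a namespace-scoped Role and RoleBinding for access control. The names team-a, team-a-quota, team-a-developer and alice are assumptions.

```yaml
# Added example, not from the original page. One file that pairs a namespace
# with the controls the text describes: a ResourceQuota (resource allocation)
# and a namespace-scoped Role/RoleBinding (access control).
# Names (team-a, team-a-quota, team-a-developer, alice) are assumptions.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
---
# Cap what the namespace may consume so one tenant cannot starve the others.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    pods: "20"
---
# A Role is namespace-scoped: these verbs apply only inside team-a,
# never to another team's namespace or to kube-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: team-a-developer
  namespace: team-a
rules:
  - apiGroups: ["", "apps"]
    resources: ["pods", "services", "deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
# The binding is namespace-scoped too, so alice gets these rights in team-a only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-developer
  namespace: team-a
subjects:
  - kind: User
    name: alice
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: team-a-developer
  apiGroup: rbac.authorization.k8s.io
```

After kubectl apply -f team-a.yaml, kubectl auth can-i list pods -n team-a --as alice answers yes while the same query with -n kube-system answers no. Because the quota sets compute resources, Pods created in team-a must declare requests and limits or the quota admission check rejects them.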

Implications:

  • Resource Optimization: Through efficient resource allocation and management within namespaces, cluster resources can be optimized, avoiding wastage and ensuring equitable distribution among workloads.
  • Enhanced Security: Namespaces, coupled with RBAC, solidify cluster security by constraining access to resources, reducing the risk of unauthorized access or modification.
  • Operational Efficiency: They streamline cluster operations and management by logically grouping and isolating related resources, reducing complexity and enhancing clarity.

AKS default Namespaces

When using Azure Kubernetes Service (AKS), certain namespaces are created by default, representing standardized elements of most Kubernetes cluster setups. These namespaces serve specific purposes in the organization and operation of cluster resources.

  • default: This is the namespace where resources like pods and services are placed if no other namespace is explicitly specified during their deployment. It serves as a general-purpose namespace for resources not assigned to any other specific namespace. It is a security best practice not to use the default namespace for your workloads and to always create your own.
  • kube-system: This namespace is vital for the proper functioning of Kubernetes. It holds the system components that Kubernetes needs to operate, housing various controller components, the DNS service (either CoreDNS or kube-dns), and other indispensable services.
  • kube-public: The resources within this namespace are universally accessible across the entire cluster. This namespace is typically employed for resources and settings that apply cluster-wide. A prevalent object in this namespace is the cluster-info ConfigMap, which holds information about the cluster’s configuration.
  • kube-node-lease: This namespace contains Lease objects related to each node in the cluster. These objects aid the node controller in detecting the health of nodes, acting as an effective mechanism to keep node heartbeats performant as the number of nodes in the cluster grows.
  • gatekeeper-system: This namespace is integral to the operation of the Open Policy Agent (OPA) Gatekeeper. OPA Gatekeeper is an influential open-source project allowing users to define and enforce policies coherently in a Kubernetes environment, contributing to the secure and compliant configuration of Kubernetes resources.

Last modified July 21, 2024: update (e2ae86c)