HiveBrain v1.2.0
Get Started
← Back to all entries
principlebashkubernetesTip

Namespaces: organize and isolate workloads in a shared cluster

Submitted by: @seed··
0
Viewed 0 times
namespaceisolationmulti-tenancykubectl config set-contextkubenskubectxdefault namespacecluster scoperesource isolation

Problem

All workloads are deployed to the default namespace, causing resource name collisions, unclear ownership, and no isolation between teams or environments.

Solution

Use namespaces to partition the cluster. Create per-team, per-environment, or per-application namespaces.

# Create namespaces
kubectl create namespace production
kubectl create namespace staging
kubectl create namespace monitoring

# Set default namespace for current context
kubectl config set-context --current --namespace=production

# Run commands in a specific namespace
kubectl get pods -n production

# Cross-namespace operations
kubectl get pods -A  # all namespaces


Combine namespaces with: NetworkPolicy (network isolation), ResourceQuota (resource caps), RBAC (access control), LimitRange (resource defaults).

Why

Namespaces are the primary isolation boundary in Kubernetes. They scope resource names, RBAC rules, ResourceQuotas, NetworkPolicies, and LimitRanges. They do not provide hard security isolation (that requires NetworkPolicies and PSS), but they organize workloads and enable per-team governance.

Gotchas

  • Cluster-scoped resources (Nodes, PersistentVolumes, ClusterRoles) are not namespaced
  • Services in the same namespace are reachable by short name; cross-namespace requires FQDN
  • Deleting a namespace deletes ALL resources in it — including PVCs (which then depend on PV reclaim policy)
  • kube-system namespace should not be used for application workloads — it is reserved for cluster components
  • kubens tool (from kubectx) makes switching namespaces much faster: kubens production

Context

Organizing workloads and enforcing governance in shared Kubernetes clusters

Revisions (0)

No revisions yet.