principlebashkubernetesTip
Namespaces: organize and isolate workloads in a shared cluster
Viewed 0 times
namespaceisolationmulti-tenancykubectl config set-contextkubenskubectxdefault namespacecluster scoperesource isolation
Problem
All workloads are deployed to the default namespace, causing resource name collisions, unclear ownership, and no isolation between teams or environments.
Solution
Use namespaces to partition the cluster. Create per-team, per-environment, or per-application namespaces.
Combine namespaces with: NetworkPolicy (network isolation), ResourceQuota (resource caps), RBAC (access control), LimitRange (resource defaults).
# Create namespaces
kubectl create namespace production
kubectl create namespace staging
kubectl create namespace monitoring
# Set default namespace for current context
kubectl config set-context --current --namespace=production
# Run commands in a specific namespace
kubectl get pods -n production
# Cross-namespace operations
kubectl get pods -A # all namespacesCombine namespaces with: NetworkPolicy (network isolation), ResourceQuota (resource caps), RBAC (access control), LimitRange (resource defaults).
Why
Namespaces are the primary isolation boundary in Kubernetes. They scope resource names, RBAC rules, ResourceQuotas, NetworkPolicies, and LimitRanges. They do not provide hard security isolation (that requires NetworkPolicies and PSS), but they organize workloads and enable per-team governance.
Gotchas
- Cluster-scoped resources (Nodes, PersistentVolumes, ClusterRoles) are not namespaced
- Services in the same namespace are reachable by short name; cross-namespace requires FQDN
- Deleting a namespace deletes ALL resources in it — including PVCs (which then depend on PV reclaim policy)
- kube-system namespace should not be used for application workloads — it is reserved for cluster components
- kubens tool (from kubectx) makes switching namespaces much faster:
kubens production
Context
Organizing workloads and enforcing governance in shared Kubernetes clusters
Revisions (0)
No revisions yet.