Updated on 2022-12-01 GMT+08:00

Namespace for Grouping Resources

Why We Need Namespaces

Although labels are simple and efficient, too many labels can cause chaos and make querying inconvenient. Labels can overlap with each other, which is not suitable for certain scenarios. This is where namespaces come in. Namespaces allow you to isolate and manage resources in a more systematic way. Multiple namespaces can divide a system that contains multiple components into separate, non-overlapping groups. Namespaces also enable you to divide cluster resources between users, so that multiple teams can share one cluster.

Resources can share the same name as long as they are in different namespaces. Most resources in Kubernetes can be managed by namespace, but global resources such as worker nodes and PVs do not belong to a specific namespace. Later sections will discuss this topic in detail.

Run the following command to query namespaces in the current cluster:

$ kubectl get ns
NAME               STATUS   AGE
default            Active   36m
kube-node-lease    Active   36m
kube-public        Active   36m
kube-system        Active   36m

So far, we have been performing operations in the default namespace. When kubectl get is run without specifying a namespace, the default namespace is used.

You can run the following command to view resources in the kube-system namespace.

$ kubectl get po --namespace=kube-system
NAME                                      READY   STATUS    RESTARTS   AGE
coredns-7689f8bdf-295rk                   1/1     Running   0          9m11s
coredns-7689f8bdf-h7n68                   1/1     Running   0          11m
everest-csi-controller-6d796fb9c5-v22df   2/2     Running   0          9m11s
everest-csi-driver-snzrr                  1/1     Running   0          12m
everest-csi-driver-ttj28                  1/1     Running   0          12m
everest-csi-driver-wtrk6                  1/1     Running   0          12m
icagent-2kz8g                             1/1     Running   0          12m
icagent-hjz4h                             1/1     Running   0          12m
icagent-m4bbl                             1/1     Running   0          12m

You can see that there are many pods in kube-system. coredns is used for service discovery, everest-csi for connecting to storage services, and icagent for connecting to the monitoring system.

These general, must-have applications are put in the kube-system namespace to isolate them from other pods. They are invisible to resources in other namespaces and are not affected by them.

Creating a Namespace

Define a namespace.

apiVersion: v1 
kind: Namespace 
metadata: 
  name: custom-namespace 

Run the kubectl command to create it.

$ kubectl create -f custom-namespace.yaml
namespace/custom-namespace created 

You can also run the kubectl create namespace command to create a namespace.

$ kubectl create namespace custom-namespace 
namespace/custom-namespace created 

Create resources in the namespace.

$ kubectl create -f nginx.yaml -n custom-namespace 
pod/nginx created 

Now custom-namespace has a pod named nginx.

The Isolation Function of Namespaces

Namespaces are used to group resources only for organization purposes. Running objects in different namespaces are not inherently isolated. For example, if pods in two namespaces know each other's IP addresses and the underlying network on which Kubernetes depends does not provide network isolation between namespaces, the two pods can access each other.
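
The following manifest is an added example, not part of the original page, showing one way to add the network isolation that namespaces alone do not provide for custom-namespace. It assumes the cluster's network plugin enforces NetworkPolicy objects; the policy names and the file name mentioned afterwards are hypothetical.

```yaml
# Added example. Assumption: the cluster's network plugin enforces
# NetworkPolicy; where it does not, these objects are accepted but ignored.

# 1. Select every pod in custom-namespace and deny all ingress by default.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress      # hypothetical name
  namespace: custom-namespace
spec:
  podSelector: {}                 # empty selector: all pods in this namespace
  policyTypes:
    - Ingress
---
# 2. Allow ingress again, but only from pods in the same namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace      # hypothetical name
  namespace: custom-namespace
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        # A podSelector with no namespaceSelector matches only pods in the
        # policy's own namespace, so pods in default, kube-system, or any
        # other namespace are no longer allowed to connect.
        - podSelector: {}
```

After saving this as, for example, custom-namespace-netpol.yaml and running kubectl create -f on it, a pod in the default namespace that knows the IP address of the nginx pod should no longer be able to connect to it, while pods inside custom-namespace still can.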