Kubernetes (1) - Namespace

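When multiple teams share the same underlying (hardware) resources,

a Namespace is the abstraction used to manage each team's modules/projects.

Every module is packaged up by a cluster,

and a Namespace is an abstracted cluster.

Picture a sheet of wrapping paper called the cluster wrapped around the module image.

The Namespace then puts the wrapping paper and the product together into the namespace box you defined.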

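So for other K8s users (and admins),

a module is not accessed by its module name,

nor by its cluster.

The namespace is the only thing that identifies it.

If no namespace is specified for where to put them,

all pods live in the namespace named default.

A Namespace is unique.

When a Namespace is deleted, all the pods under it are deleted as well.

Objects in different Namespaces cannot access each other,

unless an ExternalName Service is used.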

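From largest to smallest, the order is:

Cluster > Namespace (default) > Node > Pod (container)

Resource allocation in k8s partitions the cluster by namespace,

so we can use namespaces to divide it into different virtual clusters.

Under different clusters, what runs on each machine cannot interfere with one another.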

When should one use multiple Kubernetes namespaces?

Small teams or smaller organizations may be perfectly content using the default namespace. This is particularly relevant if there is no need to isolate developers or users from each other. However, there are many useful benefits to having multiple namespaces, including:

  • Isolation. Large or growing teams can use namespaces to isolate their projects and microservices from each other. Teams can re-use the same resource names in different workspaces without a problem. Also, taking an action on items in one workspace never affects other workspaces.
  • Organization. Organizations that use a single cluster for development, testing, and production can use namespaces to sandbox dev and test environments. This ensures production code is not affected by changes that developers or testers make in their own namespaces throughout the application lifecycle.
  • Permissions. Namespaces enable the use of Kubernetes RBAC, so teams can define roles that group lists of permissions or abilities under a single name. This can ensure that only authorized users have access to resources in a given namespace.
  • Resource Control. Policy-driven resource limits can be set on namespaces by defining resource quotas for CPU or memory utilization. This can ensure that every project or namespace has the resources it needs to run, and that no one namespace is hogging all available resources.
  • Performance. Using namespaces can help improve performance of a given cluster. If a cluster is separated into multiple namespaces for different projects, the Kubernetes API will have fewer items to search when performing operations. This can reduce latency and speed overall application performance for each application running on the cluster.

When to use multiple namespaces => clusters > 10

What is namespace in k8s?

  • Kubernetes supports multiple virtual clusters backed by the same physical cluster. These virtual clusters are called namespaces.
  • Namespaces automatically separate resources in the cluster. So if you create a namespace A and B, then if you create a configmap in namespace A it will automatically be unavailable in namespace B.
  • A resource quota, defined by a ResourceQuota object, provides constraints that limit aggregate resource consumption per namespace. It can limit the quantity of objects that can be created in a namespace by type, as well as the total amount of compute resources that may be consumed by resources in that namespace.
  • Users create resources (pods, services, etc.) in the namespace, and the quota system tracks usage to ensure it does not exceed hard resource limits defined in a ResourceQuota.
  • If creating or updating a resource violates a quota constraint, the request will fail with HTTP status code 403 FORBIDDEN with a message explaining the constraint that would have been violated.
  • You can limit the total sum of compute resources that can be requested in a given namespace.
  • Note that resource quota divides up aggregate cluster resources, but it creates no restrictions around nodes: pods from several namespaces may run on the same node.
  • Namespaces enhance role-based access control (RBAC) by limiting users and processes to certain namespaces.
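
The quota and RBAC points above, as an added example that is not part of the original post: manifests for one namespace with a ResourceQuota and a namespaced Role and RoleBinding. The names `team-a`, `team-a-quota`, `team-a-developer` and the group `team-a-devs`, and all quota values, are hypothetical.

```yaml
# Constructed example: namespace, quota and namespaced RBAC for a hypothetical team.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a                # hypothetical namespace name
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a
spec:
  hard:
    requests.cpu: "4"         # total CPU requests allowed across the namespace
    requests.memory: 8Gi      # total memory requests allowed across the namespace
    limits.cpu: "8"
    limits.memory: 16Gi
    pods: "20"                # object-count limits by type
    configmaps: "10"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                    # Role (not ClusterRole): permissions apply in team-a only
metadata:
  name: team-a-developer
  namespace: team-a
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-developers
  namespace: team-a
subjects:
  - kind: Group
    name: team-a-devs         # hypothetical group name supplied by the cluster's authenticator
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: team-a-developer
  apiGroup: rbac.authorization.k8s.io
```

Once a quota covers CPU or memory requests and limits, a pod that does not declare those values is rejected unless a LimitRange in the namespace supplies defaults. The Role grants nothing outside `team-a`, so members of the bound group get no access to objects in other namespaces through this binding.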
