Kubernetes Namespaces

Default Kubernetes Namespaces

Get a list of current namespaces:

kubectl get namespaces
NAME STATUS AGE
default Active 11d
kube-public Active 11d
kube-system Active 11d

Create Two Namespaces

We are now going to create two new namespaces so that we can create Kubernetes objects in it — to see how the separation works.

nano dev-namespace.yamlkind: Namespace
apiVersion: v1
metadata:
name: development
labels:
name: development
nano tutorials-namespace.yamlkind: Namespace
apiVersion: v1
metadata:
name: tutorials
labels:
name: tutorials
kubectl create -f dev-namespace.yamlkubectl create -f tutorials-namespace.yaml
kubectl get namespaces --show-labels
NAME STATUS AGE LABELS
default Active 11d <none>
development Active 3m48s name=development
kube-public Active 11d <none>
kube-system Active 11d <none>
tutorials Active 9s name=tutorials

Set-Context to Switch between Namespaces

In order to easily switch between Namespaces we use the concept of switching context.

kubectl config viewapiVersion: v1
clusters:
- cluster:
certificate-authority: C:\Users\alwyn\.minikube\ca.crt
server: https://192.168.99.117:8443
name: minikube
contexts:
- context:
cluster: minikube
user: minikube
name: minikube
current-context: minikube
kind: Config
preferences: {}
users:
- name: minikube
user:
client-certificate: C:\Users\alwyn\.minikube\client.crt
client-key: C:\Users\alwyn\.minikube\client.key
kubectl config current-contextminikube
kubectl config set-context development --namespace=development --cluster=minikube --user=minikubeContext "development" created.kubectl config set-context tutorials --namespace=tutorials --cluster=minikube --user=minikubeContext "tutorials" created.
kubectl config viewapiVersion: v1
clusters:
- cluster:
certificate-authority: C:\Users\alwyn\.minikube\ca.crt
server: https://192.168.99.117:8443
name: minikube
contexts:
- context:
cluster: minikukbe
namespace: development
user: minikube
name: dev

- context:
cluster: minikube
namespace: development
user: minikube
name: development
- context:
cluster: minikube
user: minikube
name: minikube
- context:
cluster: minikube
namespace: tutorials
user: minikube
name: tutorials
- context:
cluster: minikukbe
namespace: tutorials
user: minikube
name: tuts
current-context: minikube
kind: Config
preferences: {}
users:
- name: minikube
user:
client-certificate: C:\Users\alwyn\.minikube\client.crt
client-key: C:\Users\alwyn\.minikube\client.key
kubectl config current-contextminikube
nano myNamespacedPod-3.yamlapiVersion: v1
kind: Pod
metadata:
name: my-minikube-pod
labels:
app: myapp
spec:
containers:
- name: myapp-container
image: busybox
command: ['sh', '-c', 'echo The Pod is running ... now sleeping && sleep 3600']
kubectl create -f myNamespacedPod-3.yaml 

pod/my-minikube-pod created
kubectl get po 

NAME READY STATUS RESTARTS AGE
my-minikube-pod 1/1 Running 0 22s

Create Pod in Development Namespace

Let’s switch context to development and create a Pod there.

kubectl config use-context development Switched to context "development".
nano myNamespacedPod-1.yamlapiVersion: v1
kind: Pod
metadata:
name: my-development-pod
labels:
app: myapp
spec:
containers:
- name: myapp-container
image: busybox
command: ['sh', '-c', 'echo The Pod is running ... now sleeping && sleep 3600']
kubectl create -f myNamespacedPod-1.yaml 

pod/my-development-pod created
kubectl get poNAME                 READY   STATUS    RESTARTS   AGE
my-development-pod 1/1 Running 0 7s

Create Pod in Tutorials Namespace

For experience let us create one Pod in our last context : tutorials .

kubectl config use-context tutorials Switched to context "tutorials".
nano myNamespacedPod-2.yamlapiVersion: v1
kind: Pod
metadata:
name: my-tutorials-pod
labels:
app: myapp
spec:
containers:
- name: myapp-container
image: busybox
command: ['sh', '-c', 'echo The Pod is running ... now sleeping && sleep 3600']
kubectl create -f myNamespacedPod-2.yaml 

pod/my-tutorials-pod created
kubectl get poNAME                 READY   STATUS    RESTARTS   AGE
my-tutorials-pod 1/1 Running 0 7s

Using Namespaces

To separate your Kubernetes resources just switch context and do your work there. Objects automatically created in your current context.

kubectl config use-context tutorials
Switched to context "tutorials".
kubectl get poNAME READY STATUS RESTARTS AGE
my-tutorials-pod 1/1 Running 0 78s
kubectl config use-context developmentSwitched to context "development".kubectl get po
NAME READY STATUS RESTARTS AGE
my-development-pod 1/1 Running 0 2m48s
kubectl config use-context minikube
Switched to context "minikube".
kubectl get po
NAME READY STATUS RESTARTS AGE
my-minikube-pod 1/1 Running 0 10m

Kubectl api-resources in Namespaces

Not all Kubernetes resources are in a Namespace.

kubectl api-resources --namespaced=true
NAME                        SHORTNAMES   APIGROUP                    NAMESPACED   KIND
bindings true Binding
configmaps cm true ConfigMap
endpoints ep true Endpoints
events ev true Event
limitranges limits true LimitRange
persistentvolumeclaims pvc true PersistentVolumeClaim
pods po true Pod
podtemplates true PodTemplate
replicationcontrollers rc true ReplicationController
resourcequotas quota true ResourceQuota
secrets true Secret
serviceaccounts sa true ServiceAccount
services svc true Service
controllerrevisions apps true ControllerRevision
daemonsets ds apps true DaemonSet
deployments deploy apps true Deployment
replicasets rs apps true ReplicaSet
statefulsets sts apps true StatefulSet
localsubjectaccessreviews authorization.k8s.io true LocalSubjectAccessReview
horizontalpodautoscalers hpa autoscaling true HorizontalPodAutoscaler
cronjobs cj batch true CronJob
jobs batch true Job
leases coordination.k8s.io true Lease
events ev events.k8s.io true Event
daemonsets ds extensions true DaemonSet
deployments deploy extensions true Deployment
ingresses ing extensions true Ingress
networkpolicies netpol extensions true NetworkPolicy
replicasets rs extensions true ReplicaSet
networkpolicies netpol networking.k8s.io true NetworkPolicy
poddisruptionbudgets pdb policy true PodDisruptionBudget
rolebindings rbac.authorization.k8s.io true RoleBinding
roles rbac.authorization.k8s.io true Role
kubectl api-resources --namespaced=false
NAME                              SHORTNAMES   APIGROUP                       NAMESPACED   KIND
componentstatuses cs false ComponentStatus
namespaces ns false Namespace
nodes no false Node
persistentvolumes pv false PersistentVolume
mutatingwebhookconfigurations admissionregistration.k8s.io false MutatingWebhookConfiguration
validatingwebhookconfigurations admissionregistration.k8s.io false ValidatingWebhookConfiguration
customresourcedefinitions crd,crds apiextensions.k8s.io false CustomResourceDefinition
apiservices apiregistration.k8s.io false APIService
tokenreviews authentication.k8s.io false TokenReview
selfsubjectaccessreviews authorization.k8s.io false SelfSubjectAccessReview
selfsubjectrulesreviews authorization.k8s.io false SelfSubjectRulesReview
subjectaccessreviews authorization.k8s.io false SubjectAccessReview
certificatesigningrequests csr certificates.k8s.io false CertificateSigningRequest
podsecuritypolicies psp extensions false PodSecurityPolicy
podsecuritypolicies psp policy false PodSecurityPolicy
clusterrolebindings rbac.authorization.k8s.io false ClusterRoleBinding
clusterroles rbac.authorization.k8s.io false ClusterRole
priorityclasses pc scheduling.k8s.io false PriorityClass
storageclasses sc storage.k8s.io false StorageClass
volumeattachments storage.k8s.io false VolumeAttachment
  • nodes / servers running Kubernetes — must be visible in all Namespaces
  • Namespaces itself must be visible in all Namespaces — otherwise switching would be impossible
  • PersistentVolumes must be visible everywhere
  • same for the full list of other resources NOT in a Namespaces
kubectl get nsNAME          STATUS   AGE
default Active 12d
development Active 16m
kube-public Active 12d
kube-system Active 12d
tutorials Active 16m
kubectl get noNAME STATUS ROLES AGE VERSION
minikube Ready master 12d v1.12.4

Namespaces Are Not a Secure Feature

As you have just seen I can easily create contexts and use it to switch Namespaces.

kubectl get po --all-namespaces=trueNAMESPACE     NAME                                    READY   STATUS    RESTARTS   AGE
default my-minikube-pod 1/1 Running 2 134m
development my-development-pod 1/1 Running 2 126m
kube-system coredns-576cbf47c7-28l4x 1/1 Running 16 12d
kube-system coredns-576cbf47c7-6lh8g 1/1 Running 16 12d
kube-system etcd-minikube 1/1 Running 8 7d19h
kube-system kube-addon-manager-minikube 1/1 Running 17 12d
kube-system kube-apiserver-minikube 1/1 Running 0 3h48m
kube-system kube-controller-manager-minikube 1/1 Running 0 3h48m
kube-system kube-proxy-dh4vs 1/1 Running 0 3h47m
kube-system kube-scheduler-minikube 1/1 Running 17 12d
kube-system kubernetes-dashboard-5bff5f8fb8-h25d5 1/1 Running 48 12d
kube-system storage-provisioner 1/1 Running 48 12d
tutorials my-tutorials-pod 1/1 Running 2 125m
kubectl get po --all-namespaces=true | grep -v systemNAMESPACE     NAME                                    READY   STATUS    RESTARTS   AGE
default my-minikube-pod 1/1 Running 2 136m
development my-development-pod 1/1 Running 2 128m
tutorials my-tutorials-pod 1/1 Running 2 127m

Clean Up

Our previous command showed we have 3 Pods running.

kubectl config use-context minikubekubectl delete pod/my-minikube-podkubectl config use-context development kubectl delete pod/my-development-podkubectl config use-context tutorials  kubectl delete pod/my-tutorials-pod
kubectl config use-context minikube
kubectl config delete-context development
kubectl config delete-context tutorials
kubectl delete namespaces development
kubectl delete namespaces tutorials

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Alibaba Cloud

Alibaba Cloud

Follow me to keep abreast with the latest technology news, industry insights, and developer trends. Alibaba Cloud website:https://www.alibabacloud.com