Article directory
- Namespaces
- Importance of namespaces
- Namespace usage scenarios
- Initial namespaces
- Common command operations
- Official website case: Create a namespace, configure memory and CPU quotas, and create a pod to use the namespace
  - 1. Create a namespace
  - 2. Create a resource quota object and assign values to it
  - 3. Bind the namespace and resource quota objects
  - 4. View the resource quota object information for the namespace and output it as a yaml file
  - 5. Create pod
  - 6. After creating the pod, view the resource quota object again
  - 7. Try to create a second pod
Namespaces
A Namespace in Kubernetes is a mechanism for organizing and isolating resources within a cluster. A Namespace can be regarded as a virtual cluster: it divides the physical cluster into multiple logical parts, each with its own set of resources (such as Pods, Services, ConfigMaps, etc.).
Namespaces are suitable for isolating resources created by different users, and for classifying, filtering and managing any group of objects in the cluster. Every workload added to a Kubernetes cluster must be placed in a namespace.
Different businesses (web, database, message center) can be deployed in different namespaces to achieve business isolation, and resource quotas can be imposed on them to limit the use of resources such as CPU and memory.
Importance of namespaces
Namespaces give scope to object names in the cluster. Although names must be unique within a namespace, the same name can be used in different namespaces. This is a big help in some scenarios. For example, if you use namespaces to divide application lifecycle environments (such as development, staging, production), you can maintain copies of the same objects with the same names in each environment.
Namespaces also allow users to easily apply policies to specific parts of the cluster. You can control resource usage by defining a ResourceQuota object, which sets limits on resource usage on a per-namespace basis. Similarly, when the cluster uses a CNI (Container Network Interface) plugin that supports network policy, such as Calico or Canal (Calico for policy, Flannel for networking), you can apply a NetworkPolicy to a namespace, where the rules define how pods communicate with each other. Different namespaces can have different policies.
One of the biggest benefits of using namespaces is the ability to take advantage of Kubernetes RBAC (role-based access control). RBAC lets you define roles, each grouping a list of permissions or capabilities under a single name. ClusterRole objects define cluster-wide permissions, while Role objects apply to a specific namespace, providing finer control and granularity. After a role is created, a RoleBinding can grant the defined capabilities to specific users or user groups within the context of a single namespace. In this way, namespaces let cluster operators map identical policies to organized collections of resources.
Namespace usage scenarios
- Mapping namespaces to teams or projects
By providing dedicated namespaces to teams, you can use RBAC policies to delegate certain functions for self-management and automation. Setting resource quotas for teams and projects is also very useful; this way you can allocate resources appropriately based on your organization's business needs and priorities.
- Using namespaces to partition lifecycle environments
Namespaces are ideal for partitioning development, staging, and production environments in a cluster. Typically, though, it is advisable to deploy production workloads into a completely separate cluster to ensure maximum isolation.
- Using namespaces to isolate different consumers
Segment workloads based on consumers. For example, if your cluster provides infrastructure for multiple customers, segmenting by namespace lets you manage each customer separately while tracking where the bills go.
Initial namespaces
Kubernetes creates four initial namespaces when it starts:
- default: Kubernetes includes this namespace so that you can start using a new cluster without creating a new namespace.
- kube-node-lease: This namespace contains the Lease objects associated with each node. Node leases allow the kubelet to send heartbeats so that the control plane can detect node failures.
- kube-public: All clients (including unauthenticated clients) can read this namespace. It is primarily reserved for cluster use, for resources that should be visible and readable across the whole cluster. The public nature of this namespace is a convention, not a requirement.
- kube-system: This namespace is used for objects created by the Kubernetes system.
Common command operations
1. View all namespaces
[root@k8s-master ~]# kubectl get namespace
NAME STATUS AGE
default Active 7d6h
kube-node-lease Active 7d6h
kube-public Active 7d6h
kube-system Active 7d6h
quota-mem-cpu-example Active 47h
You can see the four initial namespaces that come with k8s startup.
2. View namespace details
[root@k8s-master ~]# kubectl describe namespace kube-system
Name: kube-system
Labels: <none>
Annotations: <none>
Status: Active
No resource quota.
No LimitRange resource.
This command also shows whether any ResourceQuota or LimitRange objects exist in the namespace.
3. Create a namespace
[root@k8s-master ~]# kubectl create namespace quota-mem-cpu-example
View namespace
[root@k8s-master ~]# kubectl get namespace
4. View the pods under a certain namespace
[root@k8s-master ~]# kubectl get pod -n kube-system
NAME READY STATUS RESTARTS AGE
calico-kube-controllers-6949477b58-m954m 1/1 Running 15 7d3h
calico-node-c55c9 1/1 Running 11 7d3h
calico-node-cxnbg 1/1 Running 9 7d3h
calico-node-pm4jp 1/1 Running 10 7d3h
coredns-7f89b7bc75-hl2tf 1/1 Running 9 7d6h
coredns-7f89b7bc75-wkf68 1/1 Running 10 7d6h
etcd-k8s-master 1/1 Running 11 7d6h
kube-apiserver-k8s-master 1/1 Running 14 7d6h
kube-controller-manager-k8s-master 1/1 Running 14 7d6h
kube-proxy-55krt 1/1 Running 11 7d6h
kube-proxy-5zjxj 1/1 Running 9 7d3h
kube-proxy-dnvgg 1/1 Running 10 7d3h
kube-scheduler-k8s-master 1/1 Running 11 7d6h
metrics-server-769f6c8464-wqwdd 1/1 Running 2 26h
Note: If you do not specify -n <namespace>, the pods in the default namespace are shown. Likewise, if you do not specify a namespace when creating a pod, the pod is created in the default namespace.
5. Delete namespace
[root@k8s-master ~]# kubectl delete namespace mem-example
Official website case: Create a namespace, configure memory and CPU quotas, and create a pod to use the namespace
Refer to the official website documentation: https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/manage-resources/quota-memory-cpu-namespace/
1. Create a namespace
[root@k8s-master ~]# kubectl create namespace quota-mem-cpu-example
View namespace
[root@k8s-master ~]# kubectl get namespace
2. Create a resource quota object and assign a value to this resource object.
[root@k8s-master ~]# vim quota-mem-cpu.yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: mem-cpu-demo
spec:
  hard:
    requests.cpu: "1"
    requests.memory: 1Gi
    limits.cpu: "2"
    limits.memory: 2Gi
- apiVersion: the API version, v1
- kind: the object type; here a ResourceQuota object is created
- metadata: object metadata; here the name of the quota
- hard: the hard limits that the quota enforces
- requests.cpu: "1", the total CPU requests may be 1 CPU
- limits.cpu: "2", a maximum of 2 CPUs can be used in total
3. Bind the namespace and resource quota objects
[root@k8s-master ~]# kubectl apply -f quota-mem-cpu.yaml --namespace=quota-mem-cpu-example
4. View the resource quota object information corresponding to the namespace and output it in the form of yaml file
[root@k8s-master ~]# kubectl get resourcequota mem-cpu-demo --namespace=quota-mem-cpu-example --output=yaml
ResourceQuota sets the following requirements in the quota-mem-cpu-example namespace:
- All containers for each Pod in the namespace must have memory requests and limits, as well as CPU requests and limits.
- The total memory requests of all Pods in the namespace cannot exceed 1 GiB.
- The total memory limit of all Pods in the namespace cannot exceed 2 GiB.
- The total CPU requests of all Pods in the namespace cannot exceed 1 CPU.
- The total CPU limit of all Pods in the namespace cannot exceed 2 CPUs.
5. Create pod
Edit yaml file
[root@k8s-master ~]# vim quota-mem-cpu-pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: quota-mem-cpu-demo
spec:
  containers:
  - name: quota-mem-cpu-demo-ctr
    image: nginx
    resources:
      limits:
        memory: "800Mi"
        cpu: "800m"
      requests:
        memory: "600Mi"
        cpu: "400m"
Create pod
[root@k8s-master ~]# kubectl apply -f quota-mem-cpu-pod.yaml --namespace=quota-mem-cpu-example
View pods created in the specified namespace
[root@k8s-master ~]# kubectl get pod --namespace=quota-mem-cpu-example
NAME READY STATUS RESTARTS AGE
quota-mem-cpu-demo 1/1 Running 0 70s
6. After creating the pod, view the resource quota object again
[root@k8s-master ~]# kubectl get resourcequota mem-cpu-demo --namespace=quota-mem-cpu-example --output=yaml
After creating the pod, I found that the corresponding CPU and memory have been used.
7. Try to create a second pod
Edit yaml file
[root@k8s-master ~]# vim quota-mem-cpu-pod-2.yaml
apiVersion: v1
kind: Pod
metadata:
  name: quota-mem-cpu-demo-2
spec:
  containers:
  - name: quota-mem-cpu-demo-2-ctr
    image: redis
    resources:
      limits:
        memory: "1Gi"
        cpu: "800m"
      requests:
        memory: "700Mi"
        cpu: "400m"
Create pod
[root@k8s-master ~]# kubectl apply -f quota-mem-cpu-pod-2.yaml --namespace=quota-mem-cpu-example
Error from server (Forbidden): error when creating "quota-mem-cpu-pod-2.yaml": pods "quota-mem-cpu-demo-2" is forbidden: exceeded quota: mem-cpu-demo, requested: requests.memory=700Mi, used: requests.memory=600Mi, limited: requests.memory=1Gi
In the manifest, you can see that the Pod's memory request is 700 MiB. Note that the new memory request plus the memory requests already in use exceeds the memory request quota: 600 MiB + 700 MiB > 1 GiB.
The second Pod therefore cannot be created. The output shows that creating a second Pod would cause the total memory requests to exceed the memory request quota.
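To make the admission decision behind step 7 concrete, the following Python script (an added example, not code from the tutorial or from Kubernetes itself) replays the quota accounting on the two pod manifests above: it parses Kubernetes quantity strings ("400m", "600Mi", "1Gi") into milli-units, sums the requests and limits of every container in a pod, and applies the two rules listed in step 4, namely that every container must declare each compute resource the quota constrains and that the namespace totals may not exceed spec.hard. The quota and the pods are written out inline as dicts with the page's values. The function names (parse_quantity, admit, run_tutorial), the "must specify" wording and the restriction to the four compute resources are my own assumptions; only the "exceeded quota" message is shaped after the error shown above.

```python
import re

# Kubernetes quantity suffixes as multipliers of one unit; 'm' (milli) is handled separately.
_SUFFIXES = {
    "": 1, "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
    "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40,
}
_QUANTITY_RE = re.compile(r"^(\d+)(Ki|Mi|Gi|Ti|m|k|M|G|T)?$")
# Compute resources a ResourceQuota can constrain; once constrained, every container must declare them.
COMPUTE_RESOURCES = ("requests.cpu", "requests.memory", "limits.cpu", "limits.memory")


def parse_quantity(text):
    """Convert a quantity string ('400m', '600Mi', '1', '2Gi') to an int of milli-units,
    so CPU and memory can be summed and compared with the same integer arithmetic."""
    match = _QUANTITY_RE.match(str(text))
    if not match:
        raise ValueError(f"unsupported quantity: {text!r}")
    number, suffix = int(match.group(1)), match.group(2) or ""
    return number if suffix == "m" else number * _SUFFIXES[suffix] * 1000


def format_quantity(millis):
    """Render milli-units back to the shortest whole-number form ('600Mi', '800m', '1')."""
    if millis % 1000:
        return f"{millis}m"
    units = millis // 1000
    for suffix in ("Gi", "Mi", "Ki"):
        if units and units % _SUFFIXES[suffix] == 0:
            return f"{units // _SUFFIXES[suffix]}{suffix}"
    return str(units)


def container_usage(container):
    """Requests/limits of one container, keyed like ResourceQuota ('requests.cpu', ...)."""
    usage = {}
    for section in ("requests", "limits"):
        for name, value in container.get("resources", {}).get(section, {}).items():
            usage[f"{section}.{name}"] = parse_quantity(value)
    return usage


def admit(quota, used, pod):
    """Replay the quota admission decision for one pod (modelled, not the apiserver's code).
    used: current namespace usage in milli-units. Returns (allowed, message, new_used);
    on rejection 'used' is returned unchanged because nothing is charged to the quota."""
    quota_name = quota["metadata"]["name"]
    hard = {k: parse_quantity(v) for k, v in quota["spec"]["hard"].items()}
    pod_name = pod["metadata"]["name"]
    totals = {}
    # Rule 1: every container must declare each compute resource the quota constrains.
    for container in pod["spec"]["containers"]:
        declared = container_usage(container)
        missing = sorted(k for k in hard if k in COMPUTE_RESOURCES and k not in declared)
        if missing:
            return False, (f'pods "{pod_name}" is forbidden: failed quota: {quota_name}: '
                           f"must specify {', '.join(missing)}"), used
        for key, value in declared.items():
            totals[key] = totals.get(key, 0) + value
    # Rule 2: used + requested may not exceed spec.hard for any constrained resource.
    exceeded = [k for k in sorted(hard) if used.get(k, 0) + totals.get(k, 0) > hard[k]]
    if exceeded:
        message = (f'pods "{pod_name}" is forbidden: exceeded quota: {quota_name}, requested: '
                   + ", ".join(f"{k}={format_quantity(totals.get(k, 0))}" for k in exceeded)
                   + ", used: " + ", ".join(f"{k}={format_quantity(used.get(k, 0))}" for k in exceeded)
                   + ", limited: " + ", ".join(f"{k}={format_quantity(hard[k])}" for k in exceeded))
        return False, message, used
    new_used = dict(used)
    for key, value in totals.items():
        new_used[key] = new_used.get(key, 0) + value
    return True, f'pod "{pod_name}" admitted', new_used


# The quota and the two pod manifests from the tutorial, as dicts (same values as the YAML above).
QUOTA = {"metadata": {"name": "mem-cpu-demo"},
         "spec": {"hard": {"requests.cpu": "1", "requests.memory": "1Gi",
                           "limits.cpu": "2", "limits.memory": "2Gi"}}}


def make_pod(name, image, requests, limits):
    return {"metadata": {"name": name},
            "spec": {"containers": [{"name": f"{name}-ctr", "image": image,
                                     "resources": {"requests": requests, "limits": limits}}]}}


POD_1 = make_pod("quota-mem-cpu-demo", "nginx",
                 {"memory": "600Mi", "cpu": "400m"}, {"memory": "800Mi", "cpu": "800m"})
POD_2 = make_pod("quota-mem-cpu-demo-2", "redis",
                 {"memory": "700Mi", "cpu": "400m"}, {"memory": "1Gi", "cpu": "800m"})


def run_tutorial(pods=(POD_1, POD_2)):
    """Replay steps 5 and 7 in order; returns ([(allowed, message), ...], final usage)."""
    used, results = {}, []
    for pod in pods:
        allowed, message, used = admit(QUOTA, used, pod)
        results.append((allowed, message))
    return results, used


if __name__ == "__main__":
    results, used = run_tutorial()
    for allowed, message in results:
        print("ALLOWED  " if allowed else "FORBIDDEN", message)
    print("namespace usage:", {k: format_quantity(v) for k, v in sorted(used.items())})
```

Running the script admits the nginx pod and rejects the redis pod with the same "requested / used / limited" triple the apiserver printed, because 600Mi + 700Mi of memory requests exceed the 1Gi hard limit while every other total still fits. A pod with no resources block at all is rejected under rule 1, which is why a LimitRange that injects default requests and limits is usually paired with a quota in practice.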