Namespaces
https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
- Namespaces provide a mechanism for isolating groups of resources within a single cluster.
- Names of resources need to be unique within a namespace, but not across namespaces.
- Namespace-based scoping is applicable only for namespaced objects (e.g. Deployments, Services, etc.) and not for cluster-wide objects (e.g. StorageClass, Nodes, PersistentVolumes, etc.).
For a production cluster, consider not using the `default` namespace. Instead, make other namespaces and use those.
Namespaced resources
`kubectl api-resources --namespaced=true`
| NAME | SHORTNAMES | APIVERSION | NAMESPACED | KIND |
|---|---|---|---|---|
| bindings | | v1 | true | Binding |
| configmaps | cm | v1 | true | ConfigMap |
| endpoints | ep | v1 | true | Endpoints |
| events | ev | v1 | true | Event |
| limitranges | limits | v1 | true | LimitRange |
| persistentvolumeclaims | pvc | v1 | true | PersistentVolumeClaim |
| pods | po | v1 | true | Pod |
| podtemplates | | v1 | true | PodTemplate |
| replicationcontrollers | rc | v1 | true | ReplicationController |
| resourcequotas | quota | v1 | true | ResourceQuota |
| secrets | | v1 | true | Secret |
| serviceaccounts | sa | v1 | true | ServiceAccount |
| services | svc | v1 | true | Service |
| controllerrevisions | | apps/v1 | true | ControllerRevision |
| daemonsets | ds | apps/v1 | true | DaemonSet |
| deployments | deploy | apps/v1 | true | Deployment |
| replicasets | rs | apps/v1 | true | ReplicaSet |
| statefulsets | sts | apps/v1 | true | StatefulSet |
| localsubjectaccessreviews | | authorization.k8s.io/v1 | true | LocalSubjectAccessReview |
| horizontalpodautoscalers | hpa | autoscaling/v2 | true | HorizontalPodAutoscaler |
| cronjobs | cj | batch/v1 | true | CronJob |
| jobs | | batch/v1 | true | Job |
| leases | | coordination.k8s.io/v1 | true | Lease |
| endpointslices | | discovery.k8s.io/v1 | true | EndpointSlice |
| events | ev | events.k8s.io/v1 | true | Event |
| ingresses | ing | networking.k8s.io/v1 | true | Ingress |
| networkpolicies | netpol | networking.k8s.io/v1 | true | NetworkPolicy |
| poddisruptionbudgets | pdb | policy/v1 | true | PodDisruptionBudget |
| rolebindings | | rbac.authorization.k8s.io/v1 | true | RoleBinding |
| roles | | rbac.authorization.k8s.io/v1 | true | Role |
| csistoragecapacities | | storage.k8s.io/v1 | true | CSIStorageCapacity |
Non-namespaced resources
`kubectl api-resources --namespaced=false`
| NAME | SHORTNAMES | APIVERSION | NAMESPACED | KIND |
|---|---|---|---|---|
| componentstatuses | cs | v1 | false | ComponentStatus |
| namespaces | ns | v1 | false | Namespace |
| nodes | no | v1 | false | Node |
| persistentvolumes | pv | v1 | false | PersistentVolume |
| mutatingwebhookconfigurations | | admissionregistration.k8s.io/v1 | false | MutatingWebhookConfiguration |
| validatingadmissionpolicies | | admissionregistration.k8s.io/v1 | false | ValidatingAdmissionPolicy |
| validatingadmissionpolicybindings | | admissionregistration.k8s.io/v1 | false | ValidatingAdmissionPolicyBinding |
| validatingwebhookconfigurations | | admissionregistration.k8s.io/v1 | false | ValidatingWebhookConfiguration |
| customresourcedefinitions | crd,crds | apiextensions.k8s.io/v1 | false | CustomResourceDefinition |
| apiservices | | apiregistration.k8s.io/v1 | false | APIService |
| selfsubjectreviews | | authentication.k8s.io/v1 | false | SelfSubjectReview |
| tokenreviews | | authentication.k8s.io/v1 | false | TokenReview |
| selfsubjectaccessreviews | | authorization.k8s.io/v1 | false | SelfSubjectAccessReview |
| selfsubjectrulesreviews | | authorization.k8s.io/v1 | false | SelfSubjectRulesReview |
| subjectaccessreviews | | authorization.k8s.io/v1 | false | SubjectAccessReview |
| certificatesigningrequests | csr | certificates.k8s.io/v1 | false | CertificateSigningRequest |
| flowschemas | | flowcontrol.apiserver.k8s.io/v1 | false | FlowSchema |
| prioritylevelconfigurations | | flowcontrol.apiserver.k8s.io/v1 | false | PriorityLevelConfiguration |
| ingressclasses | | networking.k8s.io/v1 | false | IngressClass |
| runtimeclasses | | node.k8s.io/v1 | false | RuntimeClass |
| clusterrolebindings | | rbac.authorization.k8s.io/v1 | false | ClusterRoleBinding |
| clusterroles | | rbac.authorization.k8s.io/v1 | false | ClusterRole |
| priorityclasses | pc | scheduling.k8s.io/v1 | false | PriorityClass |
| csidrivers | | storage.k8s.io/v1 | false | CSIDriver |
| csinodes | | storage.k8s.io/v1 | false | CSINode |
| storageclasses | sc | storage.k8s.io/v1 | false | StorageClass |
| volumeattachments | | storage.k8s.io/v1 | false | VolumeAttachment |
Gotchas
- Namespaces are intended for use in environments with many users spread across multiple teams, or projects. For clusters with a few to tens of users, you should not need to create or think about namespaces at all. Start using namespaces when you need the features they provide.
- It is not necessary to use multiple namespaces to separate slightly different resources, such as different versions of the same software: use labels to distinguish resources within the same namespace.
- Avoid creating namespaces with the prefix `kube-`, since it is reserved for Kubernetes system namespaces.
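
An added example, not part of the original notes: a small Python check that applies the guidance on this page to manifests before they are applied. The sample manifests are constructed, `CLUSTER_SCOPED` is a subset of the non-namespaced table above, and any kind not in that set is assumed to be namespaced.

```python
import json

# Subset of the cluster-wide kinds listed in the non-namespaced table on this page.
CLUSTER_SCOPED = {"Namespace", "Node", "PersistentVolume", "StorageClass",
                  "ClusterRole", "ClusterRoleBinding", "CustomResourceDefinition",
                  "PriorityClass", "IngressClass", "RuntimeClass"}

def lint(manifests):
    """Return (kind/name, finding) pairs for manifests that go against the notes above."""
    findings = []
    for m in manifests:
        kind = m.get("kind", "")
        meta = m.get("metadata", {})
        name, ns = meta.get("name", ""), meta.get("namespace")
        ref = f"{kind}/{name}"
        if kind == "Namespace":
            if name.startswith("kube-"):
                findings.append((ref, "kube- prefix is reserved for system namespaces"))
        elif kind in CLUSTER_SCOPED:
            if ns:  # namespace scoping does not apply to cluster-wide objects
                findings.append((ref, "cluster-wide kind: metadata.namespace does not scope it"))
        elif ns is None:  # assumed namespaced: falls back to the client's current namespace
            findings.append((ref, "no namespace set: lands in the client's current namespace"))
        elif ns == "default":
            findings.append((ref, "uses the default namespace"))
    return findings

# Constructed sample input (JSON manifests, as kubectl also accepts).
SAMPLE = json.loads("""[
  {"kind": "Deployment",   "metadata": {"name": "web", "namespace": "payments"}},
  {"kind": "Deployment",   "metadata": {"name": "api", "namespace": "default"}},
  {"kind": "ConfigMap",    "metadata": {"name": "settings"}},
  {"kind": "Namespace",    "metadata": {"name": "kube-tools"}},
  {"kind": "Namespace",    "metadata": {"name": "payments"}},
  {"kind": "ClusterRole",  "metadata": {"name": "reader", "namespace": "payments"}},
  {"kind": "StorageClass", "metadata": {"name": "fast"}}
]""")

if __name__ == "__main__":
    for ref, msg in lint(SAMPLE):
        print(f"{ref}: {msg}")
```

For a real cluster, build the kind set from `kubectl api-resources --namespaced=false` rather than the hard-coded subset, since custom resources can be either scope.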