Kubernetes Namespaces and Resource Quotas
Kubernetes clusters often host multiple teams, projects, or environments. To organize and isolate workloads, Kubernetes provides Namespaces. Namespaces allow logical separation of resources, while Resource Quotas ensure fair usage of cluster resources. Together, they enable multi-tenancy, governance, and efficient resource management.
Namespaces
A Namespace is a virtual cluster within a Kubernetes cluster. It provides a scope for names: the names of resources like Pods, Services, and ConfigMaps must be unique within their namespace, but the same name can be reused in different namespaces.
Key Features
- Isolation: Separate environments for dev, test, and prod.
- Organization: Group resources logically by team or project.
- Access Control: Apply RBAC policies at the namespace level.
- Resource Management: Combine with quotas to prevent resource hogging.
YAML Example: Namespace
apiVersion: v1
kind: Namespace
metadata:
  name: dev-team
Explanation: This creates a namespace called dev-team for development workloads.
Resource Quotas
Resource Quotas limit the total amount of resources that can be consumed in a namespace. They prevent one team or application from exhausting cluster resources.
YAML Example: Resource Quota
apiVersion: v1
kind: ResourceQuota
metadata:
  name: dev-quota
  namespace: dev-team
spec:
  hard:
    requests.cpu: "2"
    requests.memory: 4Gi
    limits.cpu: "4"
    limits.memory: 8Gi
    pods: "10"
Explanation: This quota restricts the dev-team namespace to 10 Pods, 2 CPUs requested, and 4Gi memory requested, with maximum limits of 4 CPUs and 8Gi memory.
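The following Python sketch is an added example, not part of the original page or of Kubernetes itself: it models how the dev-quota values above are evaluated when Pods are created, including Kubernetes quantity parsing ("500m", "4Gi"). The function names, reason strings, and sample Pods are constructed for illustration, and the model handles only the five keys in dev-quota, ignoring init containers and LimitRange defaults.

```python
# Added example: simplified model of the ResourceQuota check at Pod creation.
# Function names and sample Pods are constructed; only dev-quota is from the page.
SUFFIX = {"Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40,
          "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12}
TRACKED = ("requests.cpu", "requests.memory", "limits.cpu", "limits.memory")
DEV_QUOTA = {"requests.cpu": "2", "requests.memory": "4Gi",
             "limits.cpu": "4", "limits.memory": "8Gi", "pods": "10"}

def parse_quantity(q, cpu=False):
    """Kubernetes quantity -> integer millicores (CPU) or bytes/count."""
    q = str(q)
    if cpu:
        return int(q[:-1]) if q.endswith("m") else round(float(q) * 1000)
    for suffix, factor in SUFFIX.items():  # binary suffixes are tried first
        if q.endswith(suffix):
            return round(float(q[:-len(suffix)]) * factor)
    return int(q)

def pod_usage(pod):
    """Sum each tracked resource over containers; None if any container omits it."""
    usage = {"pods": 1}
    for key in TRACKED:
        kind, res = key.split(".")
        vals = [c.get(kind, {}).get(res) for c in pod["containers"]]
        usage[key] = (None if None in vals
                      else sum(parse_quantity(v, res == "cpu") for v in vals))
    return usage

def admit(pod, quota, used):
    """Return (allowed, reason); `used` is updated only when the Pod is admitted."""
    new = pod_usage(pod)
    for key, hard in quota.items():
        if new[key] is None:  # quota tracks a resource the Pod does not declare
            return False, f"must specify {key}"
        if used.get(key, 0) + new[key] > parse_quantity(hard, key.endswith("cpu")):
            return False, f"exceeded quota: {key}"
    for key in quota:
        used[key] = used.get(key, 0) + new[key]
    return True, "admitted"

def demo():
    """Five identical Pods, then one with no requests/limits, against dev-quota."""
    used = {}
    web = {"containers": [{"requests": {"cpu": "500m", "memory": "1Gi"},
                           "limits": {"cpu": "1", "memory": "2Gi"}}]}
    bare = {"containers": [{}]}
    results = [admit(web, DEV_QUOTA, used) for _ in range(5)]
    results.append(admit(bare, DEV_QUOTA, used))
    return results, used
```

Calling demo() shows the compute quotas filling up after four Pods even though the Pod count allows ten, and the Pod that declares no requests or limits being refused outright. The second case is why a namespace with a compute quota usually also needs LimitRange defaults.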
Flowchart: Namespace and Quota Workflow
Cluster ---> Multiple Namespaces ---> Each namespace has quotas
|
v
Teams deploy workloads ---> Scheduler enforces quotas ---> Fair resource usage
Real-World Example
In a large enterprise:
- Namespaces: Separate environments for HR, Finance, and Engineering teams.
- Resource Quotas: HR namespace limited to 2 CPUs and 4Gi memory, while Engineering gets higher quotas for compute-heavy workloads.
- Outcome: Prevents one department from consuming all cluster resources.
Common Mistakes
- Not using namespaces, leading to cluttered resource management.
- Applying quotas too strictly, preventing workloads from scaling.
- Ignoring monitoring, causing teams to hit quotas unexpectedly.
- Confusing namespace isolation with network isolation: namespaces alone do not restrict traffic between Pods, which requires NetworkPolicies.
Interview Notes
Q1: What is the purpose of namespaces?
Answer: Namespaces organize and isolate resources within a cluster, enabling multi-tenancy and logical separation.
Q2: How do Resource Quotas work?
Answer: Resource Quotas enforce limits on CPU, memory, and object counts within a namespace to ensure fair usage.
Q3: Can namespaces provide complete isolation?
Answer: Namespaces provide logical isolation, but network isolation requires NetworkPolicies.
Q4: Example Interview Task
apiVersion: v1
kind: ResourceQuota
metadata:
  name: prod-quota
  namespace: production
spec:
  hard:
    requests.cpu: "10"
    requests.memory: 20Gi
    pods: "50"
Explanation: This quota ensures the production namespace can run up to 50 Pods with 10 CPUs and 20Gi memory requested.
Advanced Notes
- LimitRanges: Define default requests and limits for containers in a namespace.
- Cluster Resource Quotas: In multi-cluster setups, quotas can be applied across clusters.
- Best Practices: Use namespaces for logical separation, apply quotas for governance, and monitor usage with metrics.
- Integration: Combine with RBAC and NetworkPolicies for complete multi-tenancy control.
Summary
Kubernetes Namespaces and Resource Quotas provide structure and governance in multi-tenant clusters. Namespaces organize workloads, while quotas enforce fair resource usage. Together, they prevent resource contention, improve scalability, and support enterprise-grade deployments. Mastering these concepts is crucial for production environments and interview preparation.