Namespaces allow you to divide resources in the same cluster into different workspaces. This allows you to isolate resources and manage quotas, permissions, and ledgers. This reduces the costs of managing and maintaining Container Service for Kubernetes (ACK) clusters in multi-tenant scenarios.
Namespaces
In an ACK cluster, you can use namespaces as a mechanism to divide resources in the same cluster into isolated groups. If multiple users share a cluster, you can create namespaces to classify cluster resources that are used to complete different tasks and use resource quotas to limit and manage resource allocation in the namespaces.
By default, pods that are in the running state can consume the CPU and memory resources of nodes without limit. In this case, pods in a namespace may exhaust the resources of the cluster. You can configure multiple resource quotas for a namespace, including CPU, memory, and pod quotas.
Create a namespace
Use the ACK console
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, click Namespaces and Quotas.
Click Create. In the dialog box that appears, configure the name and label of the namespace and click OK.
Use kubectl
Create a namespace.
kubectl create namespace test
Verify that the namespace is created.
kubectl get namespaces
Expected output:
NAME              STATUS   AGE
default           Active   46h
kube-node-lease   Active   46h
kube-public       Active   46h
kube-system       Active   46h
test              Active   9s
The command output indicates that the new namespace named test is in the list.
After you create a namespace, you can modify its configuration: for example, modify labels, set resource quotas and limits, delete the namespace, and perform other operations.
Configure resource quotas and limits
After you create a namespace, you can configure a quota and a limit range to control the resource usage and overheads of pods in the namespace.
On the Namespace page, click Resource Quotas and Limits in the Actions column of the namespace that you want to manage.
In the Resource Quotas and Limits dialog box, configure the resource quotas and the default resource limits.
For more information about how to configure resource quotas and limits, see Resource Quotas and Configure Default Memory Requests and Limits for a Namespace.
Note: After you configure CPU and memory quotas for a namespace, you must specify CPU and memory limits when you create a pod. You can also configure the default resource limits for all containers in the namespace.
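The CPU, memory, and pod quotas and the default container limits described above, written as manifests for the test namespace. This is an added example, not taken from the ACK documentation; the object names and all quantities are constructed for illustration.

```yaml
# Added example: names and quantities are constructed, size them for your tenants.
# ResourceQuota caps the aggregate consumption of all pods in the namespace,
# so one tenant cannot exhaust the CPU and memory of the shared cluster.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: test-quota            # hypothetical name
  namespace: test
spec:
  hard:
    requests.cpu: "4"         # sum of CPU requests across all pods
    requests.memory: 8Gi      # sum of memory requests across all pods
    limits.cpu: "8"           # sum of CPU limits across all pods
    limits.memory: 16Gi       # sum of memory limits across all pods
    pods: "20"                # maximum number of pods in the namespace
---
# Once the quota above is in place, a pod that declares no CPU or memory
# requests and limits is rejected at admission. The LimitRange supplies
# defaults so such pods are still admitted, and bounds any single container.
apiVersion: v1
kind: LimitRange
metadata:
  name: test-defaults         # hypothetical name
  namespace: test
spec:
  limits:
  - type: Container
    defaultRequest:           # applied when a container sets no request
      cpu: 250m
      memory: 256Mi
    default:                  # applied when a container sets no limit
      cpu: 500m
      memory: 512Mi
    max:                      # largest limit a single container may declare
      cpu: "2"
      memory: 2Gi
```

Apply the file with kubectl apply -f, then run kubectl describe resourcequota -n test to compare used and hard values before you admit workloads.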
Suggestions for modifying the resource quotas of a namespace
We recommend that you perform modifications during off-peak hours. Check the resource usage of existing workloads before the operation.
Make sure that sufficient resources are reserved to support HPA auto scaling.
We recommend that you monitor the system for at least 30 minutes after the adjustment to ensure that HPA runs as expected.
Delete a namespace
Built-in namespaces cannot be deleted.
To enable deletion protection for a namespace, choose
> Disable Deletion Protection in the Actions column.
When you delete a namespace, make sure that the resources in the namespace are cleared. If the namespace is in the Terminating status for a long period of time, you can forcibly delete the namespace. For more information, see What do I do if the namespace is in the Terminating status?
Use the ACK console
On the Namespace page, find the namespace that you want to delete and click
> Delete in the Actions column.
In the Confirm dialog box, confirm the associated resources in the namespace and click Confirm Deletion.
Use kubectl
Run the following command to delete a namespace:
kubectl delete namespace test
FAQ
What do I do if the namespace is in the Terminating status?
When you delete a namespace that still contains resources, the namespace may remain in the Terminating status for a long period of time. You can clear the finalizers field of the namespace to end this status quickly. This operation may cause the resources of the namespace to remain in the cluster. We recommend that you clean up the resources in the namespace before the operation.
When the array of the finalizers field is empty and the status is Terminating, Kubernetes automatically deletes the namespace. You can use one of the following methods to forcibly delete a namespace:
Open a shell terminal. Run the following command to create a reverse proxy for your Kubernetes cluster:
kubectl proxy
Sample command output:
Starting to serve on 127.0.0.1:8001
Open a new shell terminal. Define environment variables to connect to the Kubernetes cluster. Then, run the curl command to check the connectivity and authorization.
export TOKEN=$(kubectl describe secret $(kubectl get secrets | grep default | cut -f1 -d ' ') | grep -E '^token' | cut -f2 -d':' | tr -d '\t')
curl http://localhost:8001/api/v1/namespaces --header "Authorization: Bearer $TOKEN" --insecure
Query the configuration of a namespace. In this example, istio-system is used.
kubectl get namespace istio-system -o json > istio-system.json
Clear the array of the finalizers field and save the configuration.
"spec": {
  "finalizers": [
  ]
},
Remove the finalizers field. In this example, the istio-system namespace is used.
curl -X PUT --data-binary @istio-system.json http://localhost:8001/api/v1/namespaces/istio-system/finalize -H "Content-Type: application/json" --header "Authorization: Bearer $TOKEN" --insecure
References
For more information about cluster quotas and limits, such as cloud service and cluster configuration limits, individual cluster capacity limits, cluster quotas, and dependent cloud service quotas, see Quotas and limits.
For more information about how to configure quotas for a namespace, see Configure Quotas for API Objects.
You can use a Resource Access Management (RAM) user or a RAM role in combination with role-based access control (RBAC) permissions to implement fine-grained permission management for clusters or namespaces. For more information, see Use RAM to authorize access to clusters and cloud resources and Use RBAC to manage the operation permissions on resources in a cluster.