All Products
Search
Document Center

Container Service for Kubernetes:Manage namespaces and resource quotas

Last Updated:Mar 18, 2025

Namespaces allow you to divide resources in the same cluster into different workspaces. This allows you to isolate resources and manage quotas, permissions, and ledgers. This reduces the costs of managing and maintaining Container Service for Kubernetes (ACK) clusters in multi-tenant scenarios.

Namespaces

In an ACK cluster, you can use namespaces as a mechanism to divide resources in the same cluster into isolated groups. If multiple users share a cluster, you can create namespaces to classify cluster resources that are used to complete different tasks and use resource quotas to limit and manage resource allocation in the namespaces.

By default, pods that are in the running state can consume the CPU and memory resources of nodes without limit. In this case, pods in a namespace may exhaust the resources of the cluster. You can configure multiple resource quotas for a namespace, including CPU, memory, and pod quotas.

Create a namespace

Use the ACK console

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, click Namespaces and Quotas.

  3. Click Create. In the dialog box that appears, configure the name and label of the namespace and click OK.

Use kubectl

  1. Create a namespace.

    kubectl create namespace  test
  2. Verify that the namespace is created.

    kubectl get namespaces

    Expected output:

    NAME              STATUS   AGE
    default           Active   46h
    kube-node-lease   Active   46h
    kube-public       Active   46h
    kube-system       Active   46h
    test              Active   9s

    The command output indicates that the new namespace named test is in the list.

After you create a namespace, you can modify the configuration of the namespace, such as modify labels, set resource quotas and limits, delete the namespace, and perform other operations.

Configure resource quotas and limits

After you create a namespace, you can configure a quota and a limit range to control the resource usage and overheads of pods in the namespace.

  1. On the Namespace page, click Resource Quotas and Limits in the Actions column of the namespace that you want to manage.

  2. In the Resource Quotas and Limits dialog box, configure the resource quotas and the default resource limits.

    For more information about how to configure resource quotas and limits, see Resource Quotas and Configure Default Memory Requests and Limits for a Namespace.

    Note

    After you configure CPU and memory quotas for a namespace, you must specify CPU and memory limits when you create a pod. You can also configure the default resource limits for all containers in the namespace.

Suggestions for modifying the resource quotas of a namespace

  • We recommend that you perform modifications during off-peak hours. Check the resource usage of existing workloads before the operation.

  • Make sure that sufficient resources are reserved to support HPA auto scaling.

  • We recommend that you monitor the system for at least 30 minutes after the adjustment to ensure that HPA runs as expected.

Delete a namespace

Note
  • Built-in namespaces cannot be deleted.

  • To enable deletion protection for a namespace, choose image > Disable Deletion Protection in the Actions column.

  • When you delete a namespace, make sure that the resources in the namespace are cleared. If the namespace is in the Terminating status for a long period of time, you can forcibly delete the namespace. For more information, see What do I do if the namespace is in the Terminating status?

Use the ACK console

  1. On the Namespace page, find the namespace that you want to delete and click image > Delete in the Actions column.

  2. In the Confirm dialog box, confirm the associated resources in the namespace and click Confirm Deletion.

Use kubectl

Run the following command to delete a namespace:

kubectl delete namespace test

FAQ

What do I do if the namespace is in the Terminating status?

When you delete a namespace that has resources, the delete operation remains in the Terminating status for a long period of time. You can remove the finalizers field of the namespace to quickly terminate this status. This operation may cause the namespace resources to remain in the cluster. We recommend that you clean up the resources in the namespace before the operation.

When the array of the finalizers field is empty and the status is Terminating, Kubernetes automatically deletes the namespace. You can use one of the following methods to forcibly delete a namespace:

  1. Open a shell terminal. Run the following command to create a reverse proxy for your Kubernetes cluster:

    kubectl proxy

    Sample command output:

    Starting to serve on 127.0.0.1:8001
  2. Open a new shell terminal. Define environment variables to connect to the Kubernetes cluster. Then, run the curl command to check the connectivity and authorization.

    export TOKEN=$(kubectl describe secret $(kubectl get secrets | grep default | cut -f1 -d ' ') | grep -E '^token' | cut -f2 -d':' | tr -d '\t')
    curl http://localhost:8001/api/v1/namespaces --header "Authorization: Bearer $TOKEN" --insecure
  3. Query the configuration of a namespace. In this example, istio-system is used.

    kubectl get namespace istio-system -o json > istio-system.json
  4. Clear the array of the finalizers field and save the configuration.

        "spec": {
            "finalizers": [
            ]
        },
  5. Remove the finalizers field. In this example, the istio-system namespace is used.

    curl -X PUT --data-binary @istio-system.json http://localhost:8001/api/v1/namespaces/istio-system/finalize -H "Content-Type: application/json" --header "Authorization: Bearer $TOKEN" --insecure

References