Certified Kubernetes Administrator - Namespace


Introduction to Namespaces

Linux  namespaces allow for the isolation of global system resources between processes. The following table shows the namespace types available on Linux with their isolations.

Cgroup Cgroup root directory
IPC System V IPC, POSIX message queues
Network Network devices, stacks, ports, etc.
Mount Mount points
PID Process IDs
User User and group IDs
UTS Hostname and NIS domain name

Changes to the global resource are visible only the process that member of the namespace, but are invisible to the others. Each process running on the Linux machine has a PID that assigned to a namespace. The  PID on the same namespace can have access to others. This concept is the fundamental technology behind container implementations and describes why any process running in a container cannot access other processes information in spite of running at the same host.

Namespace doesn't restrict access to physical resources like CPU, memory, disk. These types of resources are restricted by a feature called Cgroups on Linux kernel. You can read more about Cgroups from RedHat documentation.  I want to show a use case of the namespace on the Linux server. "unshare" command allows to run commands with a namespace that restrict parent process access. 

Isolate Application by Setting  Linux Namespace

Step 1: Use the unshare command and run "bash"

# unshare -m /bin/bash
# secret_dir=`mktemp -d --tmpdir=/tmp`
# echo $secret_dir
/tmp/tmp.SpfZ93Jf56
# mount -n -o size=1m -t tmpfs tmpfs $secret_dir
# df -hT
Filesystem     Type      Size  Used Avail Use% Mounted on
tmpfs          tmpfs     1,0M     0  1,0M   0% /tmp/tmp.SpfZ93Jf56
# cd /tmp/tmp.SpfZ93Jf56/
# touch filehidden1
# touch filehidden2
# ls  -lrt
total 0
-rw-r--r-- 1 root root 0 Oca  4 13:11 filehidden1
-rw-r--r-- 1 root root 0 Oca  4 13:11 filehidden2

 

Step 2: Open another terminal-session that check if these files exist.

We have restricted to these files with a namespace that the parent process has no access.

# df -h   /tmp/tmp.SpfZ93Jf56/
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda5        62G   12G   47G  21% /
# whoami 
root
# cd  /tmp/tmp.SpfZ93Jf56/
# pwd
/tmp/tmp.SpfZ93Jf56
# ls  -lrt
total 0

Kubernetes Namespace

For Kubernetes(K8s), namespaces are a way to divide cluster resources between multiple users. Kubernetes uses namespaces to help address the complexity of organizing objects within a cluster. You can group objects to manage and filter with the namespace. This feature makes easy to apply policies to a specific part of your cluster.

View Existing Namespaces

To display all namespaces existing on a cluster, use the command:

#kubectl  get  namespaces
NAME                   STATUS   AGE
default                Active   2m11s
kube-node-lease        Active   2m12s
kube-public            Active   2m12s
kube-system            Active   2m12s
kubernetes-dashboard   Active   2m

If you need more information about a specific namespace, then use the command:

#kubectl  describe  namespace  kube-system
Name:         kube-system
Labels:       <none>
Annotations:  <none>
Status:       Active

No resource quota.

No LimitRange resource.

Create Namespaces

To create a new namespace from the command  line:

#kubectl  create namespace  casesup
namespace/casesup created
#kubectl  get  namespace
NAME                   STATUS   AGE
casesup                Active   4s
default                Active   6m17s
kube-node-lease        Active   6m18s
kube-public            Active   6m18s
kube-system            Active   6m18s
kubernetes-dashboard   Active   6m6s

Also, it's possible to create namespace from YAML file. Easy way to create a namespace from YAML file, first export any existing namespace to a file then change it as you wish.

#kubectl  get namespace  casesup -o yaml >  /tmp/test.yaml
#cat /tmp/test.yaml
apiVersion: v1
kind: Namespace
metadata:
  creationTimestamp: "2020-01-04T10:46:10Z"
  name: casesup
  resourceVersion: "1274"
  selfLink: /api/v1/namespaces/casesup
  uid: d2f1383a-c2d2-4aee-a076-31555e5925d1
spec:
  finalizers:
  - kubernetes
status:
  phase: Active
#vi   /tmp/test.yaml
--remove spesific id and replace names.
#cat /tmp/test.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: casesupclone

#kubectl  create  -f  /tmp/test.yaml
namespace/casesupclone created
#kubectl  get  namespaces
NAME                   STATUS   AGE
casesup                Active   5m29s
casesupclone           Active   5s
default                Active   11m
kube-node-lease        Active   11m
kube-public            Active   11m
kube-system            Active   11m
kubernetes-dashboard   Active   11m

Selecting Namespaces from the command  line

If you run a command without specifying a namespace, it will be run at default namespace. To apply an action for the specific namespace, we should use "-n" or "--namespace" option or you need to define a namespace in YAML file. I added a basic example of Nginx POD. You can use "--dry-run" and  "-o yaml"  option to perform a test scenario without creating a deployment.  If you want to create deployment then remove  --dry-run and  -o yaml options.  

#kubectl create deployment --image nginx nginx   --namespace=casesup --dry-run  -o yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: nginx
  name: nginx
  namespace: casesup
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: nginx
    spec:
      containers:
      - image: nginx
        name: nginx
        resources: {}
status: {}
#kubectl create deployment --image nginx nginx   --namespace=casesup
deployment.apps/nginx created

#kubectl  get  deployment
No resources found in default namespace.

#kubectl  get  pod -n casesup
NAME                     READY   STATUS    RESTARTS   AGE
nginx-86c57db685-m652f   1/1     Running   0          39s

#kubectl  get  deployment -n casesup
NAME    READY   UP-TO-DATE   AVAILABLE   AGE
nginx   1/1     1            1           46s

Selecting Namespaces by changing Context

#kubectl config get-contexts
CURRENT   NAME       CLUSTER    AUTHINFO   NAMESPACE
*         minikube   minikube   minikube

#kubectl  config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /root/.minikube/ca.crt
    server: https://172.17.0.8:8443
  name: minikube
contexts:
- context:
    cluster: minikube
    user: minikube
  name: minikube
current-context: minikube
kind: Config
preferences: {}
users:
- name: minikube
  user:
    client-certificate: /root/.minikube/client.crt
    client-key: /root/.minikube/client.key

The above command sets indicate that there is only one context that hasn't any namespace attribute. So, default namespace applies when you run a command. Let's try to change it.

#kubectl config set-context $(kubectl config current-context) --namespace=casesup
Context "minikube" modified.

#kubectl  config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /root/.minikube/ca.crt
    server: https://172.17.0.8:8443
  name: minikube
contexts:
- context:
    cluster: minikube
    namespace: casesup
    user: minikube
  name: minikube
current-context: minikube
kind: Config
preferences: {}
users:
- name: minikube
  user:
    client-certificate: /root/.minikube/client.crt
    client-key: /root/.minikube/client.key

 

Time to test your skills. Use  Katacoda and find out the answers.

Question 1:  How to list all namespaces?

#kubectl  get  namespaces
NAME                   STATUS   AGE
default                Active   28s
kube-node-lease        Active   31s
kube-public            Active   31s
kube-system            Active   31s
kubernetes-dashboard   Active   14s

Question 2:  How to list pods for kube-system namespace?

#kubectl  get  pods  -n kube-system
NAME                               READY   STATUS    RESTARTS   AGE
coredns-6955765f44-d276m           1/1     Running   0          5m1s
coredns-6955765f44-jtzlk           1/1     Running   0          5m1s
etcd-minikube                      1/1     Running   0          5m2s
kube-addon-manager-minikube        1/1     Running   0          5m1s
kube-apiserver-minikube            1/1     Running   0          5m2s
kube-controller-manager-minikube   1/1     Running   0          5m1s
kube-proxy-pdrhh                   1/1     Running   0          5m
kube-scheduler-minikube            1/1     Running   0          5m1s
storage-provisioner                1/1     Running   0          4m54s

Question 3: How to list all pods?

#kubectl  get  pods  --all-namespaces
NAMESPACE              NAME                                         READY   STATUS    RESTARTS   AGE
kube-system            coredns-6955765f44-d276m                     1/1     Running   0          3m54s
kube-system            coredns-6955765f44-jtzlk                     1/1     Running   0          3m54s
kube-system            etcd-minikube                                1/1     Running   0          3m55s
kube-system            kube-addon-manager-minikube                  1/1     Running   0          3m54s
kube-system            kube-apiserver-minikube                      1/1     Running   0          3m55s
kube-system            kube-controller-manager-minikube             1/1     Running   0          3m54s
kube-system            kube-proxy-pdrhh                             1/1     Running   0          3m53s
kube-system            kube-scheduler-minikube                      1/1     Running   0          3m54s
kube-system            storage-provisioner                          1/1     Running   0          3m47s
kubernetes-dashboard   dashboard-metrics-scraper-7b64584c5c-8xlfq   1/1     Running   0          3m44s
kubernetes-dashboard   kubernetes-dashboard-79d9cd965-k2p6l         1/1     Running   0          3m44s

Question 4: Create a namespace called casesup?

#kubectl  create namespace casesup
namespace/casesup created

Question 5: Use casesup namespace and create Nginx Deployment.(Ex. #kubectl create deployment)

#kubectl create deployment --image nginx nginx   --namespace=casesup
deployment.apps/nginx created
#kubectl  get deployment  -n casesup
NAME    READY   UP-TO-DATE   AVAILABLE   AGE
nginx   0/1     1            0           8s

Question 6: How to change namespace by setting context? Change namespace to the casesup.

#kubectl config set-context $(kubectl config current-context) --namespace=casesup
Context "minikube" modified.
#kubectl  get  pods
NAME                     READY   STATUS    RESTARTS   AGE
nginx-86c57db685-lkfzg   1/1     Running   0          3m46s

Question 7: How to delete namespace named casesup?"

#kubectl  delete namespace  casesup
namespace "casesup" deleted
#kubectl  get  namespaces
NAME                   STATUS   AGE
default                Active   28m
kube-node-lease        Active   28m
kube-public            Active   28m
kube-system            Active   28m
kubernetes-dashboard   Active   28m

I'm a IT Infrastructure and Operations Architect with extensive experience and administration skills and works for Turk Telekom. I provide hardware and software support for the IT Infrastructure and Operations tasks.

204 Total Posts
Follow Me

Related Post

0 Comments

Leave a Reply