We are going to provide customers a function by deploying and running a container in the customer's Kubernetes environment. After the job is done, we will clean up the container. Currently, the plan is to use the k8s default namespace, but I'm not sure whether it can be a concern for customers. I don't have much experience in the k8s-related field. Should we give customers an option to specify a namespace to run the container, or just use the default namespace? I appreciate your suggestions!
I would recommend you not use (!?) the default namespace for anything ever.
The following is more visceral than objective but it's drawn from many years' experience of Kubernetes. In 2016, a now former colleague and I blogged about the use of namespaces:
https://kubernetes.io/blog/2016/08/kubernetes-namespaces-use-cases-insights/
NB since then, RBAC was added and it permits enforcing separation, securely.
Although it exists as a named (`default`) namespace, it behaves as if there is (the cluster has) no namespace. It may be (!?) that it was retcon'd into Kubernetes after namespaces were added.
Unless your context is defined to be a specific other namespace, `kubectl ...` behaves as `kubectl ... --namespace=default`. So, by accident it's easy to pollute and be impacted by pollution in this namespace. I'm sure your team will use code for your infrastructure but mistakes happen and "I forgot to specify the namespace" is easily done (and rarely wanted).
Using non-default namespaces becomes very intentional, explicit and, I think, precise. You must, for example (per @david-maze's answer), be more intentional about RBAC for the namespace's resources.
Using namespaces is a mechanism that promotes multi-tenancy which is desired for separation of customers (business units, versions etc.)
You can't delete the default namespace but you can delete (and by consequence delete all the resources constrained by) any non-default namespace.
I'll think of more, I'm sure!
`namespace` in specs but use e.g. `kubectl apply --filename=x.yaml --namespace=${NAMESPACE}`
I'd consider the namespace name pretty much a required option. I would default to the namespace name specified in the `.kube/config` file, if that's at all a choice for you. (That may not be `default`.)
RBAC rules or organizational policies also might mean the `default` namespace can't or shouldn't be used. One of the clusters I work with is a shared cluster where each user has their own namespace, enforced by RBAC policies; except for cluster admins, nobody gets to use `default`, and everybody needs to be able to configure the namespace to run in their own.
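An added example (not code from either answer) of how an installer script could combine both answers: take the namespace as an option, fall back to the namespace of the current kubeconfig context, and never land in `default` by omission. The function names and the refuse-implicit-`default` policy are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical.

# Namespace of the current kubeconfig context (empty when the context sets none).
context_namespace() {
  kubectl config view --minify --output 'jsonpath={..namespace}' 2>/dev/null || true
}

# Namespace names are RFC 1123 labels: lowercase alphanumerics and '-',
# starting and ending with an alphanumeric, at most 63 characters.
# Rejecting a leading '-' also keeps the value from being read as a kubectl flag.
valid_namespace() (
  LC_ALL=C
  case "$1" in
    ''|-*|*-|*[!a-z0-9-]*) exit 1 ;;
  esac
  [ "${#1}" -le 63 ]
)

# Usage: resolve_namespace [explicit-namespace]
# Prints the namespace to use. Fails instead of silently using "default".
resolve_namespace() {
  local explicit="${1:-}" ns
  ns="$explicit"
  if [ -z "$ns" ]; then ns="$(context_namespace)"; fi
  if [ -z "$ns" ]; then
    echo "no namespace given and none set in the kubeconfig context" >&2; return 1
  fi
  if ! valid_namespace "$ns"; then
    echo "invalid namespace name: $ns" >&2; return 1
  fi
  # Assumed policy: "default" is allowed only when the operator asked for it by name.
  if [ "$ns" = "default" ] && [ -z "$explicit" ]; then
    echo "refusing to use 'default' implicitly; pass it explicitly" >&2; return 1
  fi
  printf '%s\n' "$ns"
}

# Usage: run_job <manifest.yaml> [namespace]; cleanup_job takes the same arguments.
run_job() {
  local ns; ns="$(resolve_namespace "${2:-}")" || return 1
  kubectl apply --filename="$1" --namespace="$ns"
}
cleanup_job() {
  local ns; ns="$(resolve_namespace "${2:-}")" || return 1
  kubectl delete --filename="$1" --namespace="$ns"
}
```

The manifest itself carries no `namespace` field, so the same file can be applied to whichever namespace the customer's RBAC rules allow.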