Module 9: Kubernetes Namespaces, Multi-Tenancy & RBAC

DevOpsLaunchpadDevOpsLaunchpad
5 min read

๐Ÿ“– Introduction

So far, weโ€™ve been deploying everything into the default namespace. But in real-world clusters, especially in production, youโ€™ll have multiple teams, environments, and applications sharing the same cluster.

๐Ÿ‘‰ This is where Namespaces come in. They allow you to logically isolate and organize resources inside a Kubernetes cluster.

Think of Namespaces as folders in an operating system โ€” they help keep things organized and prevent conflicts.

๐ŸŒ What is a Namespace?

  • A Namespace is a virtual cluster inside Kubernetes.

  • It lets you group resources (Pods, Services, Deployments, ConfigMaps, Secrets, etc.) together.

  • Each Namespace provides isolation of names โ†’ two Services with the same name can exist in different Namespaces without conflict.

๐Ÿ“Œ By default, Kubernetes comes with these namespaces:

  • default โ†’ where resources go if no namespace is specified.

  • kube-system โ†’ for system components (e.g., CoreDNS, kube-proxy).

  • kube-public โ†’ public, read-only resources (rarely used).

  • kube-node-lease โ†’ manages node heartbeats.

๐Ÿ”‘ Why Use Namespaces?

Namespaces help in:

  • โœ… Multi-tenancy โ†’ Different teams can share the same cluster without interfering.

  • โœ… Environment separation โ†’ Example: dev, staging, prod.

  • โœ… Resource isolation โ†’ Apply ResourceQuotas and LimitRanges per namespace.

  • โœ… RBAC (Role-Based Access Control) โ†’ Assign permissions per namespace.

  • โœ… Organization โ†’ Keep microservices grouped by project.

๐Ÿ›  Creating a Namespace

1. Command Line

kubectl create namespace dev
kubectl get namespaces

2. YAML Manifest

apiVersion: v1
kind: Namespace
metadata:
  name: dev

Apply it:

kubectl apply -f namespace-dev.yaml

๐Ÿš€ Deploying into a Namespace

Example: Deploying NGINX into the dev namespace.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: dev
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.21
        ports:
        - containerPort: 80

๐Ÿ”„ Switching Between Namespaces

  • List all namespaces:

      kubectl get namespaces

  • Check resources in a specific namespace:

      kubectl get pods -n dev

  • Switch default namespace using context:

      kubectl config set-context --current --namespace=dev

Now, every command will default to dev.

โšก Cross-Namespace Communication

  • Services in different namespaces need fully qualified domain names (FQDNs).

  • Format:

      <service-name>.<namespace>.svc.cluster.local

  • Example:

      backend.dev.svc.cluster.local

So a frontend pod in frontend namespace can talk to backend service in dev namespace using this DNS.

๐Ÿ” What is RBAC?

RBAC in Kubernetes is a way to control access to resources:

  • Who โ†’ The subject (User, Group, or ServiceAccount).

  • Can do What โ†’ The action (verbs: get, list, create, delete, update).

  • On Which Resources โ†’ Pods, Services, Deployments, etc.

  • In Which Namespace โ†’ Example: dev, staging, prod.

๐Ÿ‘‰ RBAC uses four main objects:

  1. Role โ†’ Defines permissions within a namespace.

  2. ClusterRole โ†’ Defines permissions cluster-wide.

  3. RoleBinding โ†’ Assigns a Role to a user in a namespace.

  4. ClusterRoleBinding โ†’ Assigns a ClusterRole to a user across all namespaces.

๐Ÿ›  Example: Role & RoleBinding

1. Create a Namespace

kubectl create namespace dev

2. Define a Role

dev-role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev
  name: dev-role
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "create", "delete"]

๐Ÿ‘‰ This allows the user to manage only pods & services in the dev namespace.

3. Bind the Role to a User

dev-rolebinding.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-rolebinding
  namespace: dev
subjects:
- kind: User
  name: developer1          # Replace with your actual user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dev-role
  apiGroup: rbac.authorization.k8s.io

๐Ÿ‘‰ Now, developer1 can only create/manage pods & services in dev namespace, but not in prod.

๐Ÿ›ก ClusterRole Example (Admin)

Sometimes, you want cluster-wide permissions.

cluster-admin-role.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-admin-role
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

Bind it with ClusterRoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-binding
subjects:
- kind: User
  name: admin1
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin-role
  apiGroup: rbac.authorization.k8s.io

๐Ÿ‘‰ admin1 will have full access across all namespaces.

๐Ÿ”‘ Service Accounts + RBAC

  • Pods can use ServiceAccounts to access Kubernetes API securely.

  • Example: give a pod access to list secrets in dev.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev-sa
  namespace: dev
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev
  name: sa-role
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: sa-rolebinding
  namespace: dev
subjects:
- kind: ServiceAccount
  name: dev-sa
  namespace: dev
roleRef:
  kind: Role
  name: sa-role
  apiGroup: rbac.authorization.k8s.io

๐Ÿ‘‰ Now, any pod using dev-sa can only list secrets in dev namespace, not modify or delete.

๐Ÿ” RBAC & Namespace Security

Namespaces integrate tightly with RBAC (Role-Based Access Control).

Example: Restrict a developer to only manage resources in the dev namespace.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev
  name: dev-role
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-rolebinding
  namespace: dev
subjects:
- kind: User
  name: developer1
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dev-role
  apiGroup: rbac.authorization.k8s.io

๐Ÿ‘‰ Now developer1 can only work in dev namespace, not prod.

๐Ÿ“Š Resource Quotas per Namespace

You can limit how much CPU/Memory a team uses:

apiVersion: v1
kind: ResourceQuota
metadata:
  name: dev-quota
  namespace: dev
spec:
  hard:
    requests.cpu: "2"
    requests.memory: 2Gi
    limits.cpu: "4"
    limits.memory: 4Gi
    pods: "10"

This ensures no single namespace can hog cluster resources.

๐Ÿ“Š Best Practices

  1. โœ… Always use namespaces for isolation (dev, staging, prod).

  2. โœ… Assign RBAC per namespace to avoid privilege leaks.

  3. โœ… Use least privilege principle โ†’ give only what is needed.

  4. โœ… Use ServiceAccounts for apps, not root credentials.

  5. โœ… Combine with ResourceQuota to prevent resource hogging.

-๐ŸŽฏ Conclusion

Namespaces are essential for scaling Kubernetes in production. They provide isolation, organization, security, and resource control for multi-tenant clusters.

By using Namespaces correctly, you can:

  • Separate environments (dev, staging, prod).

  • Allocate resources fairly among teams.

  • Implement RBAC policies for security.

RBAC (Role-Based Access Control) โ†’ Control who can do what within a namespace.

0
Subscribe to my newsletter

Read articles from DevOpsLaunchpad directly inside your inbox. Subscribe to the newsletter, and don't miss out.

kubenetes accsss controlKubernetesrbac#namespaceskubernetes rolebindingsrolesKubernetes SecurityMulti tenancyDevopscloud native

Written by

DevOpsLaunchpad
DevOpsLaunchpad