Kubernetes namespace-based environment isolation¶

Kubernetes namespace-based environment isolation is a practice that uses Kubernetes Namespaces to segregate deployments and resources for different lifecycle stages (such as testing and production) within a single cluster^[400-devops__06-Kubernetes__k8s-paas__06.在K8S中集成Apollo配置中心.md]. This approach allows a single application image to be deployed across multiple environments by varying external configurations^[400-devops__06-Kubernetes__k8s-paas__06.在K8S中集成Apollo配置中心.md].

Core Concepts¶

Namespaces provide a mechanism to isolate clusters and resources virtually^[400-devops__06-Kubernetes__k8s-paas__06.在K8S中集成Apollo配置中心.md]. In a namespace-based isolation strategy, distinct namespaces are created for each environment, for example, a test namespace for testing environments and a prod namespace for production environments^[400-devops__06-Kubernetes__k8s-paas__06.在K8S中集成Apollo配置中心.md].

This method ensures that while the underlying infrastructure is shared, the application instances, services, and Ingress routes for one environment are logically separated from another. This setup supports the goal of building a single image that can be delivered to and run in different environments based on configuration^[400-devops__06-Kubernetes__k8s-paas__06.在K8S中集成Apollo配置中心.md].

Implementation¶

To implement namespace-based isolation, specific resource configurations are applied for each target environment.

Namespace Creation and Secrets¶

First, distinct namespaces are created, along with necessary secrets (such as Docker Registry credentials) within each namespace^[400-devops__06-Kubernetes__k8s-paas__06.在K8S中集成Apollo配置中心.md].

[kubectl](<./kubectl.md>) create ns test
[kubectl](<./kubectl.md>) create ns prod
[kubectl](<./kubectl.md>) create secret docker-registry harbor -n test ...
[kubectl](<./kubectl.md>) create secret docker-registry harbor -n prod ...

Resource Manifests¶

Resource manifests (Deployments, Services, Ingress, ConfigMaps) are separated by environment^[400-devops__06-Kubernetes__k8s-paas__06.在K8S中集成Apollo配置中心.md]. For instance, directory structures are often organized as /data/k8s-yaml/test/ and /data/k8s-yaml/prod/^[400-devops__06-Kubernetes__k8s-paas__06.在K8S中集成Apollo配置中心.md].

Within these manifests, the namespace field is explicitly set to match the target environment^[400-devops__06-Kubernetes__k8s-paas__06.在K8S中集成Apollo配置中心.md]. Additionally, environment-specific configurations, such as the connection string to a configuration center (like Apollo), are specified via environment variables or ConfigMaps^[400-devops__06-Kubernetes__k8s-paas__06.在K8S中集成Apollo配置中心.md].

Network Isolation¶

Network access to the different environments is typically managed through domain name resolution and Ingress rules^[400-devops__06-Kubernetes__k8s-paas__06.在K8S中集成Apollo配置中心.md].

• Domain Names: Unique domains are resolved for each environment (e.g., demo-test.od.com points to the test environment, while demo-prod.od.com points to the production environment)^[400-devops__06-Kubernetes__k8s-paas__06.在K8S中集成Apollo配置中心.md].
• Ingress: Ingress resources are configured within specific namespaces to route traffic from these external domains to the corresponding internal services^[400-devops__06-Kubernetes__k8s-paas__06.在K8S中集成Apollo配置中心.md].

Service Discovery¶

When resources reside within the same namespace, they can communicate using internal Kubernetes DNS service names (e.g., http://apollo-configservice:8080), which simplifies internal networking compared to using external proxy URLs^[400-devops__06-Kubernetes__k8s-paas__06.在K8S中集成Apollo配置中心.md].

Deployment Workflow¶

The deployment workflow utilizing this isolation typically involves:

1. Build: Create a single application image.
2. Deploy to Test: Apply the resource manifests located in the test directory to the test namespace^[400-devops__06-Kubernetes__k8s-paas__06.在K8S中集成Apollo配置中心.md].
3. Verification: Verify the deployment in the test environment via its specific domain.
4. Promote to Prod: Once validated, apply the resource manifests from the prod directory to the prod namespace^[400-devops__06-Kubernetes__k8s-paas__06.在K8S中集成Apollo配置中心.md]. This may involve simply updating the image tag in the production Deployment without requiring a new image build^[400-devops__06-Kubernetes__k8s-paas__06.在K8S中集成Apollo配置中心.md].

Related Concepts¶

• Ingress
• ConfigMap
• [[Apollo]]
• [[Microservices]]

Sources¶

^[400-devops__06-Kubernetes__k8s-paas__06.在K8S中集成Apollo配置中心.md]