Kubernetes Namespace-based resource isolation

Kubernetes Namespace-based resource isolation involves using Kubernetes Namespaces in conjunction with specific policy resources to manage, restrict, and allocate compute resources for groups of objects.^[400-devops-06-kubernetes-k8s-ithelp-day23-readme.md]

Core Mechanisms

Namespaces act as the primary scope for these isolation policies. By default, Kubernetes allows containers to use unbounded resources, potentially allowing a single Pod to monopolize a node's available capacity.^[400-devops-06-kubernetes-k8s-ithelp-day23-readme.md] To mitigate this, administrators can attach objects such as [[LimitRange]] and [[ResourceQuota]] to a Namespace to enforce constraints.[1]

LimitRange

A LimitRange is a policy object that defines constraints on resource allocation (CPU and Memory) within a specific Namespace.^[400-devops-06-kubernetes-k8s-ithelp-day23-readme.md]

Its primary functions include:

  • Constraint Enforcement: Ensuring that Pods or containers do not exceed specified max resources or fall below min requests.^[400-devops-06-kubernetes-k8s-ithelp-day23-readme.md]
  • Default Value Injection: Automatically applying default CPU and memory requests or limits to containers that do not explicitly define them.^[400-devops-06-kubernetes-k8s-ithelp-day23-readme.md]
  • Storage Limits: Restricting the minimum and maximum storage size for PersistentVolumeClaim requests.^[400-devops-06-kubernetes-k8s-ithelp-day23-readme.md]
  • Request-to-Limit Ratio: Controlling the ratio between resource requests and limits.^[400-devops-06-kubernetes-k8s-ithelp-day23-readme.md]

Enforcement Behavior

When a LimitRange is created in a Namespace, the Kubernetes API server enforces its rules during object creation:

  • Defaulting: If a Pod is created without specified resources, the values from LimitRange are injected automatically.^[400-devops-06-kubernetes-k8s-ithelp-day23-readme.md]
  • Rejection: If a Pod specification exceeds the defined max limit or fails to meet the min request, the creation is forbidden, and an error is returned.^[400-devops-06-kubernetes-k8s-ithelp-day23-readme.md]
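
A LimitRange manifest that maps each function listed above to its field, followed by a Pod that omits resources so the defaults are injected. This is an added example, not taken from the cited source; the namespace `team-a`, the object names, the image reference and all numeric values are constructed for illustration.

```yaml
# Added example: names and values are constructed, not from the cited source.
apiVersion: v1
kind: LimitRange
metadata:
  name: tenant-limits
  namespace: team-a
spec:
  limits:
    - type: Container
      # Constraint enforcement: a container whose request is below min
      # or whose limit is above max is rejected at admission.
      min:
        cpu: 100m
        memory: 64Mi
      max:
        cpu: "2"
        memory: 1Gi
      # Default value injection for containers that omit these fields.
      default:            # injected as resources.limits
        cpu: 500m
        memory: 256Mi
      defaultRequest:     # injected as resources.requests
        cpu: 250m
        memory: 128Mi
      # Request-to-limit ratio: a limit may be at most 4x its request.
      maxLimitRequestRatio:
        cpu: "4"
        memory: "4"
    - type: PersistentVolumeClaim
      # Storage limits: bounds on the storage request of each PVC.
      min:
        storage: 1Gi
      max:
        storage: 20Gi
---
# Pod with no resources block: the API server fills in the defaults above.
apiVersion: v1
kind: Pod
metadata:
  name: defaults-demo
  namespace: team-a
spec:
  containers:
    - name: app
      image: registry.example/app:1.0   # placeholder image reference
```

After `kubectl apply -f`, `kubectl get pod defaults-demo -n team-a -o yaml` shows the injected `resources` block. A container that sets `limits.memory: 2Gi` in this namespace is refused because it exceeds `max`.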

Usage Scenarios

This isolation strategy is commonly used to partition cluster resources among different teams or environments.

  • Multi-tenancy: Administrators can assign a specific Namespace to a department and apply resource limits to ensure they do not consume capacity allocated to other groups.^[400-devops-06-kubernetes-k8s-ithelp-day23-readme.md]
  • Resource Management: Combining Namespace with LimitRange and ResourceQuota allows for flexible planning of configurations for different users or workloads.^[400-devops-06-kubernetes-k8s-ithelp-day23-readme.md]

Related

  • [[Namespace]]
  • Kubernetes Resource Management
  • [[LimitRange]]
  • ArgoCD (uses namespaces for installation)^[400-devops__04-CI-CD-Pipelines__k8s-argocd__argocd-app-config__README.md]

Sources

^[400-devops-06-kubernetes-k8s-ithelp-day23-readme.md] ^[400-devops__04-CI-CD-Pipelines__k8s-argocd__argocd-app-config__README.md]


  1. The text mentions that LimitRange and RequestQaota (ResourceQuota) are configuration objects attached to Namespaces, though only LimitRange is detailed in the provided examples.