orphaned: true title: Kubernetes namespace isolation summary: Using K8s namespaces to create isolated environments (test, prod, infra) for deploying services, enabling resource segregation, access control, and environment-specific service discovery within the same cluster. sources: - 400-devops-06-kubernetes-k8s-paas-06k8sapollo.md kind: concept createdAt: "2026-04-28T04:30:04.511Z" updatedAt: "2026-04-28T04:30:04.511Z" tags: - kubernetes - infrastructure - multi-tenancy - devops aliases: - kubernetes-namespace-isolation - KNI confidence: 0.9 provenanceState: extracted inferredParagraphs: 0

Kubernetes Namespace isolation¶

Kubernetes namespace isolation is a mechanism used to virtually divide cluster resources among multiple users, teams, or environments (such as development, testing, and production).^[400-devops-06-kubernetes-k8s-paas-06k8sapollo.md]

Namespaces provide a scope for Kubernetes resource names, ensuring that names of resources (like Pods or Services) are unique within a namespace but do not need to be unique across the entire cluster.^[400-devops-06-kubernetes-k8s-paas-06k8sapollo.md]

Isolation Characteristics¶

Namespaces in Kubernetes offer a form of soft isolation.

• Network Connectivity: By default, namespaces do not restrict network communication. Pods in one namespace can communicate with Pods in another namespace^[400-devops-06-kubernetes-k8s-paas-06k8sapollo.md].
• DNS Scope: DNS records for Services are scoped to the namespace. For example, if a Service named "Apollo" is in the "test" namespace, it is accessible via apollo.test.svc.cluster.local, whereas an instance in "prod" would be apollo.prod.svc.cluster.local^[400-devops-06-kubernetes-k8s-paas-06k8sapollo.md].

Practical Use Cases¶

Separating resources by namespace allows for distinct configurations and environments within the same physical cluster^[400-devops-06-kubernetes-k8s-paas-06k8sapollo.md].

• Dedicated Infrastructure: In a split-environment strategy, different namespaces can utilize different backend resources. For instance, a "test" namespace might point to a test database and Zookeeper cluster, while a "prod" namespace points to production instances^[400-devops-06-kubernetes-k8s-paas-06k8sapollo.md].
• Internal Communication: Resources within the same namespace can communicate using simplified Service discovery (e.g., http://apollo-configservice:8080) because they share the same DNS scope^[400-devops-06-kubernetes-k8s-paas-06k8sapollo.md].
• Domain Routing: Ingress rules can be configured per namespace to route external traffic to specific internal Services, often using subdomains to distinguish environments (e.g., demo-test.od.com vs demo-prod.od.com)^[400-devops-06-kubernetes-k8s-paas-06k8sapollo.md].

Related Concepts¶

• Kubernetes
• [[Service discovery]]
• ConfigMap

Sources¶

^[400-devops-06-kubernetes-k8s-paas-06k8sapollo.md]