Kubernetes Namespaces Organizing Your Cluster

A namespace is a virtual boundary inside a Kubernetes cluster. It groups related resources together and keeps them isolated from other groups. One physical cluster can host multiple teams, projects, or environments — each in its own namespace — without them interfering with each other.

Why Namespaces Matter

Without namespaces, a cluster is like a single shared desk where ten people drop all their files. Everything mixes together, names clash, and nobody can tell which file belongs to which project. Namespaces give each team their own desk drawer — labeled, isolated, and organized.

┌─────────────────────────────────────────────┐
│              Kubernetes Cluster             │
│                                             │
│  ┌──────────────┐   ┌──────────────┐        │
│  │  Namespace:  │   │  Namespace:  │        │
│  │  production  │   │  staging     │        │
│  │  [web-app]   │   │  [web-app]   │        │
│  │  [database]  │   │  [database]  │        │
│  └──────────────┘   └──────────────┘        │
│                                             │
│  ┌──────────────┐   ┌──────────────┐        │
│  │  Namespace:  │   │  Namespace:  │        │
│  │  team-alpha  │   │  team-beta   │        │
│  │  [api]       │   │  [api]       │        │
│  └──────────────┘   └──────────────┘        │
└─────────────────────────────────────────────┘

Default Namespaces in Every Cluster

Every fresh Kubernetes cluster comes with four built-in namespaces:

NamespacePurpose
defaultWhere your resources land if you do not specify a namespace
kube-systemKubernetes system components (API Server, DNS, scheduler)
kube-publicPublicly readable data — usually just cluster info
kube-node-leaseNode heartbeat data — used internally for node health tracking

Never deploy your own applications into kube-system. That namespace belongs to Kubernetes itself.

Creating a Namespace

Two ways to create a namespace:

Command Line

kubectl create namespace production
kubectl create namespace staging

YAML File

apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    environment: prod
    team: platform

kubectl apply -f namespace.yaml

Working Within a Namespace

Add -n or --namespace to any kubectl command to target a specific namespace:

kubectl get pods -n production
kubectl get deployments -n staging
kubectl apply -f app.yaml -n production
kubectl delete deployment my-app -n staging

To list resources across all namespaces at once:

kubectl get pods -A
kubectl get deployments --all-namespaces

Setting a Default Namespace for Your Session

Typing -n production on every command gets tedious. Set a default namespace for your current context:

kubectl config set-context --current --namespace=production

Now all kubectl commands target the production namespace until you change it. Check your current context settings:

kubectl config view --minify | grep namespace

Deploying a Resource into a Specific Namespace via YAML

Put the namespace in the metadata section of your YAML:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-app
  namespace: production
spec:
  replicas: 3
  ...

This ensures the Deployment always lands in the production namespace regardless of your kubectl context.

Resource Quotas: Limiting What Each Namespace Can Use

A ResourceQuota sets a maximum on how many resources a namespace can consume. This prevents one team from accidentally exhausting all cluster resources and starving other teams.

apiVersion: v1
kind: ResourceQuota
metadata:
  name: staging-quota
  namespace: staging
spec:
  hard:
    pods: "20"
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi

Once this quota is applied, any attempt to create more than 20 Pods or exceed the CPU/memory limits in the staging namespace gets rejected.

LimitRange: Setting Defaults for Individual Resources

A LimitRange sets default resource requests and limits for containers that do not specify them. Without this, a container that forgets to set limits can consume unlimited CPU and memory.

apiVersion: v1
kind: LimitRange
metadata:
  name: default-limits
  namespace: staging
spec:
  limits:
  - type: Container
    default:
      cpu: "500m"
      memory: "256Mi"
    defaultRequest:
      cpu: "100m"
      memory: "128Mi"

Cross-Namespace Communication

Services in different namespaces can still communicate. You use the full DNS name:

http://<service-name>.<namespace>.svc.cluster.local

For example, a Pod in the staging namespace reaching the payments service in the production namespace:

http://payments.production.svc.cluster.local

Network Policies (covered later) can restrict or allow this cross-namespace communication.

Namespaces Are Not Security Boundaries

Namespaces organize resources and can limit resource usage, but they do not provide strong security isolation by themselves. A container with the right permissions can still access resources in another namespace. For real security boundaries, combine namespaces with RBAC (Role-Based Access Control) and Network Policies.

Key Points

  • Namespaces create virtual partitions inside one physical cluster for different teams or environments.
  • The default namespace is where resources land if you do not specify one.
  • Never put your apps in kube-system — it belongs to Kubernetes.
  • Use ResourceQuotas to cap resource usage per namespace and prevent one team from starving others.
  • Cross-namespace communication uses the full DNS name: <service>.<namespace>.svc.cluster.local.
Previous lessons
Back to courses
Next lessons

Leave a Comment