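What is a Kubernetes Namespace?
A Kubernetes Namespace is a logical isolation mechanism for organizing and managing the resources in a Kubernetes cluster. Namespaces let you divide a cluster's resources into separate "virtual environments" for resource isolation, permission management, and resource quota control. A common scenario is a department that runs a shared K8s cluster and assigns a separate Namespace to each environment of each team, for example named department-team/application-environment: DEPT-TEAM-DEV/DEPT-TEAM-UAT/DEPT-TEAM-PROD and so on.
Namespace functions and roles:
- Resource isolation: different teams, projects, or applications can each use their own Namespace, giving resource isolation within the same cluster.
- Permission management: with RBAC (role-based access control), access permissions can be set for a specific Namespace to keep data secure.
- Resource quotas: resource limits (such as CPU and memory) can be set on a Namespace to prevent resource exhaustion or unfair allocation.
- Convenient management: related resources (such as Pods, Services, and ConfigMaps) are organized into the same Namespace, which simplifies management.
Example:
Kubernetes has the following Namespaces by default:
- default: the default Namespace, used for resources that do not specify a Namespace.
- kube-system: holds Kubernetes system components (such as the controllers and the scheduler).
- kube-public: used for public resources, accessible to all users.
- kube-node-lease: holds the node heartbeat leases.
Creating a custom Namespace:
You can create a Namespace with the following YAML: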
apiVersion: v1
kind: Namespace
metadata:
  name: my-namespace
Then apply it with the following command:
kubectl apply -f namespace.yaml
Namespaces are well suited to complex clusters and team-collaboration scenarios.
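An added example, not from the original post: manifests that back the isolation, permission, and quota functions listed above with enforcement objects for the `my-namespace` Namespace created earlier. The quota values, the object names, and the group `dept-team-developers` are assumptions. The NetworkPolicy is included because a Namespace by itself does not restrict pod-to-pod traffic, and it only takes effect with a CNI plugin that enforces NetworkPolicy.

```yaml
apiVersion: v1
kind: ResourceQuota              # caps the namespace's total CPU/memory (assumed values)
metadata:
  name: compute-quota
  namespace: my-namespace
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
---
apiVersion: v1
kind: LimitRange                 # defaults for containers that declare no requests/limits;
metadata:                        # without them the quota above rejects such pods
  name: container-defaults
  namespace: my-namespace
spec:
  limits:
    - type: Container
      defaultRequest: {cpu: 100m, memory: 128Mi}
      default: {cpu: 500m, memory: 512Mi}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding                # grants rights inside my-namespace only
metadata:
  name: team-edit
  namespace: my-namespace
subjects:
  - kind: Group
    name: dept-team-developers   # hypothetical group from your identity provider
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit                     # built-in role; scoped to this namespace by the RoleBinding
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy              # ingress allowed only from pods in the same namespace
metadata:
  name: same-namespace-only
  namespace: my-namespace
spec:
  podSelector: {}                # applies to every pod in my-namespace
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector: {}        # any pod in my-namespace, none from other namespaces
```

Saved to a file and applied with `kubectl apply -f` like the Namespace manifest, this makes `kubectl describe namespace my-namespace` list the quota and LimitRange instead of reporting `No resource quota.`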
Namespace exercise
Welcome to the KodeKloud Hands-On lab
controlplane ~ ➜ kubectl get namespace
NAME STATUS AGE
default Active 13m
dev Active 34s
finance Active 34s
kube-node-lease Active 13m
kube-public Active 13m
kube-system Active 13m
manufacturing Active 34s
marketing Active 34s
prod Active 34s
research Active 33s
controlplane ~ ➜ kubectl describe namespace research
Name: research
Labels: kubernetes.io/metadata.name=research
Annotations: <none>
Status: Active
No resource quota.
No LimitRange resource.
controlplane ~ ➜ kubectl get pods --namespace=research
NAME READY STATUS RESTARTS AGE
dna-1 0/1 CrashLoopBackOff 4 (12s ago) 97s
dna-2 0/1 Completed 4 (54s ago) 97s
controlplane ~ ➜ ls
sample.yaml
controlplane ~ ➜ kubectl create -f sample.yaml --namespace=finance
error: no objects passed to create
controlplane ~ ✖ kubectl run redis --image=redis -n=finance
pod/redis created
controlplane ~ ✖ kubectl describe pod redis -n=finance
Name: redis
Namespace: finance
Priority: 0
Service Account: default
Node: controlplane/192.168.104.33
Start Time: Sun, 30 Mar 2025 06:06:19 +0000
Labels: run=redis
Annotations: <none>
Status: Running
IP: 10.22.0.16
IPs:
IP: 10.22.0.16
Containers:
redis:
Container ID: containerd://7a278303c07b1c083abd996c91c7da4cbe1c434e501c92ac940bfcd71ed287ba
Image: redis
Image ID: docker.io/library/redis@sha256:bd41d55aae1ecff61b2fafd0d66761223fe94a60373eb6bb781cfbb570a84079
Port: <none>
Host Port: <none>
State: Running
Started: Sun, 30 Mar 2025 06:06:22 +0000
Ready: True
Restart Count: 0
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-plbrl (ro)
Conditions:
Type Status
PodReadyToStartContainers True
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
kube-api-access-plbrl:
Type: Projected (a volume that contains injected data from multiple sources)
TokenExpirationSeconds: 3607
ConfigMapName: kube-root-ca.crt
ConfigMapOptional: <nil>
DownwardAPI: true
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 50s default-scheduler Successfully assigned finance/redis to controlplane
Normal Pulling 50s kubelet Pulling image "redis"
Normal Pulled 47s kubelet Successfully pulled image "redis" in 2.379s (2.379s including waiting). Image size: 44999260 bytes.
Normal Created 47s kubelet Created container: redis
Normal Started 47s kubelet Started container redis
controlplane ~ ➜ kubectl get pods -n=research
NAME READY STATUS RESTARTS AGE
dna-1 0/1 CrashLoopBackOff 5 (115s ago) 4m48s
dna-2 0/1 CrashLoopBackOff 5 (114s ago) 4m48s
controlplane ~ ➜ kubectl get pods -n=default
No resources found in default namespace.
controlplane ~ ➜ kubectl get pods -n=marketing
NAME READY STATUS RESTARTS AGE
blue 1/1 Running 0 6m26s
redis-db 1/1 Running 0 6m26s
controlplane ~ ➜ kubectl describe pod redis-db -n=marketing
Name: redis-db
Namespace: marketing
Priority: 0
Service Account: default
Node: controlplane/192.168.104.33
Start Time: Sun, 30 Mar 2025 06:03:16 +0000
Labels: name=redis
Annotations: <none>
Status: Running
IP: 10.22.0.13
IPs:
IP: 10.22.0.13
Containers:
redis:
Container ID: containerd://633b6aea4cccb3acb27f2313700c7e712628ca281f6c416f5f9715ac8a63f733
Image: redis:alpine
Image ID: docker.io/library/redis@sha256:02419de7eddf55aa5bcf49efb74e88fa8d931b4d77c07eff8a6b2144472b6952
Port: 6379/TCP
Host Port: 0/TCP
State: Running
Started: Sun, 30 Mar 2025 06:03:19 +0000
Ready: True
Restart Count: 0
Environment:
REDIS_ROOT_PASSWORD: paswrd
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-kt96z (ro)
Conditions:
Type Status
PodReadyToStartContainers True
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
kube-api-access-kt96z:
Type: Projected (a volume that contains injected data from multiple sources)
TokenExpirationSeconds: 3607
ConfigMapName: kube-root-ca.crt
ConfigMapOptional: <nil>
DownwardAPI: true
QoS Class: BestEffort
Node-Selectors: <none>
Tolerations: node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 6m51s default-scheduler Successfully assigned marketing/redis-db to controlplane
Normal Pulling 6m50s kubelet Pulling image "redis:alpine"
Normal Pulled 6m48s kubelet Successfully pulled image "redis:alpine" in 1.882s (1.882s including waiting). Image size: 17238094 bytes.
Normal Created 6m48s kubelet Created container: redis
Normal Started 6m48s kubelet Started container redis
controlplane ~ ✖ kubectl get service -n=marketing
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
blue-service NodePort 10.43.234.235 <none> 8080:30082/TCP 8m24s
db-service NodePort 10.43.117.172 <none> 6379:32722/TCP 8m24s
controlplane ~ ✖ kubectl describe svc db-service -n=marketing
Name: db-service
Namespace: marketing
Labels: <none>
Annotations: <none>
Selector: name=redis
Type: NodePort
IP Family Policy: SingleStack
IP Families: IPv4
IP: 10.43.117.172
IPs: 10.43.117.172
Port: <unset> 6379/TCP
TargetPort: 6379/TCP
NodePort: <unset> 32722/TCP
Endpoints: 10.22.0.13:6379
Session Affinity: None
External Traffic Policy: Cluster
Internal Traffic Policy: Cluster
Events: <none>
controlplane ~ ➜ kubectl describe svc db-service -n=dev
Name: db-service
Namespace: dev
Labels: <none>
Annotations: <none>
Selector: name=redis
Type: ClusterIP
IP Family Policy: SingleStack
IP Families: IPv4
IP: 10.43.224.215
IPs: 10.43.224.215
Port: <unset> 6379/TCP
TargetPort: 6379/TCP
Endpoints: 10.22.0.12:6379
Session Affinity: None
Internal Traffic Policy: Cluster
Events: <none>
controlplane ~ ➜ kubectl get svc -n=dev
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
db-service ClusterIP 10.43.224.215 <none> 6379/TCP 11m
controlplane ~ ➜ curl http://db-service.dev.svc.cluster.local:6379
curl: (6) Could not resolve host: db-service.dev.svc.cluster.local
controlplane ~ ➜
Powered by Moshow@https://zhengkai.blog.csdn.net/