Author: Raffaele Di Fazio
Date: 2021-11-17
OMG Namespaces!
A journey through the wonders and mysteries of Kubernetes namespaces
Hi!
• Software Engineer at GitHub.
• Created my first Kubernetes cluster in 2015.
• Creator and maintainer of ExternalDNS.
Let's talk about Namespaces!
Deployment resource
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80
Namespace
apiVersion: v1
kind: Namespace
metadata:
  name: pineapple-pizza
Deployment with namespace
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: pineapple-pizza
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80
The end, thank you for coming!
No, no, I'm just joking
SORRY 😅
Goals
• We'll use Namespaces as a means to explore Kubernetes and some of its design decisions.
• Tools used: kind, kubernetes/kubernetes, the official docs.
index.html
1. Read the docs
2. Not all namespaces are created equal
3. Internals, resources, tools
4. How people use namespaces
5. Namespaces evolution
Chapter 1: read the docs
Namespaces definition (v1.21)
Kubernetes supports multiple virtual clusters backed by the same
physical cluster. These virtual clusters are called namespaces.
Namespaces definition (latest)
In Kubernetes, namespaces provide a mechanism for isolating groups of resources
within a single cluster. Names of resources need to be unique within a namespace, but
not across namespaces. Namespace-based scoping is applicable only for namespaced
objects (e.g. Deployments, Services, etc) and not for cluster-wide objects (e.g.
StorageClass, Nodes, PersistentVolumes, etc).
When to Use Multiple Namespaces (docs)
Namespaces are intended for use in environments with many users spread across multiple teams, or
projects. For clusters with a few to tens of users, you should not need to create or think about
namespaces at all. Start using namespaces when you need the features they provide.
Namespaces provide a scope for names. Names of resources need to be unique within a namespace,
but not across namespaces. Namespaces cannot be nested inside one another and each Kubernetes
resource can only be in one namespace.
Namespaces are a way to divide cluster resources between multiple users (via resource quota).
It is not necessary to use multiple namespaces to separate slightly different resources, such as
different versions of the same software: use labels to distinguish resources within the same
namespace.
Recap from the docs
• Some resources are namespaced.
• Namespaced resources are unique within a namespace.
• Can be used for isolation.
• Namespaces can be used to divide the clusters between users.
• The docs don't really prescribe how to use namespaces.
Questions
• Is isolation really there?
• What does it even mean to divide resources between users?
Chapter 2: not all namespaces are created equal
Kubernetes namespace in fresh kind cluster
Looking at some resources (kube-public)
Looking at some resources (kube-system)
Looking at some resources (default)
Let's delete the "kubernetes" service
🔥🧨🎇
Deleting the default kubernetes service
Kubernetes default pods
Kubernetes default endpoints
Service, endpoints, no pods?
🤔
Let's delete the "default" namespace
🔥🧨🎇
Deleting default namespace
Keeping the kubernetes namespace around
// RunKubernetesNamespaces periodically makes sure that all internal namespaces exist
func (c *Controller) RunKubernetesNamespaces(ch chan struct{}) {
	wait.Until(func() {
		// Loop the system namespace list, and create them if they do not exist
		for _, ns := range c.SystemNamespaces {
			if err := createNamespaceIfNeeded(c.NamespaceClient, ns); err != nil {
				runtime.HandleError(fmt.Errorf("unable to create required kubernetes system namespace %s: %v", ns, err))
			}
		}
	}, c.SystemNamespacesInterval, ch)
}
Keeping the kubernetes service around
// RunKubernetesService periodically updates the kubernetes service
func (c *Controller) RunKubernetesService(ch chan struct{}) {
	// wait until process is ready
	wait.PollImmediateUntil(100*time.Millisecond, func() (bool, error) {
		var code int
		c.readyzClient.Get().AbsPath("/readyz").Do(context.TODO()).StatusCode(&code)
		return code == http.StatusOK, nil
	}, ch)

	wait.NonSlidingUntil(func() {
		// Service definition is not reconciled after first
		// run, ports and type will be corrected only during
		// start.
		if err := c.UpdateKubernetesService(false); err != nil {
			runtime.HandleError(fmt.Errorf("unable to sync kubernetes service: %v", err))
		}
	}, c.EndpointInterval, ch)
}
Keeping the kubernetes service around
// Abridged on the slide: the function's parameters and the svc definition are omitted.
func (c *Controller) CreateOrUpdateMasterServiceIfNeeded() error {
	if s, err := c.ServiceClient.Services(metav1.NamespaceDefault).Get(serviceName); err == nil {
		// The service already exists.
		if reconcile {
			if svc, updated := reconcilers.GetMasterServiceUpdateIfNeeded(serviceName); updated {
				_, err := c.ServiceClient.Services(metav1.NamespaceDefault).Update(svc)
				return err
			}
		}
		return nil
	}
	_, err := c.ServiceClient.Services(metav1.NamespaceDefault).Create(svc)
	return err
}
Why do we need the Kubernetes service?
Kubernetes default service
We need this service to talk to the API server: it's the ClusterIP of the Kubernetes API
server, used by users (humans) and controllers.
But why in the default namespace?
Chapter 3: internals, resources, tools
Resources
• Not all resources are namespaced.
• How are namespaces represented?
• What about custom resources?
Namespaced resource
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
  namespace: pineapple-pizza
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
        ports:
        - containerPort: 80
Non-namespaced resource
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-admin
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
Namespaced resource
Are namespaces... namespaced?
A namespaced namespace
apiVersion: v1
kind: Namespace
metadata:
  name: foo
  namespace: kube-system
A namespaced namespace
A look at etcd
How does it even work?
A piece of code that creates namespaces...
kubernetes/pkg/master/client_util.go
func createNamespaceIfNeeded(c corev1client.NamespacesGetter, ns string) error {
	if _, err := c.Namespaces().Get(context.TODO(), ns, metav1.GetOptions{}); err == nil {
		// the namespace already exists
		return nil
	}
	newNs := &corev1.Namespace{
		ObjectMeta: metav1.ObjectMeta{
			Name:      ns,
			Namespace: "",
		},
	}
	_, err := c.Namespaces().Create(context.TODO(), newNs, metav1.CreateOptions{})
	if err != nil && errors.IsAlreadyExists(err) {
		err = nil
	}
	return err
}
Another gem: IsCertainlyClusterScoped 😅
// IsCertainlyClusterScoped returns true for Node, Namespace, etc. and
// false for Pod, Deployment, etc. and kinds that aren't recognized in the
// openapi data. See:
// https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces
func IsCertainlyClusterScoped(typeMeta yaml.TypeMeta) bool {
	nsScoped, found := IsNamespaceScoped(typeMeta)
	return found && !nsScoped
}
Namespaces are not namespaced :-)
from pkg/registry/core/namespace/strategy.go
// NamespaceScoped is false for namespaces.
func (namespaceStrategy) NamespaceScoped() bool {
	return false
}
staging/src/k8s.io/apiextensions-apiserver/pkg/registry/customresource/strategy.go
// objectMetaFieldsSet returns a fields.Set that represents the ObjectMeta.
func objectMetaFieldsSet(objectMeta metav1.Object, namespaceScoped bool) fields.Set {
	if namespaceScoped {
		return fields.Set{
			"metadata.name":      objectMeta.GetName(),
			"metadata.namespace": objectMeta.GetNamespace(),
		}
	}
	return fields.Set{
		"metadata.name": objectMeta.GetName(),
	}
}
Namespacing CRDs
Kubernetes is tolerant, not all tools are
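The scope check from the slides above, turned into a small manifest linter as an added example (not code from the deck or from kubernetes/kubernetes): it applies the same namespaced / cluster-scoped / unknown split that IsCertainlyClusterScoped uses to a batch of objects and flags the two cases the API server tolerates but tools and humans trip over. The kind table, the sample manifests and the Widget kind are constructed for this example; the manifests are JSON because Kubernetes accepts JSON as well as YAML and Go's standard library has no YAML parser.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Scope of the kinds this checker knows about (constructed table for the example):
// true = namespaced, false = cluster-scoped. A kind missing from the map is
// "unknown", the same tri-state IsCertainlyClusterScoped ends up with when a kind
// is absent from the OpenAPI data, e.g. a custom resource whose CRD we have not seen.
var knownNamespaceScoped = map[string]bool{
	"Pod": true, "Deployment": true, "Service": true, "ConfigMap": true,
	"Role": true, "RoleBinding": true, "NetworkPolicy": true,
	"Namespace": false, "Node": false, "ClusterRole": false,
	"ClusterRoleBinding": false, "PersistentVolume": false, "StorageClass": false,
}

// Finding codes returned by CheckManifest.
const (
	OK                       = "ok"
	MissingNamespace         = "missing-namespace"
	NamespaceOnClusterScoped = "namespace-on-cluster-scoped"
	UnknownScope             = "unknown-scope"
	Malformed                = "malformed"
)

// manifest holds the only fields the check needs from a Kubernetes object.
type manifest struct {
	Kind     string `json:"kind"`
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
}

// Finding describes one manifest and what, if anything, is off about its scope.
type Finding struct {
	Kind, Name, Code, Detail string
}

// CheckManifest classifies a single JSON manifest.
func CheckManifest(raw []byte) Finding {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return Finding{Code: Malformed, Detail: err.Error()}
	}
	f := Finding{Kind: m.Kind, Name: m.Metadata.Name, Code: OK}
	nsScoped, known := knownNamespaceScoped[m.Kind]
	switch {
	case !known:
		f.Code = UnknownScope
		f.Detail = "scope is decided by the CRD's spec.scope; cannot tell from the object alone"
	case nsScoped && m.Metadata.Namespace == "":
		f.Code = MissingNamespace
		f.Detail = "will land in whatever namespace the client defaults to, usually \"default\""
	case !nsScoped && m.Metadata.Namespace != "":
		f.Code = NamespaceOnClusterScoped
		f.Detail = "the API server clears metadata.namespace on cluster-scoped kinds; other tools may reject it"
	}
	return f
}

// CheckAll runs CheckManifest over a batch and returns only the non-OK findings.
func CheckAll(docs [][]byte) []Finding {
	var out []Finding
	for _, d := range docs {
		if f := CheckManifest(d); f.Code != OK {
			out = append(out, f)
		}
	}
	return out
}

// SampleManifests are constructed for this example. They mirror the deck's objects
// (a Deployment without a namespace, a "namespaced" Namespace, a ClusterRole) plus
// a made-up custom resource kind in a made-up API group.
var SampleManifests = [][]byte{
	[]byte(`{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"nginx"}}`),
	[]byte(`{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"nginx","namespace":"pineapple-pizza"}}`),
	[]byte(`{"apiVersion":"v1","kind":"Namespace","metadata":{"name":"foo","namespace":"kube-system"}}`),
	[]byte(`{"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRole","metadata":{"name":"cluster-admin"}}`),
	[]byte(`{"apiVersion":"example.invalid/v1","kind":"Widget","metadata":{"name":"w1"}}`),
}

func main() {
	for _, f := range CheckAll(SampleManifests) {
		fmt.Printf("%-12s %-8s %-28s %s\n", f.Kind, f.Name, f.Code, f.Detail)
	}
}
```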
Chapter 4: how people use namespaces
Different usages
• Naive: everything in the default namespace.
• One namespace per team.
• One namespace per environment.
• One namespace per application.
Kubernetes does not have an opinion on
how you should use Namespaces.
Everything in default a.k.a. kubectl YOLO
PROs
• Easy to understand.
• What you do following most tutorials.
CONs
• Hard to manage with a lot of resources.
• Who owns what?
One namespace per team
PROs
• Logical separation between services of different teams.
• Good for "team centric" companies.
CONs
• In some companies teams are extremely fluid.
One namespace per environment
PROs
• Logical separation between staging, production, etc.
• Can work well for small companies.
CONs
• Are things really separated? 😬
The great misunderstanding
There's no separation between things in
different namespaces.
Network policies
It's likely a bad idea to mix prod and non-prod workloads.
RBAC and Namespaces
RBAC for Namespaces
• Creating/deleting arbitrary namespaces -> very high privileges.
• Custom controllers often need access to all namespaces, which gives them lots of permissions.
Permission model weaknesses
One namespace per application
PROs
• Good logical separation.
• You can fine tune what talks with what.
• Keeps the number of resources per namespace low.
• Deleting a namespace is like deleting an app... sort of.
CONs
• If you have a monolith, what's even an app?
• You could end up with a lot of namespaces.
Chapter 5: Namespaces evolution
Hierarchical Namespaces
Virtual Clusters using Namespaces
https://youtu.be/QddWNqchD9I
Conclusions
Thank You