Kubernetes Namespace: Resource Isolation
Namespace Overview
A Namespace is the core mechanism Kubernetes offers for multi-tenant resource isolation. It partitions the cluster logically: resource names are unique only within a namespace, and namespaced objects (Pods, Services, Secrets, ConfigMaps, ...) in different namespaces are independent of each other. That isolation is logical, not a security boundary on its own. Pods from different namespaces still run on the same nodes, and without a NetworkPolicy they can reach each other freely over the Pod network. Cluster-scoped objects such as Nodes, PersistentVolumes, StorageClasses and ClusterRoles belong to no namespace at all. Enforced isolation comes from combining Namespaces with RBAC, ResourceQuota, LimitRange and NetworkPolicy, which the following sections cover.
Creating a Namespace
# Imperatively, from the command line
kubectl create namespace production
kubectl create namespace staging
kubectl create namespace development
# Declaratively, from YAML (labels are what namespaceSelectors match on later)
kubectl apply -f - <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    env: production
    team: backend
EOF
Using a Namespace
# Run a resource in a specific namespace
kubectl run nginx --image=nginx -n production
# List resources in a specific namespace
kubectl get pods -n production
kubectl get svc -n staging
# List all namespaces
kubectl get namespaces
# Change the default namespace of the current kubeconfig context
# (persisted in kubeconfig: every later command without -n now targets production)
kubectl config set-context --current --namespace=production
# Show the namespace the current context uses
kubectl config view --minify -o jsonpath='{..namespace}'
Resource Quotas
ResourceQuota
# resource-quota.yaml
# Once a quota constrains requests.* or limits.*, every new Pod in the namespace
# must set those fields on each container (or receive them from a LimitRange),
# otherwise the API server rejects it at admission.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-quota
  namespace: production
spec:
  hard:
    requests.cpu: "10"
    requests.memory: 20Gi
    limits.cpu: "20"
    limits.memory: 40Gi
    pods: "50"
    services: "10"
    persistentvolumeclaims: "20"
# Check quota usage ("Used" versus "Hard" per resource)
kubectl describe resourcequota -n production
LimitRange
# limit-range.yaml
# Per-container defaults: "default" fills missing limits, "defaultRequest" fills
# missing requests, so Pods that omit resources are still admitted under the
# ResourceQuota above instead of being rejected.
apiVersion: v1
kind: LimitRange
metadata:
  name: default-limits
  namespace: production
spec:
  limits:
  - default:
      cpu: "500m"
      memory: "256Mi"
    defaultRequest:
      cpu: "100m"
      memory: "128Mi"
    type: Container
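The interplay between the two objects above is easy to get wrong: a ResourceQuota that constrains `requests.cpu` rejects any Pod that declares no requests, and the LimitRange is what makes such Pods admissible. The following added example (not code from the original page or from Kubernetes) re-implements the LimitRanger defaulting and the ResourceQuota admission check over the two manifests expressed as Python dicts. The current-usage figures and the Pods are constructed.

```python
# Added example (not code from the original page or from Kubernetes): a
# re-implementation of what the LimitRanger and ResourceQuota admission plugins
# decide for a new Pod, using the two manifests above as Python dicts.
# The current-usage numbers and the Pods are constructed.
import copy
import re
from fractions import Fraction

# Suffixes of Kubernetes resource quantities (decimal SI and binary).
_FACTORS = {"": 1, "m": Fraction(1, 1000), "k": 10**3, "M": 10**6, "G": 10**9,
            "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}

def parse_quantity(q):
    """'500m' -> 1/2 core, '256Mi' -> 268435456 bytes, '10' -> 10. Exact Fractions."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(Ki|Mi|Gi|m|k|M|G)?", str(q))
    if not m:
        raise ValueError(f"bad quantity: {q!r}")
    return Fraction(m.group(1)) * _FACTORS[m.group(2) or ""]

LIMIT_RANGE = {"limits": [{"type": "Container",
                           "default": {"cpu": "500m", "memory": "256Mi"},
                           "defaultRequest": {"cpu": "100m", "memory": "128Mi"}}]}
RESOURCE_QUOTA = {"hard": {"requests.cpu": "10", "requests.memory": "20Gi",
                           "limits.cpu": "20", "limits.memory": "40Gi", "pods": "50"}}
# Constructed: what the namespace already consumes (the "Used" column of describe).
USED = {"requests.cpu": "9.6", "requests.memory": "10Gi",
        "limits.cpu": "12", "limits.memory": "15Gi", "pods": "12"}

def apply_limit_range(pod, limit_range):
    """LimitRanger defaulting for type=Container items: fill missing limits from
    'default' and missing requests from 'defaultRequest'. A request left unset next
    to an explicitly set limit defaults to that limit (API defaulting), not to
    defaultRequest. min/max validation is not modelled here."""
    pod = copy.deepcopy(pod)
    for item in limit_range["limits"]:
        if item.get("type") != "Container":
            continue
        for c in pod["spec"]["containers"]:
            res = c.setdefault("resources", {})
            limits, requests = res.setdefault("limits", {}), res.setdefault("requests", {})
            explicit_limits = dict(limits)
            for name, q in item.get("default", {}).items():
                limits.setdefault(name, q)
            for name, q in item.get("defaultRequest", {}).items():
                requests.setdefault(name, explicit_limits.get(name, q))
    return pod

def admit(pod, quota, used):
    """ResourceQuota admission. Returns (admitted, reason).
    Rule 1: if the quota constrains requests.X / limits.X, every container must
    set it. Rule 2: used + requested must stay within 'hard' for every key."""
    hard = {k: parse_quantity(v) for k, v in quota["hard"].items()}
    usage = {k: parse_quantity(v) for k, v in used.items()}
    need = {"pods": Fraction(1)}
    for c in pod["spec"]["containers"]:
        res = c.get("resources", {})
        for key in hard:
            if "." not in key:
                continue
            kind, name = key.split(".", 1)
            if name not in res.get(kind, {}):
                return False, f"container {c['name']!r} must specify {key}"
            need[key] = need.get(key, 0) + parse_quantity(res[kind][name])
    for key, limit in hard.items():
        if usage.get(key, 0) + need.get(key, 0) > limit:
            return False, f"exceeded quota: {key}"
    return True, "admitted"

# Constructed Pods: one with no resources at all, one that asks for a full core.
BARE_POD = {"spec": {"containers": [{"name": "app", "image": "nginx"}]}}
BIG_POD = {"spec": {"containers": [{"name": "app", "image": "nginx", "resources": {
    "requests": {"cpu": "1", "memory": "1Gi"}, "limits": {"cpu": "2", "memory": "2Gi"}}}]}}

def demo():
    """Three outcomes a practitioner sees in practice."""
    return {
        # rejected: quota tracks requests.* but the Pod declares none
        "bare_without_limitrange": admit(BARE_POD, RESOURCE_QUOTA, USED),
        # admitted: LimitRange injects 100m/128Mi requests, 9.6 + 0.1 <= 10 cores
        "bare_with_limitrange": admit(apply_limit_range(BARE_POD, LIMIT_RANGE), RESOURCE_QUOTA, USED),
        # rejected: 9.6 + 1 cores exceeds requests.cpu = 10
        "big_pod": admit(BIG_POD, RESOURCE_QUOTA, USED),
    }

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'ADMIT' if ok else 'DENY'} ({why})")
```

Run it as a script to see the three decisions. The first case is the one that surprises teams after they add a quota: the rejection message names the missing field, and the fix is the LimitRange, not removing the quota.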
RBAC Access Control
Role
# role.yaml
# A Role is namespaced: these rules apply only to objects in production.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: production
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]   # subresources such as pods/log must be listed explicitly
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list"]
RoleBinding
# rolebinding.yaml
# Grants pod-reader to the user "developer" and the group "dev-team" in production.
# Verify with: kubectl auth can-i list pods -n production --as developer
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: production
subjects:
- kind: User
  name: developer
  apiGroup: rbac.authorization.k8s.io
- kind: Group
  name: dev-team
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
ClusterRole (cluster scope)
# clusterrole.yaml
# A ClusterRole is not namespaced and can cover cluster-scoped resources such as
# nodes. It grants nothing by itself: bind it with a ClusterRoleBinding for
# cluster-wide access, or with a RoleBinding to confine it to a single namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reader
rules:
- apiGroups: [""]
  resources: ["nodes", "namespaces"]
  verbs: ["get", "list"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list"]
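What a Role, a RoleBinding and a ClusterRole actually grant only becomes clear when you trace the authorizer's decision. The following added example (not code from the original page or from Kubernetes) re-implements that decision over the three manifests above plus two constructed bindings: a `secret-reader` ClusterRole bound through a RoleBinding in `staging`, and a ClusterRoleBinding of `cluster-reader` to an `sre` group. The names `secret-reader`, `sre`, `alice` and `ops` are assumptions for the illustration; `resourceNames` and `nonResourceURLs` are not modelled.

```python
# Added example (not code from the original page or from Kubernetes): a minimal
# re-implementation of the RBAC authorizer's decision over the Role, RoleBinding
# and ClusterRole above, plus constructed bindings, to show which binding kind
# grants access where. resourceNames and nonResourceURLs are not modelled.

# Namespaced Roles, keyed by (namespace, name): the pod-reader Role from the page.
ROLES = {("production", "pod-reader"): [
    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]},
]}
CLUSTER_ROLES = {
    # cluster-reader from the page: cluster-scoped resources only
    "cluster-reader": [
        {"apiGroups": [""], "resources": ["nodes", "namespaces"], "verbs": ["get", "list"]},
        {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": ["get", "list"]},
    ],
    # constructed: a reusable ClusterRole over a namespaced resource
    "secret-reader": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}],
}
ROLE_BINDINGS = [
    # read-pods from the page
    {"namespace": "production", "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "developer"}, {"kind": "Group", "name": "dev-team"}]},
    # constructed: a ClusterRole referenced from a RoleBinding applies in that namespace only
    {"namespace": "staging", "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "User", "name": "developer"}]},
]
CLUSTER_ROLE_BINDINGS = [
    # constructed: cluster-wide grant to an "sre" group
    {"roleRef": {"kind": "ClusterRole", "name": "cluster-reader"},
     "subjects": [{"kind": "Group", "name": "sre"}]},
]

def _rules_for(role_ref, binding_namespace):
    """Resolve a roleRef. A referenced Role must live in the binding's own namespace."""
    if role_ref["kind"] == "ClusterRole":
        return CLUSTER_ROLES.get(role_ref["name"], [])
    return ROLES.get((binding_namespace, role_ref["name"]), [])

def _subject_matches(subjects, user, groups):
    return any((s["kind"] == "User" and s["name"] == user) or
               (s["kind"] == "Group" and s["name"] in groups) for s in subjects)

def _rule_allows(rule, verb, api_group, resource):
    """'*' is a wildcard. A subresource like pods/log matches only a rule that
    names it (or '*'); a rule for 'pods' does not cover it."""
    def hit(allowed, value):
        return "*" in allowed or value in allowed
    return (hit(rule["verbs"], verb) and hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource))

def can_i(user, groups, verb, api_group, resource, namespace=None):
    """Mirror of `kubectl auth can-i <verb> <resource> -n <ns> --as <user>`.
    namespace=None means a cluster-scoped request (nodes, namespaces, ...).
    ClusterRoleBindings are consulted for every request; RoleBindings only for
    requests inside their own namespace, whatever kind of role they reference.
    RBAC is allow-only: the first matching rule grants, nothing ever denies."""
    candidates = [(b["roleRef"], b["subjects"], None) for b in CLUSTER_ROLE_BINDINGS]
    if namespace is not None:
        candidates += [(b["roleRef"], b["subjects"], namespace)
                       for b in ROLE_BINDINGS if b["namespace"] == namespace]
    for role_ref, subjects, binding_ns in candidates:
        if not _subject_matches(subjects, user, groups):
            continue
        if any(_rule_allows(r, verb, api_group, resource) for r in _rules_for(role_ref, binding_ns)):
            return True
    return False

if __name__ == "__main__":
    checks = [
        ("developer", [], "get", "", "pods", "production"),
        ("developer", [], "get", "", "pods", "staging"),
        ("developer", [], "delete", "", "pods", "production"),
        ("developer", [], "get", "", "secrets", "staging"),
        ("developer", [], "get", "", "secrets", "production"),
        ("developer", [], "list", "", "nodes", None),
        ("ops", ["sre"], "list", "", "nodes", None),
    ]
    for c in checks:
        print(f"{c[0]:>10} {c[2]:>6} {c[4]:>8} ns={c[5]!s:<10} -> {'yes' if can_i(*c) else 'no'}")
```

Two results are worth noticing: `developer` can read secrets in `staging` but not in `production`, because the RoleBinding, not the ClusterRole, decides the scope; and the same user cannot list nodes, because a RoleBinding never grants cluster-scoped requests even when it references a ClusterRole that names them. Against a real cluster, `kubectl auth can-i --as` answers the same questions.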
In Practice: A Multi-Environment Namespace Layout
# Keep label values consistent across manifests (env: prod here versus env: production
# earlier): NetworkPolicy namespaceSelectors and kubectl -l filters match exact values.
# Development
apiVersion: v1
kind: Namespace
metadata:
  name: development
  labels:
    env: dev
---
# Staging
apiVersion: v1
kind: Namespace
metadata:
  name: staging
  labels:
    env: staging
---
# Production
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    env: prod
---
# Monitoring stack
apiVersion: v1
kind: Namespace
metadata:
  name: monitoring
  labels:
    env: infra
---
# Logging stack
apiVersion: v1
kind: Namespace
metadata:
  name: logging
  labels:
    env: infra
Network Policies
# network-policy.yaml
# NetworkPolicy is enforced only by a CNI plugin that supports it (Calico, Cilium
# and others); with a plugin that does not, the objects are accepted and silently ignored.
# Default deny: an empty podSelector selects every Pod in production, and listing both
# policyTypes with no rules blocks all ingress AND all egress, including DNS lookups
# to kube-dns, so an egress allow rule for DNS is normally needed alongside it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# Allow specific Pods to talk. Rules are additive (there is no deny rule), so this
# opens only frontend -> backend on TCP/8080; protocol defaults to TCP. A podSelector
# peer without a namespaceSelector matches Pods in this namespace only. Because no
# policyTypes is given, the policy defaults to Ingress only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: backend
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - port: 8080
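The two policies above combine according to rules that are easy to misremember: a Pod selected by no policy is wide open, a Pod selected by any policy is closed except for what some rule allows, and a `podSelector` peer without a `namespaceSelector` reaches only into the policy's own namespace. The following added example (not code from the original page or from any CNI) evaluates the ingress decision for constructed Pods in `production` and in a constructed `staging` namespace with exactly those semantics. Egress, `ipBlock` peers and `matchExpressions` are not modelled.

```python
# Added example (not code from the original page or from any CNI): an
# evaluation of the two NetworkPolicy objects above with the semantics a
# policy-enforcing CNI applies, to show exactly which connections the
# default-deny + allow-frontend pair permits. Pods, namespace labels and the
# staging namespace are constructed; egress and ipBlock are not modelled.

NAMESPACE_LABELS = {"production": {"env": "prod"}, "staging": {"env": "staging"}}

POLICIES = [
    # default-deny-all from the page: selects every Pod, no rules, both directions
    {"namespace": "production", "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    # allow-frontend from the page
    {"namespace": "production", "spec": {
        "podSelector": {"matchLabels": {"app": "backend"}},
        "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                     "ports": [{"port": 8080}]}]}},
]

def selects(selector, labels):
    """Label selector: {} matches everything, matchLabels entries are ANDed.
    matchExpressions are not implemented in this example."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def policy_types(spec):
    """Default when policyTypes is omitted: Ingress always; Egress only if egress rules exist."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}

def peer_matches(peer, policy_namespace, src):
    """podSelector alone: Pods in the POLICY's namespace with those labels.
    namespaceSelector alone: any Pod in a namespace with those labels.
    Both in one peer: both must hold (AND). ipBlock peers are ignored here."""
    if "ipBlock" in peer:
        return False
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None:
        ns_ok = src["namespace"] == policy_namespace
    else:
        ns_ok = selects(ns_sel, NAMESPACE_LABELS.get(src["namespace"], {}))
    pod_ok = pod_sel is None or selects(pod_sel, src["labels"])
    return ns_ok and pod_ok

def port_matches(ports, port, protocol):
    """No ports listed = every port; protocol defaults to TCP per entry."""
    if not ports:
        return True
    return any(p.get("port") == port and p.get("protocol", "TCP") == protocol for p in ports)

def ingress_allowed(src, dst, port, protocol="TCP"):
    """Is src -> dst:port allowed by ingress policy in dst's namespace?
    If no Ingress policy selects dst, traffic is allowed (no policy = open).
    Otherwise rules are additive: allowed iff at least one rule matches.
    There are no deny rules; default-deny works by selecting Pods with no rules."""
    selected = False
    for pol in POLICIES:
        spec = pol["spec"]
        if pol["namespace"] != dst["namespace"] or "Ingress" not in policy_types(spec):
            continue
        if not selects(spec["podSelector"], dst["labels"]):
            continue
        selected = True
        for rule in spec.get("ingress", []):
            peers = rule.get("from")
            src_ok = not peers or any(peer_matches(p, pol["namespace"], src) for p in peers)
            if src_ok and port_matches(rule.get("ports"), port, protocol):
                return True
    return not selected

# Constructed Pods (namespace + labels are all a NetworkPolicy looks at).
FRONTEND = {"namespace": "production", "labels": {"app": "frontend"}}
BACKEND = {"namespace": "production", "labels": {"app": "backend"}}
BATCH = {"namespace": "production", "labels": {"app": "batch"}}
STAGING_FRONTEND = {"namespace": "staging", "labels": {"app": "frontend"}}
STAGING_BACKEND = {"namespace": "staging", "labels": {"app": "backend"}}

if __name__ == "__main__":
    cases = [
        ("frontend -> backend:8080", FRONTEND, BACKEND, 8080, "TCP"),
        ("frontend -> backend:9090", FRONTEND, BACKEND, 9090, "TCP"),
        ("frontend -> backend:8080/UDP", FRONTEND, BACKEND, 8080, "UDP"),
        ("batch -> backend:8080", BATCH, BACKEND, 8080, "TCP"),
        ("staging/frontend -> backend:8080", STAGING_FRONTEND, BACKEND, 8080, "TCP"),
        ("backend -> frontend:80", BACKEND, FRONTEND, 80, "TCP"),
        ("frontend -> staging/backend:8080", FRONTEND, STAGING_BACKEND, 8080, "TCP"),
    ]
    for label, s, d, p, proto in cases:
        print(f"{label:<36} {'ALLOW' if ingress_allowed(s, d, p, proto) else 'DENY'}")
```

The last case is the one that matters for isolation: `staging` has no policy of its own, so its backend accepts traffic from anywhere, including from `production`. Namespacing did nothing for it; a default-deny policy has to exist in every namespace that needs one.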
Cleaning Up Resources
# Delete a namespace: this removes EVERY namespaced object inside it
# (Pods, Secrets, PVCs, ...), not only an empty namespace, so check its contents first
kubectl delete namespace dev-$(date +%Y%m%d)
# Clear the workload objects in a namespace. "all" covers only a fixed set of kinds
# (pods, services, deployments, replicasets, ...); ConfigMaps, Secrets, PVCs,
# Ingresses, NetworkPolicies and RBAC objects are NOT included and survive this.
kubectl delete all --all -n development
# Show resource usage (requires metrics-server in the cluster)
kubectl top pods -n production
kubectl top nodes
Common Commands
# Namespace operations
kubectl get ns
kubectl describe ns production
# Add --overwrite if the label already exists with a different value
kubectl label ns production env=prod
# Resource quotas
kubectl get resourcequota -n production
kubectl describe resourcequota -n production
# RBAC
kubectl get rolebindings -n production
kubectl get clusterrolebindings
Best Practices
# 1. Separate environments by namespace
# 2. Give each team its own namespace
# 3. Set a ResourceQuota (with LimitRange defaults) to prevent resource exhaustion
# 4. Restrict traffic with NetworkPolicy; a namespace alone does not isolate the network
# 5. Scope user permissions with RBAC, preferring namespaced Roles over ClusterRoles
Summary
Namespaces are the foundation of Kubernetes multi-tenancy, but on their own they only scope names and group resources. Combining Namespaces with ResourceQuota, LimitRange, RBAC and NetworkPolicy is what turns that grouping into enforced resource and permission isolation.