Namespace Strategy and Multi-Tenancy
Namespaces are the foundation for isolating workloads in a shared Kubernetes cluster. Without a deliberate strategy, teams deploy into arbitrary namespaces, resource usage is unbounded, and one misbehaving application can take down the entire cluster.
Why Namespaces Matter
Namespaces provide four isolation boundaries:
- RBAC scoping: Roles and RoleBindings are namespace-scoped, so you can grant teams access to their namespaces only.
- Resource quotas: Limit CPU, memory, and object counts per namespace, preventing one team from starving others.
- Network policies: Restrict traffic between namespaces so a compromised application cannot reach services it should not.
- Organizational clarity: `kubectl get pods -n payments-prod` shows exactly what you expect, not a jumble of unrelated workloads.
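The first three boundaries map directly to API objects. The manifest below is an added example, not taken from the original page: it applies them to the `payments-prod` namespace, and the group name, quota values and object names are assumptions to replace with your own.

```yaml
# Constructed example: the namespace name comes from the page; the group
# name, quota values and object names are assumptions.
apiVersion: v1
kind: Namespace
metadata:
  name: payments-prod
---
# RBAC scoping: bind the built-in "edit" ClusterRole inside this namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-team-edit
  namespace: payments-prod
subjects:
  - kind: Group
    name: payments-team   # assumed group name from your identity provider
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
---
# Resource quota: cap aggregate CPU, memory and pod count for the namespace.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: payments-quota
  namespace: payments-prod
spec:
  hard:
    requests.cpu: "8"
    requests.memory: 16Gi
    limits.cpu: "16"
    limits.memory: 32Gi
    pods: "50"
---
# Network policy: accept ingress only from pods in this same namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: same-namespace-only
  namespace: payments-prod
spec:
  podSelector: {}          # selects every pod in payments-prod
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - podSelector: {}  # no namespaceSelector, so same namespace only
```

Once a quota covers CPU or memory requests and limits, pods that do not set them are rejected unless a LimitRange supplies defaults. The NetworkPolicy has an effect only when the cluster's network plugin enforces NetworkPolicy objects.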
Recommended Namespace Layout
System Namespaces
These exist in every cluster and should be off-limits to application teams: