Cluster vs Namespace
Understanding the relationship between clusters and namespaces is fundamental to working effectively with Kubernetes. These two concepts represent different levels of organization and isolation, and knowing when to use each is crucial for designing and managing Kubernetes deployments.
Think of it like a building: the cluster is the entire building with all its infrastructure (electrical, plumbing, security), while namespaces are like floors or departments within that building. Everyone shares the building’s infrastructure, but each floor can have its own organization, rules, and resources.
What is a Cluster?
A Kubernetes cluster is a complete, independent Kubernetes installation. It consists of:
- Control Plane - The management layer that makes decisions about the cluster
- Worker Nodes - The machines that run your containerized applications
- Networking - The network fabric that connects all components
- Storage - Storage systems available to the cluster
- All Resources - Every pod, service, deployment, and other object in the cluster
A cluster is the top-level boundary in Kubernetes. Everything exists within a cluster, and clusters are completely isolated from each other. If you have multiple clusters, they don’t share resources, networking, or state unless you explicitly connect them.
Cluster Characteristics
- Isolation - Complete separation from other clusters
- Shared Infrastructure - All nodes, networking, and storage are shared by everything in the cluster
- Single Control Plane - One API server, one etcd, one set of controllers manage the entire cluster
- Resource Pool - All nodes contribute to a shared pool of CPU, memory, and storage
- Network Domain - All pods can potentially communicate with each other (unless restricted by network policies)
What is a Namespace?
A namespace is a way to divide cluster resources between multiple users, teams, or projects. It’s a virtual cluster within a physical cluster. Namespaces provide:
- Logical Separation - Organize resources without physical separation
- Resource Quotas - Limit resource usage per namespace
- Access Control - Apply RBAC policies at the namespace level
- Network Policies - Isolate network traffic between namespaces
- Scoped Resources - Most Kubernetes resources are namespaced (exist within a namespace)
Namespace Characteristics
- Logical Boundary - Not a physical separation; all namespaces share the same cluster infrastructure
- Resource Organization - Helps organize and group related resources
- Isolation Options - Can provide isolation through quotas, RBAC, and network policies
- Not Complete Isolation - Resources in different namespaces can still interact if not restricted
- Scoped Naming - Resource names must be unique within a namespace, but can be reused across namespaces
The Relationship
One cluster contains many namespaces. All namespaces share the same:
- Control plane
- Worker nodes
- Network infrastructure
- Storage systems
- Cluster-level resources
Each namespace contains its own:
- Pods, services, deployments, and other namespaced resources
- Resource quotas (if configured)
- RBAC policies (if configured)
- Network policies (if configured)
When to Use Namespaces
Namespaces are useful for:
Multi-Tenancy
When multiple teams or projects share a cluster, namespaces provide logical separation. Each team gets their own namespace where they can manage their resources independently.
# Team A's namespace
apiVersion: v1
kind: Namespace
metadata:
name: team-a
---
# Team B's namespace
apiVersion: v1
kind: Namespace
metadata:
name: team-b
Environment Separation
Separate development, staging, and production environments within the same cluster:
kubectl create namespace development
kubectl create namespace staging
kubectl create namespace production
This allows you to test in development, validate in staging, and run production—all in one cluster with clear boundaries.
Resource Management
Use namespaces with resource quotas to limit resource consumption:
apiVersion: v1
kind: ResourceQuota
metadata:
name: compute-quota
namespace: development
spec:
hard:
requests.cpu: "10"
requests.memory: 20Gi
limits.cpu: "20"
limits.memory: 40Gi
This ensures the development namespace can’t consume all cluster resources.
Access Control
Apply RBAC policies at the namespace level to control who can do what:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: production
name: developer
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]
Organizational Structure
Use namespaces to organize resources by:
- Application (frontend, backend, database)
- Project (project-alpha, project-beta)
- Department (engineering, marketing, sales)
- Customer (for SaaS applications)
When NOT to Use Namespaces
Namespaces are not always the right solution:
Complete Isolation Needed
If you need complete isolation (separate networking, different Kubernetes versions, different security policies), use separate clusters instead of namespaces.
Small Deployments
For small deployments with a single team, the default namespace may be sufficient. Don’t create namespaces just because you can—use them when they solve a real problem.
Cluster-Level Resources
Some resources are cluster-scoped and exist outside namespaces:
- Nodes
- PersistentVolumes
- ClusterRoles
- ClusterRoleBindings
- Namespaces themselves
These can’t be put into namespaces, so they’re shared across the entire cluster.
Default Namespaces
Kubernetes creates several namespaces by default:
- default - The namespace for resources with no namespace specified
- kube-system - For Kubernetes system components
- kube-public - For resources that should be readable by all users
- kube-node-lease - For node heartbeat information
You typically deploy applications to the default namespace or create your own namespaces.
Working with Namespaces
Creating a Namespace
# Using kubectl
kubectl create namespace my-namespace
# Using YAML
kubectl apply -f - <<EOF
apiVersion: v1
kind: Namespace
metadata:
name: my-namespace
EOF
Setting the Default Namespace
# Set default namespace for current context
kubectl config set-context --current --namespace=my-namespace
# Or use kubens (if installed)
kubens my-namespace
Listing Resources in a Namespace
# List pods in a specific namespace
kubectl get pods -n my-namespace
# List all resources in a namespace
kubectl get all -n my-namespace
Cross-Namespace Communication
Services in one namespace can communicate with services in another namespace using the fully qualified domain name (FQDN):
service-name.namespace-name.svc.cluster.local
For example, a pod in the frontend namespace can reach a service in the backend namespace using:
backend-service.backend.svc.cluster.local
Best Practices
Use Meaningful Names - Choose namespace names that clearly indicate their purpose (e.g.,
production,team-frontend,customer-acme)Apply Resource Quotas - Use quotas to prevent one namespace from consuming all cluster resources
Use RBAC - Apply role-based access control at the namespace level for security
Document Namespace Purpose - Use labels and annotations to document what each namespace is for
Limit Namespace Count - Too many namespaces can make management difficult. Find a balance between organization and simplicity
Consider Network Policies - If you need network isolation between namespaces, use NetworkPolicies
Key Takeaways
- Cluster = Complete Kubernetes installation with all infrastructure
- Namespace = Logical division within a cluster for organization and isolation
- Use namespaces for multi-tenancy, environment separation, and resource management
- Use separate clusters when you need complete isolation
- Most resources are namespaced, but some (nodes, PVs) are cluster-scoped
- Namespaces share cluster infrastructure but provide logical boundaries
See Also
- What is Kubernetes? - Understanding Kubernetes basics
- Pods 101 - Resources that live in namespaces
- RBAC - Controlling access with namespaces
- Resource Quotas - Limiting resources per namespace