Multi-Tenancy

Alright, let’s talk about using namespaces for multi-tenancy. You’re probably thinking, “I’ll just slap each customer into their own namespace, it’ll be clean, isolated, and perfect.” And I’m here to be that brilliant friend who tells you, “Yes, but also no, and here’s why you’re about to get a nasty surprise at 3 AM.” The core idea is sound. A Kubernetes namespace is a fantastic boundary for organization, not unlike having separate folders for different projects on your laptop. It lets you scope object names, apply access controls with RBAC, and assign resource quotas. For a lot of use cases, this is 90% of what you need. But—and it’s a big but—namespaces are not a security boundary. They’re a organizational boundary that sits inside a single, shared cluster security domain. This distinction is everything.

Right, so you’ve got your pristine, isolated namespaces. Your dev team can’t accidentally kubectl delete the prod database. Everyone’s happy in their little sandboxes. Until, of course, they aren’t. Because at some point, dev needs to test its new fancy service against the prod database, or the logging namespace needs to collect metrics from everywhere. This is where we break the glass and carefully, deliberately, poke holes in our beautiful isolation. Welcome to cross-namespace communication.

Alright, let’s get our hands dirty. You’ve got your cluster humming along, and now you need to start isolating things. That’s the whole point of namespaces, right? To create these neat little sandboxes so Team A’s “experimental” chaos doesn’t bring down Team B’s mission-critical payroll app. But here’s the first conceptual speed bump: not every resource in Kubernetes plays by these sandbox rules. Some resources are natively scoped to a single namespace, while others are cluster-scoped and exist in a sort of VIP lounge above it all. Understanding this distinction is non-negotiable; messing it up is how you accidentally take down the entire cluster instead of just one problematic pod.

Right, so you’ve decided you don’t want all your stuff in one big, messy room. Good call. Welcome to namespaces, the single most effective tool for organizing the glorious chaos of a Kubernetes cluster. Think of a namespace as a virtual cluster inside your actual cluster. It’s a way to slice up the resources—pods, services, deployments, the whole lot—into logically separated groups. This is your first, best step towards multi-tenancy, where you can have separate ‘dev’, ‘staging’, and ‘production’ environments all humming along on the same physical hardware without the dev team accidentally deleting the production database. (It happens more than you’d think.)

Right, let’s talk about the four namespaces Kubernetes gives you out of the box. You might be tempted to ignore them, to treat them like the default settings on a new phone you immediately change. Don’t. They’re not just defaults; they’re the foundation of your cluster’s sanity. Think of them as the designated drawers in a shared workshop: one for your own tools (default), one for the shop’s dangerous machinery (kube-system), one for posting public notices (kube-public), and one for the maintenance crew’s checklists (kube-node-lease). Mixing these up is how you accidentally “rm -rf” your own cluster’s brain.

Right, let’s talk about namespaces. If you’re coming from the world of virtual machines, your first instinct is to think of a namespace as a “mini-server” or a “virtual cluster.” I need you to unlearn that. It’s the wrong mental model, and it will lead to confusion and spectacularly broken deployments. A namespace is not a separate cluster; it’s a filter you apply to your existing cluster. It’s a way to say, “For this particular group of users or applications, only show them the objects that belong to them.”