.png)
Introduction to Namespaces
Linux namespaces allow for the isolation of global system resources between processes. The following table shows the namespace types available on Linux with their isolations.
| Cgroup | Cgroup root directory |
| IPC | System V IPC, POSIX message queues |
| Network | Network devices, stacks, ports, etc. |
| Mount | Mount points |
| PID | Process IDs |
| User | User and group IDs |
| UTS | Hostname and NIS domain name |
Changes to the global resource are visible only the process that member of the namespace, but are invisible to the others. Each process running on the Linux machine has a PID that assigned to a namespace. The PID on the same namespace can have access to others. This concept is the fundamental technology behind container implementations and describes why any process running in a container cannot access other processes information in spite of running at the same host.
Namespace doesn't restrict access to physical resources like CPU, memory, disk. These types of resources are restricted by a feature called Cgroups on Linux kernel. You can read more about Cgroups from RedHat documentation. I want to show a use case of the namespace on the Linux server. "unshare" command allows to run commands with a namespace that restrict parent process access.
Isolate Application by Setting Linux Namespace
Step 1: Use the unshare command and run "bash"
# unshare -m /bin/bash # secret_dir=`mktemp -d --tmpdir=/tmp` # echo $secret_dir /tmp/tmp.SpfZ93Jf56 # mount -n -o size=1m -t tmpfs tmpfs $secret_dir # df -hT Filesystem Type Size Used Avail Use% Mounted on tmpfs tmpfs 1,0M 0 1,0M 0% /tmp/tmp.SpfZ93Jf56 # cd /tmp/tmp.SpfZ93Jf56/ # touch filehidden1 # touch filehidden2 # ls -lrt total 0 -rw-r--r-- 1 root root 0 Oca 4 13:11 filehidden1 -rw-r--r-- 1 root root 0 Oca 4 13:11 filehidden2
Step 2: Open another terminal-session that check if these files exist.
We have restricted to these files with a namespace that the parent process has no access.
# df -h /tmp/tmp.SpfZ93Jf56/ Filesystem Size Used Avail Use% Mounted on /dev/sda5 62G 12G 47G 21% / # whoami root # cd /tmp/tmp.SpfZ93Jf56/ # pwd /tmp/tmp.SpfZ93Jf56 # ls -lrt total 0
Kubernetes Namespace
For Kubernetes(K8s), namespaces are a way to divide cluster resources between multiple users. Kubernetes uses namespaces to help address the complexity of organizing objects within a cluster. You can group objects to manage and filter with the namespace. This feature makes easy to apply policies to a specific part of your cluster.
View Existing Namespaces
To display all namespaces existing on a cluster, use the command:
#kubectl get namespaces NAME STATUS AGE default Active 2m11s kube-node-lease Active 2m12s kube-public Active 2m12s kube-system Active 2m12s kubernetes-dashboard Active 2m
If you need more information about a specific namespace, then use the command:
#kubectl describe namespace kube-system Name: kube-system Labels: <none> Annotations: <none> Status: Active No resource quota. No LimitRange resource.
Create Namespaces
To create a new namespace from the command line:
#kubectl create namespace casesup namespace/casesup created #kubectl get namespace NAME STATUS AGE casesup Active 4s default Active 6m17s kube-node-lease Active 6m18s kube-public Active 6m18s kube-system Active 6m18s kubernetes-dashboard Active 6m6s
Also, it's possible to create namespace from YAML file. Easy way to create a namespace from YAML file, first export any existing namespace to a file then change it as you wish.
#kubectl get namespace casesup -o yaml > /tmp/test.yaml #cat /tmp/test.yaml apiVersion: v1 kind: Namespace metadata: creationTimestamp: "2020-01-04T10:46:10Z" name: casesup resourceVersion: "1274" selfLink: /api/v1/namespaces/casesup uid: d2f1383a-c2d2-4aee-a076-31555e5925d1 spec: finalizers: - kubernetes status: phase: Active #vi /tmp/test.yaml --remove spesific id and replace names. #cat /tmp/test.yaml apiVersion: v1 kind: Namespace metadata: name: casesupclone #kubectl create -f /tmp/test.yaml namespace/casesupclone created #kubectl get namespaces NAME STATUS AGE casesup Active 5m29s casesupclone Active 5s default Active 11m kube-node-lease Active 11m kube-public Active 11m kube-system Active 11m kubernetes-dashboard Active 11m
Selecting Namespaces from the command line
If you run a command without specifying a namespace, it will be run at default namespace. To apply an action for the specific namespace, we should use "-n" or "--namespace" option or you need to define a namespace in YAML file. I added a basic example of Nginx POD. You can use "--dry-run" and "-o yaml" option to perform a test scenario without creating a deployment. If you want to create deployment then remove --dry-run and -o yaml options.
#kubectl create deployment --image nginx nginx --namespace=casesup --dry-run -o yaml
apiVersion: apps/v1
kind: Deployment
metadata:
creationTimestamp: null
labels:
app: nginx
name: nginx
namespace: casesup
spec:
replicas: 1
selector:
matchLabels:
app: nginx
strategy: {}
template:
metadata:
creationTimestamp: null
labels:
app: nginx
spec:
containers:
- image: nginx
name: nginx
resources: {}
status: {}
#kubectl create deployment --image nginx nginx --namespace=casesup deployment.apps/nginx created #kubectl get deployment No resources found in default namespace. #kubectl get pod -n casesup NAME READY STATUS RESTARTS AGE nginx-86c57db685-m652f 1/1 Running 0 39s #kubectl get deployment -n casesup NAME READY UP-TO-DATE AVAILABLE AGE nginx 1/1 1 1 46s
Selecting Namespaces by changing Context
#kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
* minikube minikube minikube
#kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority: /root/.minikube/ca.crt
server: https://172.17.0.8:8443
name: minikube
contexts:
- context:
cluster: minikube
user: minikube
name: minikube
current-context: minikube
kind: Config
preferences: {}
users:
- name: minikube
user:
client-certificate: /root/.minikube/client.crt
client-key: /root/.minikube/client.key
The above command sets indicate that there is only one context that hasn't any namespace attribute. So, default namespace applies when you run a command. Let's try to change it.
#kubectl config set-context $(kubectl config current-context) --namespace=casesup
Context "minikube" modified.
#kubectl config view
apiVersion: v1
clusters:
- cluster:
certificate-authority: /root/.minikube/ca.crt
server: https://172.17.0.8:8443
name: minikube
contexts:
- context:
cluster: minikube
namespace: casesup
user: minikube
name: minikube
current-context: minikube
kind: Config
preferences: {}
users:
- name: minikube
user:
client-certificate: /root/.minikube/client.crt
client-key: /root/.minikube/client.key
Time to test your skills. Use Katacoda and find out the answers.
Question 1: How to list all namespaces?
#kubectl get namespaces NAME STATUS AGE default Active 28s kube-node-lease Active 31s kube-public Active 31s kube-system Active 31s kubernetes-dashboard Active 14s
Question 2: How to list pods for kube-system namespace?
#kubectl get pods -n kube-system NAME READY STATUS RESTARTS AGE coredns-6955765f44-d276m 1/1 Running 0 5m1s coredns-6955765f44-jtzlk 1/1 Running 0 5m1s etcd-minikube 1/1 Running 0 5m2s kube-addon-manager-minikube 1/1 Running 0 5m1s kube-apiserver-minikube 1/1 Running 0 5m2s kube-controller-manager-minikube 1/1 Running 0 5m1s kube-proxy-pdrhh 1/1 Running 0 5m kube-scheduler-minikube 1/1 Running 0 5m1s storage-provisioner 1/1 Running 0 4m54s
Question 3: How to list all pods?
#kubectl get pods --all-namespaces NAMESPACE NAME READY STATUS RESTARTS AGE kube-system coredns-6955765f44-d276m 1/1 Running 0 3m54s kube-system coredns-6955765f44-jtzlk 1/1 Running 0 3m54s kube-system etcd-minikube 1/1 Running 0 3m55s kube-system kube-addon-manager-minikube 1/1 Running 0 3m54s kube-system kube-apiserver-minikube 1/1 Running 0 3m55s kube-system kube-controller-manager-minikube 1/1 Running 0 3m54s kube-system kube-proxy-pdrhh 1/1 Running 0 3m53s kube-system kube-scheduler-minikube 1/1 Running 0 3m54s kube-system storage-provisioner 1/1 Running 0 3m47s kubernetes-dashboard dashboard-metrics-scraper-7b64584c5c-8xlfq 1/1 Running 0 3m44s kubernetes-dashboard kubernetes-dashboard-79d9cd965-k2p6l 1/1 Running 0 3m44s
Question 4: Create a namespace called casesup?
#kubectl create namespace casesup namespace/casesup created
Question 5: Use casesup namespace and create Nginx Deployment.(Ex. #kubectl create deployment)
#kubectl create deployment --image nginx nginx --namespace=casesup deployment.apps/nginx created #kubectl get deployment -n casesup NAME READY UP-TO-DATE AVAILABLE AGE nginx 0/1 1 0 8s
Question 6: How to change namespace by setting context? Change namespace to the casesup.
#kubectl config set-context $(kubectl config current-context) --namespace=casesup Context "minikube" modified. #kubectl get pods NAME READY STATUS RESTARTS AGE nginx-86c57db685-lkfzg 1/1 Running 0 3m46s
Question 7: How to delete namespace named casesup?"
#kubectl delete namespace casesup namespace "casesup" deleted #kubectl get namespaces NAME STATUS AGE default Active 28m kube-node-lease Active 28m kube-public Active 28m kube-system Active 28m kubernetes-dashboard Active 28m
