# Namespaces

## 1. Namespace Concepts

A namespace is the Kubernetes mechanism for resource isolation: it divides one physical cluster into multiple virtual clusters.

### 1.1 What Namespaces Are Used For

```text
What namespaces are used for
    │
    ├── Resource isolation
    │   ├── Different environments (dev/test/prod)
    │   ├── Different teams
    │   └── Different projects
    │
    ├── Access control
    │   ├── RBAC bindings
    │   └── Access restrictions
    │
    └── Resource limits
        ├── ResourceQuota
        └── LimitRange
```

### 1.2 Default Namespaces

| Namespace | Description |
| --- | --- |
| default | The default namespace for objects created without one |
| kube-system | Namespace for system components |
| kube-public | Namespace for publicly readable resources |
| kube-node-lease | Namespace for node heartbeat (Lease) objects |

## 2. Working with Namespaces

### 2.1 Creating a Namespace

```yaml
# namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: development
  labels:
    env: dev
```

```bash
# Create from the command line
kubectl create namespace development

# Create from a file
kubectl apply -f namespace.yaml
```

### 2.2 Listing Namespaces

```bash
# List all namespaces
kubectl get namespaces
kubectl get ns

# Example output
NAME              STATUS   AGE
default           Active   10d
development       Active   1h
kube-node-lease   Active   10d
kube-public       Active   10d
kube-system       Active   10d
production        Active   30m

# Show the details of one namespace
kubectl describe namespace development
```

### 2.3 Operating Inside a Namespace

```bash
# Create resources in a specific namespace
kubectl apply -f deployment.yaml -n development

# List resources in a specific namespace
kubectl get pods -n development

# List resources across all namespaces
kubectl get pods -A
kubectl get pods --all-namespaces

# Delete a namespace (and everything in it)
kubectl delete namespace development
```

### 2.4 Setting the Default Namespace

```bash
# Set the default namespace for the current context
kubectl config set-context --current --namespace=development

# Show the current namespace
kubectl config view --minify | grep namespace
```

## 3. Namespaces and Resources

### 3.1 Namespace Scope

```text
Namespace-scoped resources
    │
    ├── Pod
    ├── Service
    ├── Deployment
    ├── ReplicaSet
    ├── StatefulSet
    ├── ConfigMap
    ├── Secret
    ├── PVC
    └── ResourceQuota

Cluster-scoped resources
    │
    ├── Node
    ├── Namespace
    ├── ClusterRole
    ├── ClusterRoleBinding
    ├── PersistentVolume
    └── StorageClass
```

### 3.2 Cross-Namespace Access

```yaml
# A Service reached from another namespace
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: development
spec:
  selector:
    app: nginx
  ports:
  - port: 80

# Access from another namespace uses the fully qualified DNS name
# Format:  <service-name>.<namespace>.svc.cluster.local
# Example: my-service.development.svc.cluster.local
```

## 4. Resource Quotas

### 4.1 ResourceQuota Overview

A ResourceQuota caps the total amount of resources that can be consumed within a namespace.

```yaml
# resource-quota.yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-quota
  namespace: development
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    pods: "10"
    services: "5"
    secrets: "10"
    configmaps: "10"
    persistentvolumeclaims: "5"
```

### 4.2 Quota Types

```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: full-quota
  namespace: development
spec:
  hard:
    # Compute resources
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi

    # Storage resources
    requests.storage: 100Gi
    persistentvolumeclaims: "10"

    # Object counts
    pods: "20"
    services: "10"
    secrets: "20"
    configmaps: "20"
    replicationcontrollers: "5"
    resourcequotas: "1"

    # Counts by resource type
    count/deployments.apps: "10"
    count/statefulsets.apps: "5"
    count/jobs.batch: "10"
```

### 4.3 Checking Quota Usage

```bash
# List quotas
kubectl get resourcequota -n development

# Show quota details
kubectl describe resourcequota compute-quota -n development

# Example output
Name:            compute-quota
Namespace:       development
Resource         Used   Hard
--------         ----   ----
limits.cpu       2      8
limits.memory    4Gi    16Gi
pods             5      10
requests.cpu     1      4
requests.memory  2Gi    8Gi
```

### 4.4 Quota Scopes

```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: scoped-quota
  namespace: development
spec:
  hard:
    pods: "4"
  scopes:
  - Terminating
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: besteffort-quota
  namespace: development
spec:
  hard:
    pods: "10"
  scopes:
  - BestEffort
```

| Scope | Description |
| --- | --- |
| Terminating | Pods that have activeDeadlineSeconds set |
| NotTerminating | Pods without activeDeadlineSeconds |
| BestEffort | Pods with no resource requests (BestEffort QoS) |
| NotBestEffort | Pods that do have resource requests |

## 5. Limit Ranges

### 5.1 LimitRange Overview

A LimitRange constrains the size of each individual resource (a container, a Pod, or a PVC) in a namespace, and can supply default requests and limits for containers that do not set their own.

```yaml
# limit-range.yaml
apiVersion: v1
kind: LimitRange
metadata:
  name: resource-limits
  namespace: development
spec:
  limits:
  - type: Container
    default:
      cpu: 200m
      memory: 256Mi
    defaultRequest:
      cpu: 100m
      memory: 128Mi
    min:
      cpu: 50m
      memory: 64Mi
    max:
      cpu: 1
      memory: 1Gi
    maxLimitRequestRatio:
      cpu: 2
```

### 5.2 Container Limits

```yaml
apiVersion: v1
kind: LimitRange
metadata:
  name: container-limits
  namespace: development
spec:
  limits:
  - type: Container
    default:        # default limits
      cpu: 200m
      memory: 256Mi
    defaultRequest: # default requests
      cpu: 100m
      memory: 128Mi
    min:            # minimum values
      cpu: 50m
      memory: 64Mi
    max:            # maximum values
      cpu: 2
      memory: 2Gi
    maxLimitRequestRatio: # maximum limits/requests ratio
      cpu: 3
      memory: 2
```

### 5.3 Pod Limits

```yaml
apiVersion: v1
kind: LimitRange
metadata:
  name: pod-limits
  namespace: development
spec:
  limits:
  - type: Pod
    max:
      cpu: 4
      memory: 4Gi
    min:
      cpu: 200m
      memory: 256Mi
```

### 5.4 PVC Limits

```yaml
apiVersion: v1
kind: LimitRange
metadata:
  name: storage-limits
  namespace: development
spec:
  limits:
  - type: PersistentVolumeClaim
    max:
      storage: 50Gi
    min:
      storage: 1Gi
```

### 5.5 Inspecting Limit Ranges

```bash
# List LimitRanges
kubectl get limitrange -n development

# Show details
kubectl describe limitrange resource-limits -n development
```
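Sections 4 and 5 describe two admission checks that run together: the LimitRange fills in and bounds each container's requests and limits, and the ResourceQuota then compares the Pod's totals against what the namespace has left. The script below is an added example, not code from the original page or from Kubernetes itself: it simulates both checks for the `development` namespace using the `resource-limits` LimitRange from 5.1 and the `Used`/`Hard` columns of the `compute-quota` output from 4.3. The container specs handed to `admit_pod()` are constructed inputs, and the model is simplified to the container-level cpu/memory rules and the pod-related quota keys.

```python
"""Simulate LimitRange defaulting/validation and ResourceQuota accounting for a
new Pod in the `development` namespace. Added example, not code from this page
or from Kubernetes; values are copied from the page's objects, inputs are
constructed."""
import re
from fractions import Fraction

# Suffixes accepted by Kubernetes quantities (decimal and binary SI), kept exact.
_SUFFIX = {"m": Fraction(1, 1000), "": 1, "k": 10**3, "M": 10**6, "G": 10**9,
           "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}

def parse_quantity(q):
    """Convert '200m', '1', '256Mi' or '8Gi' into an exact Fraction."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([A-Za-z]*)", str(q))
    if not m or m.group(2) not in _SUFFIX:
        raise ValueError(f"unsupported quantity: {q!r}")
    return Fraction(m.group(1)) * _SUFFIX[m.group(2)]

# spec.limits[0] of the page's resource-limits LimitRange (type: Container).
LIMIT_RANGE = {"default": {"cpu": "200m", "memory": "256Mi"},
               "defaultRequest": {"cpu": "100m", "memory": "128Mi"},
               "min": {"cpu": "50m", "memory": "64Mi"},
               "max": {"cpu": "1", "memory": "1Gi"},
               "maxLimitRequestRatio": {"cpu": "2"}}

# Hard / Used columns of the compute-quota describe output on this page.
QUOTA_HARD = {"requests.cpu": "4", "requests.memory": "8Gi",
              "limits.cpu": "8", "limits.memory": "16Gi", "pods": "10"}
QUOTA_USED = {"requests.cpu": "1", "requests.memory": "2Gi",
              "limits.cpu": "2", "limits.memory": "4Gi", "pods": "5"}

def apply_limit_range(container, lr):
    """Fill missing requests/limits from the LimitRange, then return
    (resources, violations): min is checked against requests, max against
    limits, maxLimitRequestRatio against limit/request."""
    res = {"requests": dict(container.get("requests", {})),
           "limits": dict(container.get("limits", {}))}
    errors = []
    for r in ("cpu", "memory"):
        req, lim = res["requests"].get(r), res["limits"].get(r)
        if req is None and lim is not None:
            req = lim                       # API defaulting: request falls back to limit
        req = req if req is not None else lr["defaultRequest"][r]
        lim = lim if lim is not None else lr["default"][r]
        res["requests"][r], res["limits"][r] = req, lim
        q_req, q_lim = parse_quantity(req), parse_quantity(lim)
        if r in lr["min"] and q_req < parse_quantity(lr["min"][r]):
            errors.append(f"{r} request {req} is below min {lr['min'][r]}")
        if r in lr["max"] and q_lim > parse_quantity(lr["max"][r]):
            errors.append(f"{r} limit {lim} is above max {lr['max'][r]}")
        ratio = lr.get("maxLimitRequestRatio", {}).get(r)
        if ratio and q_lim / q_req > parse_quantity(ratio):
            errors.append(f"{r} limit/request ratio {float(q_lim / q_req):g} "
                          f"exceeds {ratio}")
    return res, errors

def check_quota(containers, hard, used):
    """Compare used + this Pod's totals against hard for every constrained key.
    A container that leaves a quota-constrained compute resource unset is
    rejected outright, which is why a LimitRange usually accompanies a quota."""
    errors, need = [], {"pods": Fraction(1)}
    for c in containers:
        for kind in ("requests", "limits"):
            for r, q in c.get(kind, {}).items():
                need[f"{kind}.{r}"] = need.get(f"{kind}.{r}", 0) + parse_quantity(q)
    for key, h in hard.items():
        kind, _, r = key.partition(".")     # e.g. "requests", "cpu"
        if key != "pods" and any(r not in c.get(kind, {}) for c in containers):
            errors.append(f"must specify {key}")
            continue
        total = parse_quantity(used.get(key, "0")) + need.get(key, 0)
        if total > parse_quantity(h):
            errors.append(f"exceeded quota: {key}, used={used.get(key, '0')} "
                          f"requested={float(need.get(key, 0)):g} limited={h}")
    return errors

def admit_pod(containers, lr=LIMIT_RANGE, hard=QUOTA_HARD, used=QUOTA_USED):
    """Run both checks in admission order; lr=None models a namespace with no
    LimitRange. Returns (admitted, defaulted_containers, messages)."""
    defaulted, errors = [], []
    for c in containers:
        if lr is None:
            res, errs = {"requests": dict(c.get("requests", {})),
                         "limits": dict(c.get("limits", {}))}, []
        else:
            res, errs = apply_limit_range(c, lr)
        defaulted.append(res)
        errors += [f"LimitRange: {e}" for e in errs]
    errors += [f"ResourceQuota: {e}" for e in check_quota(defaulted, hard, used)]
    return not errors, defaulted, errors
```

Calling `admit_pod([{}])` shows the happy path: the container gets the 100m/128Mi requests and 200m/256Mi limits from the LimitRange and the Pod fits in the remaining quota. A container asking for `limits.cpu: "2"` with `requests.cpu: "50m"` trips both the `max` and the `maxLimitRequestRatio` rules, four containers each requesting one CPU push `requests.cpu` past the hard value of 4, and passing `lr=None` reproduces the "must specify" rejection that the notes in section 8.3 warn about.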

## 6. Namespaces in Practice

### 6.1 Environment Isolation

```yaml
# Development environment
apiVersion: v1
kind: Namespace
metadata:
  name: development
  labels:
    env: development
---
# Staging environment
apiVersion: v1
kind: Namespace
metadata:
  name: staging
  labels:
    env: staging
---
# Production environment
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    env: production
```

### 6.2 Team Isolation

```yaml
# Team A namespace
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
  labels:
    team: a
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a
spec:
  hard:
    requests.cpu: "2"
    requests.memory: 4Gi
    pods: "10"
---
# Team B namespace
apiVersion: v1
kind: Namespace
metadata:
  name: team-b
  labels:
    team: b
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-b-quota
  namespace: team-b
spec:
  hard:
    requests.cpu: "2"
    requests.memory: 4Gi
    pods: "10"
```

### 6.3 Complete Configuration Example

```yaml
# complete-namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: myapp
  labels:
    env: production
    team: backend
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: myapp-quota
  namespace: myapp
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    pods: "20"
    services: "10"
    secrets: "20"
    configmaps: "20"
    persistentvolumeclaims: "10"
---
apiVersion: v1
kind: LimitRange
metadata:
  name: myapp-limits
  namespace: myapp
spec:
  limits:
  - type: Container
    default:
      cpu: 200m
      memory: 256Mi
    defaultRequest:
      cpu: 100m
      memory: 128Mi
    min:
      cpu: 50m
      memory: 64Mi
    max:
      cpu: 1
      memory: 1Gi
  - type: PersistentVolumeClaim
    max:
      storage: 50Gi
    min:
      storage: 1Gi
```
## 7. Namespaces and RBAC

### 7.1 Namespace-Scoped Roles

```yaml
# Namespace-scoped role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: development
rules:
- apiGroups: [""]
  resources: ["pods", "services", "configmaps", "secrets"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer-binding
  namespace: development
subjects:
- kind: User
  name: dev-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io
```

### 7.2 Restricting Access to a Namespace

```yaml
# Grant full access, but only within one namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: namespace-admin
  namespace: team-a
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-admin-binding
  namespace: team-a
subjects:
- kind: Group
  name: team-a-admins
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: namespace-admin
  apiGroup: rbac.authorization.k8s.io
```
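The two RBAC objects above are only as restrictive as the namespace they live in: a RoleBinding in `development` never grants anything in `production`, and the wildcard `namespace-admin` Role in 7.2 is full admin of `team-a`, Secrets included, even though it cannot touch any other namespace. The script below is an added example, not code from the original page or from Kubernetes; it loads the rules from sections 7.1 and 7.2, answers "can this subject do this?" the way `kubectl auth can-i` would for Role/RoleBinding pairs, and flags fully wildcarded roles for review. It models Role and RoleBinding only (no ClusterRole or ClusterRoleBinding), and the user name `alice` used in the checks is constructed.

```python
"""Evaluate namespace-scoped RBAC from the Role/RoleBinding objects on this
page and audit for fully wildcarded roles. Added example, not code from the
page or from Kubernetes; models Role and RoleBinding only."""

# Roles keyed by (namespace, name); rules copied from the page's YAML.
ROLES = {
    ("development", "developer"): [
        {"apiGroups": [""], "resources": ["pods", "services", "configmaps", "secrets"],
         "verbs": ["get", "list", "watch", "create", "update", "delete"]},
        {"apiGroups": ["apps"], "resources": ["deployments", "replicasets"],
         "verbs": ["get", "list", "watch", "create", "update", "delete"]},
    ],
    ("team-a", "namespace-admin"): [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ],
}

# RoleBindings: each binds its subjects to a Role in the binding's own namespace.
BINDINGS = [
    {"namespace": "development", "role": "developer",
     "subjects": [("User", "dev-user")]},
    {"namespace": "team-a", "role": "namespace-admin",
     "subjects": [("Group", "team-a-admins")]},
]

def _allows(rule, verb, api_group, resource):
    """A rule matches when every field lists the value or the '*' wildcard."""
    def hit(allowed, value):
        return "*" in allowed or value in allowed
    return (hit(rule["verbs"], verb) and hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource))

def can_i(user, groups, verb, resource, namespace, api_group=""):
    """True if a RoleBinding in `namespace` names the user (or one of the
    groups) and its Role has a rule allowing the request. Bindings in other
    namespaces never apply, which is what makes a Role namespace-scoped."""
    subjects = {("User", user)} | {("Group", g) for g in groups}
    for b in BINDINGS:
        if b["namespace"] != namespace or not subjects & set(b["subjects"]):
            continue
        rules = ROLES.get((b["namespace"], b["role"]), [])
        if any(_allows(r, verb, api_group, resource) for r in rules):
            return True
    return False

def wildcard_roles(roles=ROLES):
    """Return (namespace, role) pairs that have a rule wildcarded on every
    field. Such a role is full admin of its namespace, Secrets included, so it
    is worth flagging in an RBAC review."""
    return sorted(key for key, rules in roles.items()
                  if any(all("*" in r[f] for f in ("apiGroups", "resources", "verbs"))
                         for r in rules))
```

Note the `api_group` argument: `deployments` live in the `apps` group, so a request for `get deployments` with the core group (`""`) is denied even though the `developer` Role allows it under `apps`, which mirrors how the real authorizer matches `apiGroups`.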

## 8. Namespace Best Practices

### 8.1 Naming Conventions

```text
Naming conventions
    │
    ├── Use lowercase letters
    │
    ├── Separate words with hyphens
    │
    ├── Avoid special characters
    │
    ├── Use meaningful names
    │   ├── <env>-<project>
    │   ├── <team>-<service>
    │   └── <customer>-<app>
    │
    └── Add labels
        ├── env: development/staging/production
        └── team: team-name
```

### 8.2 Suggested Resource Quotas

| Environment | CPU | Memory | Pods |
| --- | --- | --- | --- |
| Development | 2 cores | 4Gi | 10 |
| Testing | 4 cores | 8Gi | 20 |
| Production | 8+ cores | 16Gi+ | 50+ |

### 8.3 Things to Watch Out For

```text
Things to watch out for
    │
    ├── Deleting a namespace deletes every resource inside it
    │
    ├── A ResourceQuota requires Pods to set resources (requests/limits)
    │
    ├── Services in other namespaces must be addressed by their FQDN
    │
    └── Do not deploy business workloads in the system namespaces
```

## 9. Summary

### 9.1 Key Points

| Topic | Summary |
| --- | --- |
| Purpose | Resource isolation and multi-tenancy |
| Default namespaces | default, kube-system, kube-public |
| Resource quotas | ResourceQuota caps the total per namespace |
| Limit ranges | LimitRange bounds each individual resource |
| Access control | Used together with RBAC |

### 9.2 Next Steps

Now that you understand how namespaces are used, move on to Labels and Selectors to learn how to tag resources and filter queries.

Last updated: 2026-03-28