Kubernetes also has an additional construct for isolation at the cluster level. In most cases, you can run Kubernetes and never worry about namespaces; everything will run in the default namespace if not specified. However, in cases where you run multitenancy communities or want broad-scale segregation and isolation of the cluster resources, namespaces can be used to this end. True, end-to-end multitenancy is not yet feature complete in Kubernetes, but you can get very close using RBAC, container permissions, ingress rules, and clear network policing. If you're interested in enterprise-strength multitenancy right now, Red Hat's Openshift Origin (OO) would be a good place to learn.
To start, Kubernetes has two namespaces—default and kube-system. The kube-system namespace is used for all the system-level containers we saw in Chapter 1, Introduction to Kubernetes, in the Services running on the minions section. UI, logging, DNS, and so on are all run in kube-system. Everything else the user creates runs in the default namespace. However, our resource definition files can optionally specify a custom namespace. For the sake of experimenting, let's take a look at how to build a new namespace.
First, we'll need to create a namespace definition file test-ns.yaml like the one in the following lines of code:
apiVersion: v1
kind: Namespace
metadata:
name: test
We can go ahead and create this file with our handy create command:
$ kubectl create -f test-ns.yaml
Now, we can create resources that use the test namespace. The following listing, ns-pod.yaml, is an example of a pod using this new namespace:
apiVersion: v1
kind: Pod
metadata:
name: utility
namespace: test
spec:
containers:
- image: debian:latest
command:
- sleep
- "3600"
name: utility
While the pod can still access services in other namespaces, it will need to use the long DNS form of <service-name>.<namespace-name>.cluster.local. For example, if you were to run a command from inside the container in listing ns-pod.yaml, you could use node-js.default.cluster.local to access the Node.js example from Chapter 2, Pods, Services, Replication Controllers, and Labels.
$ kubectl delete pod <pod name>
$ kubectl delete svc <service name>
$ kubectl delete rc <replication controller name>
$ kubectl delete rs <replicaset name>.