Concept Overview

A Namespace is the Kubernetes mechanism for resource isolation and multi-tenant management. It partitions one cluster into several virtual clusters: resource names must be unique within a Namespace, but the same name may be reused in different Namespaces. A Namespace is a scope for names, quotas, RBAC and network policy, not a security boundary on its own: pods from different Namespaces still share nodes, the kubelet and the control plane, and cluster-scoped objects such as Nodes, PersistentVolumes, ClusterRoles and CustomResourceDefinitions are not namespaced at all.

Core Concepts

  1. Resource isolation: divides cluster resources into multiple logical partitions
  2. Naming scope: gives resources a scope so that names do not collide
  3. Multi-tenancy: lets several teams or projects share one cluster
  4. Resource quotas: per-Namespace limits on how much of the cluster may be consumed

How Namespaces Work

  1. Scope isolation: resources within one Namespace must have unique names
  2. Network isolation: by default there is none; every pod can reach every other pod across Namespaces. Isolation is added with NetworkPolicy objects and only takes effect if the cluster's CNI plugin enforces them
  3. Resource management: ResourceQuota caps what a Namespace may consume, LimitRange sets per-container defaults and bounds
  4. Access control: RBAC Roles and RoleBindings scope a user's or ServiceAccount's permissions to a Namespace

Core Features

  1. Resource isolation: partitions the cluster into logical units
  2. Naming scope: gives resources a naming scope and avoids name conflicts
  3. Resource quotas: CPU, memory, storage and object-count limits per Namespace
  4. Access control: role-based access control (RBAC) scoped to the Namespace
  5. Built-in Namespaces: every cluster starts with default, kube-system, kube-public and kube-node-lease; application workloads should not be placed in default or kube-system
  6. Labels and annotations: Namespaces can be labelled and annotated for classification, and since v1.21 every Namespace automatically carries the immutable label kubernetes.io/metadata.name so that selectors can match it by name

Hands-on Tutorial

Creating a Namespace

# Create with kubectl
kubectl create namespace development

# Create from a YAML file
cat <<EOF > namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    environment: production
    team: backend
EOF
kubectl apply -f namespace.yaml

Creating Resources in a Namespace

# Create a Deployment (which in turn creates the Pods) in the development Namespace
kubectl create deployment nginx --image=nginx -n development

# Set the Namespace in the manifest itself; metadata.namespace takes precedence over the
# kubectl context, and kubectl apply -n <other> refuses a manifest whose namespace differs
cat <<EOF > pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
  namespace: production
spec:
  containers:
  - name: app
    image: busybox
    command: ["sleep", "3600"]
EOF
kubectl apply -f pod.yaml

Switching the Namespace Context

# Set the default Namespace for the current context (affects every later kubectl command
# that uses this kubeconfig, including scripts run from other shells)
kubectl config set-context --current --namespace=development

# Show the Namespace of the current context
kubectl config view --minify -o jsonpath='{..namespace}'

# Override the Namespace for a single command
kubectl get pods -n production

Real-World Case

Case: Enterprise Multi-Environment Platform

A large enterprise runs development, test, staging and production environments in one Kubernetes cluster and uses Namespaces for environment isolation and resource management:

# Development environment Namespace
apiVersion: v1
kind: Namespace
metadata:
  name: dev
  labels:
    environment: development
    team: all
  annotations:
    description: "Development environment for all teams"
---
# Test environment Namespace
apiVersion: v1
kind: Namespace
metadata:
  name: test
  labels:
    environment: testing
    team: qa
  annotations:
    description: "Testing environment for QA team"
---
# Staging environment Namespace
apiVersion: v1
kind: Namespace
metadata:
  name: staging
  labels:
    environment: staging
    team: operations
  annotations:
    description: "Staging environment for pre-production testing"
---
# Production environment Namespace
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    environment: production
    team: operations
  annotations:
    description: "Production environment - handle with care"
---
# ResourceQuota for development environment
apiVersion: v1
kind: ResourceQuota
metadata:
  name: dev-resource-quota
  namespace: dev
spec:
  hard:
    requests.cpu: "2"
    requests.memory: 4Gi
    limits.cpu: "4"
    limits.memory: 8Gi
    persistentvolumeclaims: "10"
    services.loadbalancers: "0"
    services.nodeports: "0"
---
# ResourceQuota for production environment
apiVersion: v1
kind: ResourceQuota
metadata:
  name: prod-resource-quota
  namespace: production
spec:
  hard:
    requests.cpu: "16"
    requests.memory: 32Gi
    limits.cpu: "32"
    limits.memory: 64Gi
    persistentvolumeclaims: "50"
    services.loadbalancers: "10"
    services.nodeports: "5"
---
# LimitRange for development environment
apiVersion: v1
kind: LimitRange
metadata:
  name: dev-limit-range
  namespace: dev
spec:
  limits:
  - default:
      cpu: 200m
      memory: 256Mi
    defaultRequest:
      cpu: 100m
      memory: 128Mi
    type: Container
---
# LimitRange for production environment
apiVersion: v1
kind: LimitRange
metadata:
  name: prod-limit-range
  namespace: production
spec:
  limits:
  - default:
      cpu: 1
      memory: 2Gi
    defaultRequest:
      cpu: 500m
      memory: 1Gi
    type: Container
---
# Network Policy for production environment
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: prod-network-policy
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  # Two entries under one "from" are ORed: traffic is accepted from any pod in a
  # Namespace labelled environment=staging, OR from pods labelled app=monitoring in
  # the production Namespace itself (a podSelector on its own never crosses Namespaces)
  - from:
    - namespaceSelector:
        matchLabels:
          environment: staging
    - podSelector:
        matchLabels:
          app: monitoring
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          environment: production
  # Without this rule the environment-only egress above also blocks DNS, because
  # CoreDNS runs in kube-system; open port 53 to that Namespace explicitly
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
---
# RBAC for development team
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev
  name: dev-developer
rules:
- apiGroups: [""]
  resources: ["pods", "services", "configmaps", "secrets"]
  verbs: ["get", "list", "create", "update", "delete"]
- apiGroups: ["apps"]
  resources: ["deployments", "statefulsets", "daemonsets"]
  verbs: ["get", "list", "create", "update", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-developers
  namespace: dev
subjects:
- kind: User
  name: alice
  apiGroup: rbac.authorization.k8s.io
- kind: User
  name: bob
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dev-developer
  apiGroup: rbac.authorization.k8s.io

Advantages of this multi-environment layout, with the caveats that apply:

  • Environment isolation: names, quotas, RBAC and network policy are scoped per environment. The isolation is logical; pods from all four environments still share nodes, the kubelet and the control plane, so a tenant that must not be trusted with the others needs dedicated node pools or a separate cluster
  • Resource control: each environment gets its own ResourceQuota and LimitRange, so a runaway deployment in dev cannot starve production
  • Access control: each team is bound only in its own Namespace. Note that the dev-developer Role grants get and list on secrets, which lets every developer read every Secret value in dev; grant that only where it is genuinely needed
  • Network security: NetworkPolicy governs which environments may talk to each other, provided the CNI enforces it
  • Standardised management: one set of labels, quotas and policies applied the same way to every environment
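To see what a NetworkPolicy such as prod-network-policy actually admits, here is a small offline evaluator, added as an illustration; it is not from the original page and not Kubernetes' own code. It implements the matchLabels subset of the NetworkPolicy semantics (separate from/to entries are ORed, namespaceSelector and podSelector within one entry are ANDed, a lone podSelector is scoped to the policy's own Namespace, a pod selected by no policy in a direction accepts everything, a rule without ports covers all ports) and ignores ipBlock and matchExpressions. The endpoints are constructed; Namespace labels follow the case study, and kube-system is assumed to carry only the built-in kubernetes.io/metadata.name label. It shows that an egress rule limited to environment=production cuts off DNS in kube-system until a port-53 rule to that Namespace is added. The same evaluator can be pointed at the default-deny pair in the security section below.

```python
from collections import namedtuple
from typing import Dict, List, Optional

# A pod as the policy engine sees it: Namespace name, the Namespace's labels, its own labels.
Endpoint = namedtuple("Endpoint", "namespace ns_labels pod_labels")


def selector_matches(selector: Optional[dict], labels: Dict[str, str]) -> bool:
    """None means the field is absent (matches nothing); {} matches everything. matchLabels only."""
    if selector is None:
        return False
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer: dict, policy_ns: str, other: Endpoint) -> bool:
    """One from/to entry: namespaceSelector AND podSelector when both are present;
    a podSelector on its own only matches pods in the policy's own Namespace."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # ipBlock-only entries are not modelled
    if ns_sel is not None:
        if not selector_matches(ns_sel, other.ns_labels):
            return False
    elif other.namespace != policy_ns:
        return False
    return pod_sel is None or selector_matches(pod_sel, other.pod_labels)


def ports_match(rule: dict, port: int, proto: str) -> bool:
    """A rule without ports covers every port; protocol defaults to TCP."""
    return "ports" not in rule or any(
        p.get("port") == port and p.get("protocol", "TCP") == proto for p in rule["ports"])


def policy_types(spec: dict) -> List[str]:
    """Default: Ingress always, Egress only when egress rules are present."""
    return spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])


def direction_allows(policies, src: Endpoint, dst: Endpoint, direction: str, port: int, proto: str) -> bool:
    local, remote = (src, dst) if direction == "Egress" else (dst, src)
    rules_key, peers_key = ("egress", "to") if direction == "Egress" else ("ingress", "from")
    isolated = False
    for pol in policies:
        spec = pol["spec"]
        if pol["metadata"]["namespace"] != local.namespace or direction not in policy_types(spec):
            continue
        if not selector_matches(spec.get("podSelector", {}), local.pod_labels):
            continue
        isolated = True  # at least one policy selects this pod for this direction
        for rule in spec.get(rules_key, []):
            peers = rule.get(peers_key)
            if ports_match(rule, port, proto) and (
                    not peers or any(peer_matches(p, local.namespace, remote) for p in peers)):
                return True
    return not isolated  # a pod selected by no policy accepts everything


def allowed(policies: List[dict], src: Endpoint, dst: Endpoint, port: int, proto: str = "TCP") -> bool:
    """Egress policies in src's Namespace and ingress policies in dst's Namespace must both allow it."""
    return (direction_allows(policies, src, dst, "Egress", port, proto)
            and direction_allows(policies, src, dst, "Ingress", port, proto))


# prod-network-policy from the case study as a dict: environment-only egress, no DNS exception.
PROD_POLICY = {
    "metadata": {"name": "prod-network-policy", "namespace": "production"},
    "spec": {
        "podSelector": {},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"environment": "staging"}}},
                              {"podSelector": {"matchLabels": {"app": "monitoring"}}}]}],
        "egress": [{"to": [{"namespaceSelector": {"matchLabels": {"environment": "production"}}}]}],
    },
}
# The same policy plus an egress rule for DNS to kube-system (selected by its built-in name label).
DNS_RULE = {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}}}],
            "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}
PROD_POLICY_WITH_DNS = {"metadata": PROD_POLICY["metadata"],
                        "spec": {**PROD_POLICY["spec"], "egress": PROD_POLICY["spec"]["egress"] + [DNS_RULE]}}

# Constructed endpoints.
prod_api = Endpoint("production", {"environment": "production"}, {"app": "api"})
prod_monitor = Endpoint("production", {"environment": "production"}, {"app": "monitoring"})
staging_job = Endpoint("staging", {"environment": "staging"}, {"app": "smoke-test"})
dev_pod = Endpoint("dev", {"environment": "development"}, {"app": "api"})
other_monitor = Endpoint("monitoring", {"kubernetes.io/metadata.name": "monitoring"}, {"app": "monitoring"})
kube_dns = Endpoint("kube-system", {"kubernetes.io/metadata.name": "kube-system"}, {"k8s-app": "kube-dns"})


def demo() -> Dict[str, bool]:
    """Which flows the case-study policy admits, with and without the DNS rule."""
    base, fixed = [PROD_POLICY], [PROD_POLICY_WITH_DNS]
    return {
        "staging -> prod api:8080": allowed(base, staging_job, prod_api, 8080),            # True
        "dev -> prod api:8080": allowed(base, dev_pod, prod_api, 8080),                    # False
        "prod monitoring -> prod api:8080": allowed(base, prod_monitor, prod_api, 8080),   # True
        "monitoring ns -> prod api:8080": allowed(base, other_monitor, prod_api, 8080),    # False: lone podSelector stays in-namespace
        "prod api -> kube-dns:53/udp": allowed(base, prod_api, kube_dns, 53, "UDP"),       # False: DNS cut off
        "prod api -> kube-dns:53/udp with DNS rule": allowed(fixed, prod_api, kube_dns, 53, "UDP"),  # True
        "prod api -> kube-dns:9153 with DNS rule": allowed(fixed, prod_api, kube_dns, 9153),         # False: only port 53 opened
    }
```

Running demo() reproduces the two traps in the original manifest: the monitoring pods that the ingress rule admits are only those inside production, because a podSelector without a namespaceSelector never reaches into another Namespace, and an egress allow list that names only production silently breaks name resolution for every pod the policy selects.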

Configuration Reference

Namespace Labels and Annotations

apiVersion: v1
kind: Namespace
metadata:
  name: example-namespace
  labels:
    environment: production
    team: backend
    cost-center: cc-1234
    compliance: pci-dss
  annotations:
    description: "Example namespace for production workloads"
    contact: "backend-team@example.com"
    sla-level: "high"
    backup-required: "true"

ResourceQuota Configuration

apiVersion: v1
kind: ResourceQuota
metadata:
  name: compute-resources
  namespace: example
spec:
  hard:
    # Compute resource quotas
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    
    # Storage quotas
    requests.storage: 500Gi
    persistentvolumeclaims: "20"
    
    # Object count quotas
    pods: "50"
    services: "20"
    services.loadbalancers: "5"
    services.nodeports: "10"
    configmaps: "100"
    secrets: "100"
    replicationcontrollers: "20"
    resourcequotas: "1"

LimitRange Configuration

apiVersion: v1
kind: LimitRange
metadata:
  name: container-limits
  namespace: example
spec:
  limits:
  # Per-container limits
  - default:
      cpu: 500m
      memory: 512Mi
    defaultRequest:
      cpu: 100m
      memory: 256Mi
    max:
      cpu: "2"
      memory: 2Gi
    min:
      cpu: 50m
      memory: 64Mi
    type: Container
    
  # Per-pod limits
  - max:
      cpu: "4"
      memory: 4Gi
    type: Pod
    
  # PersistentVolumeClaim limits
  - default:
      storage: 10Gi
    max:
      storage: 50Gi
    min:
      storage: 1Gi
    type: PersistentVolumeClaim
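The interplay between the two objects above is easiest to see by running the admission logic offline. The following is an added example, not from the original page and not Kubernetes' own code, that re-implements what the LimitRanger and ResourceQuota admission plugins do to a Pod: fill in defaults, check min and max, then require every quota-constrained compute resource to be set on every container and fit under the remaining quota. The quota and LimitRange are the compute-resources and container-limits manifests from this section as dicts (Pod and PersistentVolumeClaim LimitRange items are not modelled); the pods and the current usage figures are constructed.

```python
from typing import Dict, List, Optional, Tuple

# Kubernetes quantity suffixes; longer suffixes are listed first so "Mi" wins over "m".
_SUFFIXES = [("Ki", 1024), ("Mi", 1024 ** 2), ("Gi", 1024 ** 3), ("Ti", 1024 ** 4),
             ("m", 1e-3), ("k", 1e3), ("M", 1e6), ("G", 1e9)]
# Only these resource names are pod compute resources; requests.storage etc. apply to PVCs.
_POD_RESOURCES = {"cpu", "memory", "ephemeral-storage"}


def parse_quantity(value) -> float:
    """'500m' -> 0.5 cores, '256Mi' -> bytes, '4' -> 4.0. Only the suffixes above are handled."""
    s = str(value)
    for suffix, mult in _SUFFIXES:
        if s.endswith(suffix):
            return float(s[:-len(suffix)]) * mult
    return float(s)


def container_item(limit_range: dict) -> dict:
    return next(i for i in limit_range["spec"]["limits"] if i["type"] == "Container")


def apply_limit_range(container: dict, limit_range: dict) -> dict:
    """First LimitRanger step: missing limits come from `default`, missing requests from
    `defaultRequest`, and a request still unset falls back to the limit. Returns resources."""
    item, given = container_item(limit_range), container.get("resources", {})
    limits = {**item.get("default", {}), **given.get("limits", {})}
    requests = {**item.get("defaultRequest", {}), **given.get("requests", {})}
    for name, value in limits.items():
        requests.setdefault(name, value)
    return {"requests": requests, "limits": limits}


def check_limit_range(name: str, resources: dict, limit_range: dict) -> List[str]:
    """Second LimitRanger step: limits must not exceed max, requests must not be below min."""
    item, errs = container_item(limit_range), []
    for res, cap in item.get("max", {}).items():
        lim = resources["limits"].get(res)
        if lim is not None and parse_quantity(lim) > parse_quantity(cap):
            errs.append(f"{name}: {res} limit {lim} exceeds LimitRange max {cap}")
    for res, floor in item.get("min", {}).items():
        req = resources["requests"].get(res)
        if req is not None and parse_quantity(req) < parse_quantity(floor):
            errs.append(f"{name}: {res} request {req} is below LimitRange min {floor}")
    return errs


def quota_admits(containers: List[dict], quota: dict, used: Dict[str, str]) -> Tuple[bool, List[str]]:
    """ResourceQuota admission: each constrained requests.*/limits.* must be set on every
    container (a bare container is rejected outright), and used + new must fit under hard."""
    hard, errs, need = quota["spec"]["hard"], [], {}
    constrained = [k for k in hard if k.startswith(("requests.", "limits."))
                   and k.split(".", 1)[1] in _POD_RESOURCES]
    for c in containers:
        for key in constrained:
            scope, res = key.split(".", 1)
            value = c.get("resources", {}).get(scope, {}).get(res)
            if value is None:
                errs.append(f"{c['name']}: must specify {key}")
            else:
                need[key] = need.get(key, 0.0) + parse_quantity(value)
    for key in constrained:
        if key in need and parse_quantity(used.get(key, "0")) + need[key] > parse_quantity(hard[key]):
            errs.append(f"exceeded quota for {key}")
    if "pods" in hard and parse_quantity(used.get("pods", "0")) + 1 > parse_quantity(hard["pods"]):
        errs.append("exceeded quota for pods")
    return not errs, errs


def admit(pod: dict, quota: dict, limit_range: Optional[dict], used: Dict[str, str]) -> Tuple[bool, List[str]]:
    """LimitRanger runs before ResourceQuota, which is why its defaults rescue bare pods."""
    containers = pod["spec"]["containers"]
    if limit_range is not None:
        containers = [{**c, "resources": apply_limit_range(c, limit_range)} for c in containers]
        errs = [e for c in containers for e in check_limit_range(c["name"], c["resources"], limit_range)]
        if errs:
            return False, errs
    return quota_admits(containers, quota, used)


# The compute-resources quota and container-limits LimitRange from above, as dicts (subset of keys).
COMPUTE_QUOTA = {"spec": {"hard": {"requests.cpu": "4", "requests.memory": "8Gi", "limits.cpu": "8",
                                   "limits.memory": "16Gi", "requests.storage": "500Gi", "pods": "50"}}}
CONTAINER_LIMITS = {"spec": {"limits": [{"type": "Container",
                                         "default": {"cpu": "500m", "memory": "512Mi"},
                                         "defaultRequest": {"cpu": "100m", "memory": "256Mi"},
                                         "max": {"cpu": "2", "memory": "2Gi"},
                                         "min": {"cpu": "50m", "memory": "64Mi"}}]}}
# Constructed pods: no resources at all, and a CPU limit above the LimitRange max.
BARE_POD = {"spec": {"containers": [{"name": "app", "image": "busybox"}]}}
GREEDY_POD = {"spec": {"containers": [{"name": "app", "image": "busybox",
                                       "resources": {"limits": {"cpu": "4"}}}]}}


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    return {
        "bare pod, no LimitRange": admit(BARE_POD, COMPUTE_QUOTA, None, {}),
        "bare pod, with LimitRange": admit(BARE_POD, COMPUTE_QUOTA, CONTAINER_LIMITS, {}),
        "cpu limit 4 vs max 2": admit(GREEDY_POD, COMPUTE_QUOTA, CONTAINER_LIMITS, {}),
        "bare pod, 3950m of 4 cores already requested": admit(
            BARE_POD, COMPUTE_QUOTA, CONTAINER_LIMITS, {"requests.cpu": "3950m", "pods": "12"}),
    }
```

The first two cases are the practical lesson: once a ResourceQuota constrains requests.cpu, a Pod with no resources block is rejected with "must specify requests.cpu" unless a LimitRange supplies the defaults, which is why the two objects are always deployed together.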

Troubleshooting

Common Problems and Fixes

  1. Quota exhausted (creation fails with "exceeded quota")

    # Show hard limits and current usage for every quota in the Namespace
    kubectl describe quota -n <namespace>
    
    # The Namespace itself also summarises quota and LimitRange usage
    kubectl describe namespace <namespace>
    
    # Raise the quota, or clean up unused objects that count against it
    kubectl edit resourcequota <quota-name> -n <namespace>
    
  2. Cross-Namespace access denied

    # Network level: list the policies that select the destination pods
    kubectl get networkpolicy -n <namespace>
    
    # API level: check what the current identity may do, or impersonate another one with --as
    kubectl auth can-i <verb> <resource> --namespace <namespace>
    kubectl auth can-i <verb> <resource> --namespace <namespace> --as=system:serviceaccount:<namespace>:<serviceaccount>
    
    # List the bindings that grant access in the Namespace
    kubectl describe rolebinding -n <namespace>
    
  3. Object creation fails

    # The rejection reason is in the error message or in the owning object's events
    kubectl describe <resource> <name> -n <namespace>
    
    # A container outside the LimitRange min/max, or with no requests while a ResourceQuota
    # constrains requests.*, is rejected at admission time
    kubectl describe limitrange -n <namespace>
    
    # Check the remaining headroom in the quota
    kubectl describe quota -n <namespace>
    
  4. Namespace stuck in Terminating

    # A Terminating Namespace is waiting for one of its objects to be deleted
    kubectl get namespace <namespace>
    
    # status.conditions names what is still pending, often a resource type served by an aggregated API
    kubectl get namespace <namespace> -o yaml
    
    # Aggregated APIs that are not Available block deletion of every resource they serve
    kubectl get apiservice
    
    # Last resort only, after fixing or removing the broken API: clearing the "kubernetes" finalizer
    # removes the Namespace object but orphans whatever could not be deleted. Note that
    # --force --grace-period=0 does not help here; it is the finalizer, not a grace period, that blocks
    kubectl get namespace <namespace> -o json | jq '.spec.finalizers = []' | kubectl replace --raw "/api/v1/namespaces/<namespace>/finalize" -f -
    

Best Practices

  1. Naming conventions

    • Use meaningful Namespace names; they must be valid DNS labels (lowercase alphanumerics and hyphens, at most 63 characters)
    • Follow one naming convention across the cluster
    • Use a consistent prefix or suffix per environment, and never use the kube- prefix, which is reserved for system Namespaces
  2. Resource management

    • Give every Namespace a ResourceQuota
    • Pair it with a LimitRange; otherwise pods without explicit requests are rejected once the quota constrains requests.*
    • Monitor usage against the quota regularly
  3. Access control

    • Give each team its own Namespace
    • Scope permissions with RBAC, preferring the built-in admin, edit and view ClusterRoles bound through a RoleBinding over hand-written wildcard Roles
    • Audit API server access logs regularly
  4. Label management

    • Label Namespaces with environment, team and similar dimensions
    • Use labels for classification, querying and as NetworkPolicy selectors
    • Document and enforce a labelling standard
  5. Security management

    • Apply a default-deny NetworkPolicy to production Namespaces and allow only the flows that are needed
    • Restrict privileged containers, for example by enforcing the Pod Security Standards restricted profile per Namespace
    • Review Namespace configuration periodically

Security Considerations

Isolating a Namespace with NetworkPolicy

A default-deny policy makes every pod in the Namespace isolated in both directions, so nothing is reachable until an allow rule exists. Two allow policies are needed in practice: one for the monitoring traffic, and one that lets pods reach DNS in kube-system, which default-deny egress would otherwise cut off.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-monitoring
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          # the built-in, immutable Namespace name label; a hand-added "name" label
          # works too, but can be forgotten or changed
          kubernetes.io/metadata.name: monitoring
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53

Controlling Namespace Access with RBAC

The Role below is a full wildcard grant inside production. It covers everything namespaced, including reading Secrets, exec into pods, creating ServiceAccount tokens and editing RoleBindings, so it belongs only to the on-call owners of the Namespace. For most people the built-in ClusterRoles admin, edit and view, bound with a RoleBinding, are the better choice; view in particular excludes Secrets.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: production
  name: prod-admin
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: prod-admins
  namespace: production
subjects:
- kind: User
  name: admin-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: prod-admin
  apiGroup: rbac.authorization.k8s.io
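A wildcard Role like prod-admin is easy to spot, but the dev-developer Role in the case study also hands out more than its name suggests. The following added example (the editor's own, not from the page or from any Kubernetes tool) joins RoleBindings to the Roles they reference and flags grants that allow reading Secrets or escalating. The list of risky grants is this example's own judgement; the manifests are the two Roles and two RoleBindings from this page as dicts.

```python
from typing import Dict, List, Tuple

# Grants worth a second look in a namespaced Role. Each entry is a well-known way to
# read data or escalate beyond the Role's apparent intent; the list is this example's own.
RISKY: List[Tuple[str, str, str, str]] = [
    ("", "secrets", "get", "reads any Secret value in the Namespace"),
    ("", "secrets", "list", "dumps every Secret in the Namespace in one call"),
    ("", "pods/exec", "create", "shell into any pod, with its mounted Secrets and ServiceAccount token"),
    ("", "pods", "create", "run a pod under any ServiceAccount in the Namespace and use its token"),
    ("", "serviceaccounts/token", "create", "mint a token for any ServiceAccount in the Namespace"),
    ("rbac.authorization.k8s.io", "rolebindings", "create", "bind additional Roles to itself"),
]


def rule_covers(rule: dict, group: str, resource: str, verb: str) -> bool:
    """RBAC matching: '*' is a wildcard in each list, and a subresource such as pods/exec
    is only covered by 'pods/exec' or '*', never by plain 'pods'."""
    def hit(values, want):
        return "*" in values or want in values
    return (hit(rule.get("apiGroups", []), group) and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))


def audit_role(role: dict) -> List[Tuple[str, str, str]]:
    return [(res, verb, why) for group, res, verb, why in RISKY
            if any(rule_covers(rule, group, res, verb) for rule in role.get("rules", []))]


def audit(roles: List[dict], bindings: List[dict]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Join each RoleBinding to the Role it references in the same Namespace and report the
    risky grants per subject. Bindings to ClusterRoles are skipped: the ClusterRole object is
    cluster-scoped and not part of this input."""
    by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    report = {}
    for b in bindings:
        ns, ref = b["metadata"]["namespace"], b["roleRef"]
        if ref["kind"] != "Role" or (ns, ref["name"]) not in by_key:
            continue
        findings = audit_role(by_key[(ns, ref["name"])])
        for subject in b.get("subjects", []):
            report[f'{subject["kind"]}:{subject["name"]}@{ns}'] = findings
    return report


# The dev-developer and prod-admin Roles and their RoleBindings from this page, as dicts.
DEV_ROLE = {"metadata": {"namespace": "dev", "name": "dev-developer"}, "rules": [
    {"apiGroups": [""], "resources": ["pods", "services", "configmaps", "secrets"],
     "verbs": ["get", "list", "create", "update", "delete"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets", "daemonsets"],
     "verbs": ["get", "list", "create", "update", "delete"]}]}
PROD_ADMIN_ROLE = {"metadata": {"namespace": "production", "name": "prod-admin"},
                   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
BINDINGS = [
    {"metadata": {"namespace": "dev", "name": "dev-developers"},
     "subjects": [{"kind": "User", "name": "alice"}, {"kind": "User", "name": "bob"}],
     "roleRef": {"kind": "Role", "name": "dev-developer"}},
    {"metadata": {"namespace": "production", "name": "prod-admins"},
     "subjects": [{"kind": "User", "name": "admin-user"}],
     "roleRef": {"kind": "Role", "name": "prod-admin"}},
]


def demo() -> Dict[str, List[Tuple[str, str, str]]]:
    return audit([DEV_ROLE, PROD_ADMIN_ROLE], BINDINGS)


if __name__ == "__main__":
    for subject, findings in demo().items():
        print(subject)
        for res, verb, why in findings:
            print(f"  {verb:6} {res:22} {why}")
```

For alice and bob the report lists secrets get, secrets list and pods create: they cannot exec into pods or edit bindings, but they can read every Secret in dev and launch a pod under any ServiceAccount that exists there. admin-user matches every entry, which is what a wildcard Role means in practice.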

Restricting Privileged Operations

PodSecurityPolicy (policy/v1beta1) was deprecated in v1.21 and removed in v1.25, so the manifest below only applies to clusters up to v1.24. On current clusters the same controls are enforced per Namespace by the built-in Pod Security Admission controller: label the Namespace with pod-security.kubernetes.io/enforce=restricted (and pod-security.kubernetes.io/warn=restricted plus pod-security.kubernetes.io/audit=restricted to see what would be rejected before enforcing), and the API server refuses pods in that Namespace that violate the restricted Pod Security Standard: privileged containers, host namespaces, running as root, missing seccomp profile and so on.

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-psp
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  hostNetwork: false
  hostIPC: false
  hostPID: false
  runAsUser:
    rule: 'MustRunAsNonRoot'
  seLinux:
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      - min: 1
        max: 65535
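Whether a given Pod spec would pass the controls in restricted-psp can be checked offline. The following added example (not from the page and not a Kubernetes component) implements those controls in plain Python, runs them against the my-pod manifest from the tutorial section, a constructed privileged debug pod, and a hardened variant, and returns the list of violations. DEBUG_POD and HARDENED_POD are this example's own constructions; supplementalGroups and fsGroup ranges are not modelled.

```python
from typing import Dict, List

# Volume types restricted-psp allows; hostPath in particular is not among them.
ALLOWED_VOLUME_TYPES = {"configMap", "emptyDir", "projected", "secret", "downwardAPI", "persistentVolumeClaim"}


def check_pod(pod: dict) -> List[str]:
    """Every way the Pod spec violates restricted-psp: no host namespaces, only the listed
    volume types, no privileged containers, allowPrivilegeEscalation explicitly false, all
    capabilities dropped, and a non-root user (runAsNonRoot: true or a non-zero runAsUser)."""
    spec, findings = pod["spec"], []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            findings.append(f"{field} must be false")
    for vol in spec.get("volumes", []):
        for vol_type in (k for k in vol if k != "name"):
            if vol_type not in ALLOWED_VOLUME_TYPES:
                findings.append(f"volume {vol['name']}: type {vol_type} is not allowed")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        sc, name = c.get("securityContext", {}), c["name"]
        if sc.get("privileged"):
            findings.append(f"{name}: privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation", True):  # the default is true, so it must be set
            findings.append(f"{name}: allowPrivilegeEscalation must be explicitly false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop must include ALL")
        # container-level settings override pod-level ones
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        run_as_user = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if non_root is not True and not run_as_user:
            findings.append(f"{name}: must run as non-root (runAsNonRoot: true or runAsUser != 0)")
    return findings


# The my-pod manifest from the tutorial section, as written (no securityContext at all).
TUTORIAL_POD = {"spec": {"containers": [{"name": "app", "image": "busybox", "command": ["sleep", "3600"]}]}}

# A constructed "debug" pod of the kind the policy exists to stop.
DEBUG_POD = {"spec": {
    "hostNetwork": True, "hostPID": True,
    "volumes": [{"name": "rootfs", "hostPath": {"path": "/"}}],
    "containers": [{"name": "shell", "image": "busybox", "command": ["sleep", "3600"],
                    "securityContext": {"privileged": True}}]}}

# The tutorial pod brought into compliance; the only additions are the securityContext blocks.
HARDENED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
    "containers": [{"name": "app", "image": "busybox", "command": ["sleep", "3600"],
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}],
    "volumes": [{"name": "scratch", "emptyDir": {}}]}}


def demo() -> Dict[str, List[str]]:
    return {name: check_pod(pod) for name, pod in
            [("tutorial", TUTORIAL_POD), ("debug", DEBUG_POD), ("hardened", HARDENED_POD)]}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

The unmodified tutorial pod fails on three counts (privilege escalation not disabled, capabilities not dropped, no non-root guarantee) even though it does nothing dangerous; that is the usual experience when the restricted profile is first enforced on a Namespace, and the warn and audit labels exist so those findings surface before enforcement starts rejecting deployments.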

Command Cheat Sheet

Command                                                   Description
kubectl get namespaces                                    List Namespaces
kubectl describe namespace <name>                         Show Namespace details, quota and LimitRange usage
kubectl create namespace <name>                           Create a Namespace
kubectl delete namespace <name>                           Delete a Namespace and everything in it
kubectl config set-context --current --namespace=<name>   Set the default Namespace for the current context
kubectl get pods -n <namespace>                           List Pods in a Namespace
kubectl get quota -n <namespace>                          Show the Namespace's ResourceQuotas
kubectl get limitrange -n <namespace>                     Show the Namespace's LimitRanges
kubectl get networkpolicy -n <namespace>                  Show the Namespace's NetworkPolicies
kubectl get all -n <namespace>                            List the common workload resources in a Namespace (not literally all: ConfigMaps, Secrets and NetworkPolicies are not included)

Summary

Namespaces are the core Kubernetes mechanism for resource isolation and multi-tenant management. After working through this document you should be able to:

  • Explain what a Namespace is and how it works
  • Create and manage Namespaces
  • Configure ResourceQuotas and LimitRanges
  • Implement environment isolation and access control
  • Diagnose common Namespace problems
  • Follow the management best practices and security considerations for Namespaces

The next document covers RBAC, the authorization mechanism that underpins Kubernetes cluster security.