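Purpose
Namespaces isolate and partition cluster resources. By default they isolate resources only, not the network: resource objects in different namespaces can still reach each other over the network. With namespaces you can create multiple virtual clusters, which gives you a way to divide cluster resources among different users.
Namespaces provide a scope for resource names. Besides isolating resources, namespaces can also be used to allow only certain users to access certain resources, and even to limit the amount of compute resources available to a single user. Resource names only need to be unique within one namespace, so the same resource name can be used in different namespaces.
Node resources are global and independent; they are not bound to any namespace.
Use case
Suppose there are two namespaces, dev and prod. The dev environment can then reference only the configuration of dev-related components, and the prod environment can reference only the configuration of prod-related components.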
Default namespaces
Kubernetes ships with the following namespaces by default:
[root@cka-master yaml]# kubectl get ns
NAME              STATUS   AGE
default           Active   12h
kube-node-lease   Active   12h
kube-public       Active   12h
kube-system       Active   12h
[root@cka-master yaml]#
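default is the default namespace. It cannot be deleted; an attempt to delete it fails.
kube-node-lease holds the lease state of the Kubernetes cluster nodes; it was added in v1.13.
kube-public is created automatically by the system and is readable by all users; it is reserved as a namespace for cluster-wide public resources.
kube-system is the namespace made up of Kubernetes system objects.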
View all resources in the current namespace
[root@cka-master yaml]# kubectl get all -n default
NAME        READY   STATUS    RESTARTS   AGE
pod/myapp   1/1     Running   0          6h51m

NAME                 TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
service/kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   12h
[root@cka-master yaml]#
Switching the default namespace
View the current configuration
[root@cka-master yaml]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.184.128:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
View the current context
[root@cka-master yaml]# kubectl config current-context
kubernetes-admin@kubernetes
[root@cka-master yaml]#
Create a test namespace, ns1
[root@cka-master yaml]# kubectl create ns ns1
namespace/ns1 created
Switch the default namespace to ns1
[root@cka-master yaml]# kubectl config set-context $(kubectl config current-context) --namespace=ns1
Context "kubernetes-admin@kubernetes" modified.
[root@cka-master yaml]#
View the resulting configuration
[root@cka-master yaml]# kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.184.128:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    namespace: ns1
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
[root@cka-master yaml]#
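Comparing this with the original configuration shows one additional line: contexts.context.namespace
A context consists of three elements: cluster (cluster), user (user) and namespace (namespace).
Resource objects
Not all objects live in a namespace. For example, nodes and persistentVolumes have no namespace and are visible to all users.
With the parameter --namespaced=true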
[root@cka-master yaml]# kubectl api-resources --namespaced=true
NAME                        SHORTNAMES   APIVERSION                     NAMESPACED   KIND
bindings                                 v1                             true         Binding
configmaps                  cm           v1                             true         ConfigMap
endpoints                   ep           v1                             true         Endpoints
events                      ev           v1                             true         Event
limitranges                 limits       v1                             true         LimitRange
persistentvolumeclaims      pvc          v1                             true         PersistentVolumeClaim
pods                        po           v1                             true         Pod
podtemplates                             v1                             true         PodTemplate
replicationcontrollers      rc           v1                             true         ReplicationController
resourcequotas              quota        v1                             true         ResourceQuota
secrets                                  v1                             true         Secret
serviceaccounts             sa           v1                             true         ServiceAccount
services                    svc          v1                             true         Service
controllerrevisions                      apps/v1                        true         ControllerRevision
daemonsets                  ds           apps/v1                        true         DaemonSet
deployments                 deploy       apps/v1                        true         Deployment
replicasets                 rs           apps/v1                        true         ReplicaSet
statefulsets                sts          apps/v1                        true         StatefulSet
localsubjectaccessreviews                authorization.k8s.io/v1        true         LocalSubjectAccessReview
horizontalpodautoscalers    hpa          autoscaling/v1                 true         HorizontalPodAutoscaler
cronjobs                    cj           batch/v1                       true         CronJob
jobs                                     batch/v1                       true         Job
leases                                   coordination.k8s.io/v1         true         Lease
networkpolicies                          crd.projectcalico.org/v1       true         NetworkPolicy
networksets                              crd.projectcalico.org/v1       true         NetworkSet
endpointslices                           discovery.k8s.io/v1            true         EndpointSlice
events                      ev           events.k8s.io/v1               true         Event
ingresses                   ing          networking.k8s.io/v1           true         Ingress
networkpolicies             netpol       networking.k8s.io/v1           true         NetworkPolicy
poddisruptionbudgets        pdb          policy/v1                      true         PodDisruptionBudget
rolebindings                             rbac.authorization.k8s.io/v1   true         RoleBinding
roles                                    rbac.authorization.k8s.io/v1   true         Role
csistoragecapacities                     storage.k8s.io/v1beta1         true         CSIStorageCapacity
With the parameter --namespaced=false
[root@cka-master yaml]# kubectl api-resources --namespaced=false
NAME                              SHORTNAMES   APIVERSION                             NAMESPACED   KIND
componentstatuses                 cs           v1                                     false        ComponentStatus
namespaces                        ns           v1                                     false        Namespace
nodes                             no           v1                                     false        Node
persistentvolumes                 pv           v1                                     false        PersistentVolume
mutatingwebhookconfigurations                  admissionregistration.k8s.io/v1        false        MutatingWebhookConfiguration
validatingwebhookconfigurations                admissionregistration.k8s.io/v1        false        ValidatingWebhookConfiguration
customresourcedefinitions         crd,crds     apiextensions.k8s.io/v1                false        CustomResourceDefinition
apiservices                                    apiregistration.k8s.io/v1              false        APIService
tokenreviews                                   authentication.k8s.io/v1               false        TokenReview
selfsubjectaccessreviews                       authorization.k8s.io/v1                false        SelfSubjectAccessReview
selfsubjectrulesreviews                        authorization.k8s.io/v1                false        SelfSubjectRulesReview
subjectaccessreviews                           authorization.k8s.io/v1                false        SubjectAccessReview
certificatesigningrequests        csr          certificates.k8s.io/v1                 false        CertificateSigningRequest
bgpconfigurations                              crd.projectcalico.org/v1               false        BGPConfiguration
bgppeers                                       crd.projectcalico.org/v1               false        BGPPeer
blockaffinities                                crd.projectcalico.org/v1               false        BlockAffinity
caliconodestatuses                             crd.projectcalico.org/v1               false        CalicoNodeStatus
clusterinformations                            crd.projectcalico.org/v1               false        ClusterInformation
felixconfigurations                            crd.projectcalico.org/v1               false        FelixConfiguration
globalnetworkpolicies                          crd.projectcalico.org/v1               false        GlobalNetworkPolicy
globalnetworksets                              crd.projectcalico.org/v1               false        GlobalNetworkSet
hostendpoints                                  crd.projectcalico.org/v1               false        HostEndpoint
ipamblocks                                     crd.projectcalico.org/v1               false        IPAMBlock
ipamconfigs                                    crd.projectcalico.org/v1               false        IPAMConfig
ipamhandles                                    crd.projectcalico.org/v1               false        IPAMHandle
ippools                                        crd.projectcalico.org/v1               false        IPPool
ipreservations                                 crd.projectcalico.org/v1               false        IPReservation
kubecontrollersconfigurations                  crd.projectcalico.org/v1               false        KubeControllersConfiguration
flowschemas                                    flowcontrol.apiserver.k8s.io/v1beta1   false        FlowSchema
prioritylevelconfigurations                    flowcontrol.apiserver.k8s.io/v1beta1   false        PriorityLevelConfiguration
ingressclasses                                 networking.k8s.io/v1                   false        IngressClass
runtimeclasses                                 node.k8s.io/v1                         false        RuntimeClass
podsecuritypolicies               psp          policy/v1beta1                         false        PodSecurityPolicy
clusterrolebindings                            rbac.authorization.k8s.io/v1           false        ClusterRoleBinding
clusterroles                                   rbac.authorization.k8s.io/v1           false        ClusterRole
priorityclasses                   pc           scheduling.k8s.io/v1                   false        PriorityClass
csidrivers                                     storage.k8s.io/v1                      false        CSIDriver
csinodes                                       storage.k8s.io/v1                      false        CSINode
storageclasses                    sc           storage.k8s.io/v1                      false        StorageClass
volumeattachments                              storage.k8s.io/v1                      false        VolumeAttachment
[root@cka-master yaml]#
