TechLead
Lesson 15 of 25
5 min read
Cloud & Kubernetes

Namespaces and Resource Quotas

Organize clusters with Namespaces, enforce resource limits with ResourceQuotas and LimitRanges, and implement multi-tenancy

Namespaces

Namespaces provide a mechanism for isolating groups of resources within a single cluster. They are intended for use in environments with many users spread across multiple teams or projects. Namespaces provide a scope for names — resource names must be unique within a namespace, but not across namespaces.

When to Use Namespaces

  • Environment Separation: development, staging, production namespaces
  • Team Isolation: Each team gets their own namespace with resource quotas
  • Application Grouping: Group related microservices in a namespace
  • Access Control: Apply RBAC policies per namespace
  • Resource Management: Enforce CPU/memory quotas per namespace
# namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: production
  labels:
    environment: production
    team: platform
  annotations:
    description: "Production workloads"
---
apiVersion: v1
kind: Namespace
metadata:
  name: staging
  labels:
    environment: staging
    team: platform
---
apiVersion: v1
kind: Namespace
metadata:
  name: monitoring
  labels:
    environment: shared
    team: sre
# Create a namespace
kubectl create namespace production

# List namespaces
kubectl get namespaces

# Set default namespace for kubectl
kubectl config set-context --current --namespace=production

# View resources in a namespace
kubectl get all -n production

# View resources across all namespaces
kubectl get pods -A

# Delete a namespace (WARNING: deletes all resources in it)
kubectl delete namespace staging

Resource Quotas

ResourceQuotas limit the total resource consumption per namespace. They prevent any single namespace from consuming more than its fair share of the cluster's resources. 

# resource-quota.yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: production-quota
  namespace: production
spec:
  hard:
    # Compute resource limits
    requests.cpu: "20"          # Total CPU requests across all pods
    requests.memory: "40Gi"     # Total memory requests
    limits.cpu: "40"            # Total CPU limits
    limits.memory: "80Gi"       # Total memory limits

    # Object count limits
    pods: "100"                 # Maximum number of pods
    services: "20"              # Maximum number of services
    services.loadbalancers: "5" # Maximum LoadBalancer services
    configmaps: "50"            # Maximum ConfigMaps
    secrets: "50"               # Maximum Secrets
    persistentvolumeclaims: "20" # Maximum PVCs
    replicationcontrollers: "20"

    # Storage limits
    requests.storage: "100Gi"   # Total storage requests
    gold.storageclass.storage.k8s.io/requests.storage: "50Gi"
---
# Quota for staging (smaller limits)
apiVersion: v1
kind: ResourceQuota
metadata:
  name: staging-quota
  namespace: staging
spec:
  hard:
    requests.cpu: "8"
    requests.memory: "16Gi"
    limits.cpu: "16"
    limits.memory: "32Gi"
    pods: "50"
    services: "10"
    persistentvolumeclaims: "10"

LimitRanges

While ResourceQuotas limit total resources per namespace, LimitRanges set default and min/max constraints on individual Pods and containers. They ensure no single Pod can consume all the namespace's quota. 

# limit-range.yaml
apiVersion: v1
kind: LimitRange
metadata:
  name: production-limits
  namespace: production
spec:
  limits:
  # Default limits for containers (applied if not specified in the Pod spec)
  - type: Container
    default:          # Default limits
      cpu: "500m"
      memory: "256Mi"
    defaultRequest:   # Default requests
      cpu: "100m"
      memory: "128Mi"
    min:              # Minimum allowed
      cpu: "50m"
      memory: "64Mi"
    max:              # Maximum allowed
      cpu: "4"
      memory: "4Gi"

  # Limits for Pods (sum of all containers)
  - type: Pod
    max:
      cpu: "8"
      memory: "8Gi"

  # Limits for PVCs
  - type: PersistentVolumeClaim
    min:
      storage: "1Gi"
    max:
      storage: "50Gi"
# View quotas
kubectl get resourcequota -n production
kubectl describe resourcequota production-quota -n production

# View limit ranges
kubectl get limitrange -n production
kubectl describe limitrange production-limits -n production

# Check quota usage
kubectl describe resourcequota production-quota -n production
# Output shows: Used / Hard for each resource

Multi-Tenancy Patterns

For multi-tenant clusters, combine namespaces with RBAC, network policies, and resource quotas to create strong isolation between teams. 

# team-namespace-setup.yaml
# Namespace
apiVersion: v1
kind: Namespace
metadata:
  name: team-frontend
  labels:
    team: frontend
---
# Resource Quota
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-frontend-quota
  namespace: team-frontend
spec:
  hard:
    requests.cpu: "10"
    requests.memory: "20Gi"
    pods: "50"
---
# LimitRange
apiVersion: v1
kind: LimitRange
metadata:
  name: team-frontend-limits
  namespace: team-frontend
spec:
  limits:
  - type: Container
    default:
      cpu: "200m"
      memory: "256Mi"
    defaultRequest:
      cpu: "100m"
      memory: "128Mi"
---
# Network Policy: isolate namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all-ingress
  namespace: team-frontend
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          team: frontend

Key Takeaways

  • Namespaces provide logical isolation for resources, RBAC, and network policies
  • ResourceQuotas limit total resource consumption per namespace
  • LimitRanges set default and min/max constraints on individual Pods and PVCs
  • Combine namespaces + RBAC + NetworkPolicies + ResourceQuotas for multi-tenancy
  • When ResourceQuotas are set, every Pod must specify resource requests and limits

Continue Learning

Docker & DevOps

Container fundamentals and CI/CD workflows

System Design

Design scalable cloud-native systems

Cybersecurity

Secure your cloud infrastructure

Performance Engineering

Optimize cloud workloads and costs

Data Engineering

Cloud-based data pipelines