Namespace use cases

Namespaces are a way for multiple tenants to share the same cluster.

What is Tenant?

Tenant is a loose term and can refer to individual applications, different teams or departments, and even external customers. How we implement Namespaces and what we consider as tenants is up to we, but it’s most common to use Namespaces to divide clusters for use by tenants within the same organization. For example, we might divide a production cluster into the following three Namespace to match the organizational structure:

• finance

• hr

• corporate-ops

We’d deploy Finance apps to the finance Namespace, HR apps to the hr Namespace, and Corporate apps to the corporate-ops Namespace. Each Namespace can have its own users, permissions, resource quotas, and policies.

Using Namespaces to divide a cluster among external tenants isn’t as common. This is because they only provide soft isolation and cannot prevent compromised workloads from escaping the Namespace and impacting workloads in other Namespaces. At the time of writing, the only way to strongly isolate tenants is to run them on their own clusters and their own hardware.

The following figure shows a cluster on the left using Namespaces for soft multi-tenancy. All apps on this cluster share the same nodes and control plane, and compromised workloads can impact both Namespaces. The two clusters on the right provide strong isolation by implementing two separate clusters, each on dedicated hardware.