Recently, while testing out the latest version of the aks-preview Azure CLI extension, I stumbled across a brand new preview feature: Managed Namespaces in Azure Kubernetes Service (AKS). At the time of writing, this feature hasn’t been officially documented by Microsoft, but you can already try it for yourself using the latest CLI tools.
In this blog post, I’ll walk you through what Managed Namespaces are, what you can do with them, and how you can start using this feature today in your own AKS clusters.
What Are Managed Namespaces?
In standard Kubernetes, namespaces are a way to separate resources logically. You might use them to group applications, environments, or teams. However, these namespaces are often just labels; they don’t enforce things like CPU limits, memory constraints, or network policies out of the box.
Managed Namespaces in AKS aim to close that gap. With this new feature, you can define namespace-level policies such as:
- Default CPU and memory resource requests and limits
- Ingress and egress network policies
- Delete behaviour (should the namespace be cleaned up or preserved)
- How AKS handles existing namespaces (called an adoption policy)
- Metadata like tags, labels, and annotations
The goal is to provide stronger governance and consistency across your workloads, especially in multi-team or multi-tenant clusters.
Getting Started
Before you can use this feature, you’ll need the latest version of the aks-preview extension. If you haven’t got it already, or if you want to make sure you’re on the latest version, use the following command:
az extension add --name aks-preview --upgrade
Unlike some other AKS preview features, there’s currently no need to register a feature flag to use Managed Namespaces.
Creating a Managed Namespace
Let’s start with a basic example. Suppose you want to create a new namespace called team-a with some CPU and memory limits.
Here’s how you’d do it:
az aks namespace add --resource-group my-rg --cluster-name my-aks --name team-a --cpu-request 500m --cpu-limit 1 --memory-request 1Gi --memory-limit 2Gi

This creates a new namespace inside your AKS cluster and enforces the specified resource requests and limits for any pods created inside that namespace.
You can also define other properties at creation time. For example, if you want to specify network rules, tags, labels, and annotations, you can do so in a single command:
az aks namespace add --resource-group my-rg --cluster-name my-aks --name team-a --cpu-request 500m --cpu-limit 1 --memory-request 1Gi --memory-limit 2Gi --ingress-policy AllowSameNamespace --egress-policy AllowAll --delete-policy Keep --adoption-policy Never --tags team=platform --labels env=dev --annotations owner=devteam
That’s a lot of control from just one command.
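A pre-flight check for the arguments used above, as an added example that is not part of the Azure CLI or the original post: it rejects a request larger than its limit and policy values outside the ones this post lists, and, as this example's own choice for shared clusters, flags ingress AllowAll. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight lint for `az aks namespace add` arguments.
# Accepted policy values are the ones listed in this post's parameter table.

# CPU quantity ("500m", "1", "1.5") -> millicores.
cpu_milli() {
  case "$1" in
    *m) echo "${1%m}" ;;
    *)  awk -v v="$1" 'BEGIN { printf "%d\n", v * 1000 + 0.5 }' ;;
  esac
}

# Memory quantity with a whole-number Mi or Gi value -> MiB; else fail.
mem_mib() {
  case "$1" in
    *Gi) echo $(( ${1%Gi} * 1024 )) ;;
    *Mi) echo "${1%Mi}" ;;
    *)   return 1 ;;
  esac
}

# lint_ns CPU_REQ CPU_LIM MEM_REQ MEM_LIM INGRESS EGRESS
# Prints one finding per line; the exit status is the number of findings.
lint_ns() {
  n=0
  if [ "$(cpu_milli "$1")" -gt "$(cpu_milli "$2")" ]; then
    echo "cpu-request $1 exceeds cpu-limit $2"; n=$((n + 1))
  fi
  if mr=$(mem_mib "$3") && ml=$(mem_mib "$4"); then
    if [ "$mr" -gt "$ml" ]; then
      echo "memory-request $3 exceeds memory-limit $4"; n=$((n + 1))
    fi
  else
    echo "memory values must end in Mi or Gi"; n=$((n + 1))
  fi
  case "$5" in
    DenyAll|AllowSameNamespace) ;;
    # Example policy choice, not an AKS rule: flag AllowAll on shared clusters.
    AllowAll) echo "ingress-policy AllowAll admits traffic from every namespace"; n=$((n + 1)) ;;
    *) echo "ingress-policy '$5' is not a listed value"; n=$((n + 1)) ;;
  esac
  case "$6" in
    AllowAll|DenyAll) ;;
    *) echo "egress-policy '$6' is not a listed value"; n=$((n + 1)) ;;
  esac
  return "$n"
}
```

Run it in a pipeline before the az call and stop on a non-zero status, for example: lint_ns 500m 1 1Gi 2Gi AllowSameNamespace AllowAll.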
Viewing and Managing Your Namespaces
Once your namespace is created, you might want to check its status or modify its configuration. AKS includes several commands to help with that.
Show Namespace Details
To view information about a specific managed namespace:
az aks namespace show --resource-group my-rg --cluster-name my-aks --name team-a
This will return JSON with all the configured policies and metadata for the namespace.
List All Managed Namespaces
To see all the managed namespaces in a given cluster:
az aks namespace list --resource-group my-rg --cluster-name my-aks
This is especially useful if you’re managing many environments or teams within a single cluster.
Update a Managed Namespace
If you need to change any of the settings after creation, say you want to adjust the memory limits or update the labels, you can use the update command.
For example:
az aks namespace update --resource-group my-rg --cluster-name my-aks --name team-a --cpu-request 600m --memory-request 2Gi --labels env=prod
Delete a Managed Namespace
When you no longer need a namespace, or want to remove its configuration from AKS, you can delete it:
az aks namespace delete --resource-group my-rg --cluster-name my-aks --name team-a
This will respect the --delete-policy you configured earlier.
Scoped Access: Get Credentials for a Namespace
One really interesting feature is the ability to retrieve credentials scoped to a specific managed namespace. This can be useful if you want to give access to a team but restrict them to only their namespace.
You can generate a kubeconfig just for the managed namespace using:
az aks namespace get-credentials --resource-group my-rg --cluster-name my-aks --name team-a --file ~/.kube/team-a.config
This lets your team interact with their namespace using kubectl without touching the rest of the cluster.
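One way to verify that the scoped kubeconfig really stops at the namespace boundary, as an added example that is not part of the original post: the functions below ask the API server, through kubectl auth can-i, whether the file grants access inside its own namespace and is denied everywhere else. The function names and the team-b namespace are hypothetical; run the check as the identity that will actually use the file, since the answers reflect that identity's permissions.

```shell
#!/bin/sh
# Added example: check what a namespace-scoped kubeconfig can actually do.
# Usage: check_scope "$HOME/.kube/team-a.config" team-a team-b

# can_i KUBECONFIG VERB RESOURCE SCOPE...   prints yes, no or error
can_i() {
  cfg=$1; shift
  ans=$(kubectl --kubeconfig "$cfg" auth can-i "$@" 2>/dev/null) || true
  case "$ans" in
    yes*) echo yes ;;
    no*)  echo no ;;
    *)    echo error ;;   # unreachable cluster, expired login, bad file
  esac
}

# expect WANT KUBECONFIG VERB RESOURCE SCOPE...   reports any mismatch
expect() {
  want=$1; shift
  got=$(can_i "$@")
  if [ "$got" = "$want" ]; then return 0; fi
  shift   # drop KUBECONFIG so the message shows only the can-i arguments
  echo "FAIL (wanted $want, got $got): kubectl auth can-i $*"
  return 1
}

# check_scope KUBECONFIG OWN_NS OTHER_NS
# Returns 0 only if access stops at OWN_NS. OTHER_NS is any other namespace.
check_scope() {
  kc=$1; own=$2; other=$3; rc=0
  expect yes "$kc" list pods -n "$own"                 || rc=1
  expect no  "$kc" get secrets -n "$other"             || rc=1
  expect no  "$kc" get secrets -n kube-system          || rc=1
  expect no  "$kc" get secrets --all-namespaces        || rc=1
  expect no  "$kc" list nodes --all-namespaces         || rc=1
  expect no  "$kc" create namespaces --all-namespaces  || rc=1
  return "$rc"
}
```

An answer of error is reported as a failure rather than treated as a denial, so an expired login or unreachable cluster cannot pass for a clean result.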
All the Available Parameters
Here’s a quick overview of the key parameters available for az aks namespace add and update:
Parameter | Description |
---|---|
--cpu-request | Set the default CPU request |
--cpu-limit | Set the default CPU limit |
--memory-request | Set the default memory request |
--memory-limit | Set the default memory limit |
--ingress-policy | Ingress control (AllowAll, DenyAll, AllowSameNamespace) |
--egress-policy | Egress control (AllowAll, DenyAll) |
--delete-policy | What to do when deleting the namespace (Keep, Delete) |
--adoption-policy | How to handle existing namespaces (Never, Sync) |
--labels | Add Kubernetes labels |
--annotations | Add Kubernetes annotations |
--tags | Add Azure resource tags |
--no-wait | Run the command without waiting for it to complete |
You can combine any of these to suit your governance model.
Final Thoughts
Managed Namespaces are a welcome addition to AKS. They bring more structure and consistency to how namespaces behave across your clusters. Whether you’re trying to enforce team-level limits or isolate networking rules, this feature gives you a centralised way to do it, and you don’t need to rely on separate Kubernetes manifests or admission controllers.
It’s still early days, so things may change, and more features may get added before GA. For now, it’s a great opportunity to get familiar with the tooling and think about how it might fit into your own AKS deployments.
If you try it out, let me know how it goes. As always, test new features in a dev cluster before rolling anything into production.