# Namespaces

A **Namespace** is a logical partition inside a Kubernetes cluster. Most resources live in a namespace (Pods, Deployments, Services), which helps you separate environments and teams.


## Why namespaces are used
- **Environment separation**: `dev`, `stage`, `prod`.
- **Multi-team separation**: reduce naming collisions and improve clarity.
- **RBAC boundaries**: grant access per namespace.
- **Resource controls**: quotas and limit ranges can be namespace-scoped.


## How namespaces are used
- Create namespaces explicitly.
- Apply resources into a namespace.
- Set your current kubectl context namespace to avoid mistakes.

Common practice:
- One namespace per environment (and sometimes per team/app).
- Use GitOps/Kustomize overlays to set the namespace per env.


## YAML template
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: prod
  labels:
    env: prod
```


## Putting resources in a namespace
Option A: set `metadata.namespace` on each resource
```yaml
apiVersion: v1
kind: Service
metadata:
  name: web
  namespace: prod
spec:
  selector:
    app: web
  ports:
    - port: 80
      targetPort: 8080
```

Option B: apply with kubectl
```bash
kubectl apply -n prod -f service.yaml
```

Option C: set namespace via Kustomize overlay
```yaml
# overlays/prod/kustomization.yaml
namespace: prod
```


## Pitfalls
- Some resources are **cluster-scoped** (Nodes, StorageClasses, CRDs) and do not live in a namespace.
- Default namespace mistakes: always check `kubectl config view --minify` or set the context namespace.
- Namespaces are not strong security boundaries on their own; combine with RBAC and network policies.

## References
- Namespaces: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/
- Resource quotas: https://kubernetes.io/docs/concepts/policy/resource-quotas/
