Overview

Namespaces in CloudNexus provide logical partitioning of cluster resources, enabling teams to collaborate safely while maintaining strict isolation boundaries. Each namespace operates as an independent environment with its own network policies, resource quotas, and access controls.

💡 Best Practice

Always create dedicated namespaces for each microservice, team, or environment (dev/staging/prod). Avoid sharing namespaces across distinct workloads to prevent resource contention and policy conflicts.

Key Capabilities

  • Logical Isolation: Separate resource scopes without hardware boundaries
  • Policy Enforcement: Attach network policies, admission controllers, and quotas per namespace
  • RBAC Integration: Granular access control mapped to namespaces
  • Resource Quotas: Prevent resource starvation with CPU, memory, and storage limits
  • Audit Trails: Full activity logging per namespace for compliance

Creating a Namespace

Namespaces can be provisioned via the CloudNexus Console, CLI, or Kubernetes API. Below is a standard YAML manifest:

namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: production-workloads
  labels:
    environment: production
    team: platform-eng
  annotations:
    cloudnexus.io/network-policy: strict
    cloudnexus.io/encryption: enabled
spec:
  finalizers:
    - kubernetes

Apply using the CLI:

Terminal
# Apply namespace configuration
$ cnx kubectl apply -f namespace.yaml

# Verify creation
$ cnx kubectl get ns production-workloads
NAME                  STATUS   AGE
production-workloads  Active   3m24s

Resource Quotas & Limits

Prevent noisy-neighbor issues by attaching quotas to your namespaces. CloudNexus automatically enforces these limits at the controller level.

Resource    Default Quota   Hard Limit   Scaling
CPU Cores   8 cores         64 cores     Auto-scale or manual
Memory      16 GB           256 GB       Vertical pod autoscaling
Pods        50              500          Burst-capable
Storage     100 GB NVMe     2 TB         Dynamic provisioning

⚠️ Note

Exceeding hard limits requires approval from the CloudNexus Operations team. Quota increases are typically processed within 15 minutes via the console.

Network Policies

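Namespaces inherit default network isolation: by default, all ingress/egress traffic is denied unless explicitly allowed. Use CloudNexus NetworkPolicies to control communication rules. The policy below allows TCP port 443 ingress to pods labeled app: web-frontend from namespaces labeled environment: public.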

network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-ingress
  namespace: production-workloads
spec:
  podSelector:
    matchLabels:
      app: web-frontend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              environment: public
      ports:
        - protocol: TCP
          port: 443
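
The rule logic of the policy above, as an added Python example (not CloudNexus code): it evaluates a connection against the policy's ingress rules, assuming standard Kubernetes NetworkPolicy semantics and a destination pod in the policy's own namespace. The function names and the source-namespace inputs are constructed for illustration.

```python
# Added example: evaluates the ingress rules of a NetworkPolicy (matchLabels only;
# ipBlock peers and named ports are not handled). POLICY mirrors network-policy.yaml above.
POLICY = {
    "metadata": {"name": "allow-frontend-ingress", "namespace": "production-workloads"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "web-frontend"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"namespaceSelector": {"matchLabels": {"environment": "public"}}}],
            "ports": [{"protocol": "TCP", "port": 443}],
        }],
    },
}


def labels_match(selector, labels):
    """An empty or missing selector matches everything; matchLabels entries are ANDed."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())


def peer_matches(peer, policy_ns, src_ns, src_ns_labels, src_pod_labels):
    """Within one peer, namespaceSelector and podSelector are ANDed."""
    if "ipBlock" in peer:
        return False  # not modelled here
    if "namespaceSelector" in peer:
        if not labels_match(peer["namespaceSelector"], src_ns_labels):
            return False
    elif src_ns != policy_ns:
        return False  # a bare podSelector only reaches pods in the policy's own namespace
    return labels_match(peer.get("podSelector"), src_pod_labels)


def ingress_allowed(policy, dst_pod_labels, src_ns, src_ns_labels, src_pod_labels, port, protocol="TCP"):
    """True only if some ingress rule admits the connection; otherwise it stays denied."""
    spec, policy_ns = policy["spec"], policy["metadata"]["namespace"]
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return False
    if not labels_match(spec.get("podSelector"), dst_pod_labels):
        return False  # policy does not select the destination pod, so it grants nothing
    for rule in spec.get("ingress", []):
        peers, ports = rule.get("from", []), rule.get("ports", [])
        peer_ok = not peers or any(
            peer_matches(p, policy_ns, src_ns, src_ns_labels, src_pod_labels) for p in peers)
        port_ok = not ports or any(
            p.get("port") in (None, port) and p.get("protocol", "TCP") == protocol for p in ports)
        if peer_ok and port_ok:
            return True
    return False
```

Only the namespace label decides the peer match here, so a pod elsewhere in production-workloads is not admitted by this policy unless that namespace itself carries environment: public.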

FAQ & Troubleshooting

Why are my pods stuck in Pending state?

This usually indicates a quota breach. Run cnx kubectl describe ns <name> to check resource utilization. If quotas are exhausted, request a temporary increase or scale down idle workloads.

Can namespaces span multiple regions?

No. Namespaces are region-scoped by default. For multi-region deployments, use CloudNexus's Global Namespace Sync feature or replicate configurations via GitOps pipelines.

How do I migrate workloads between namespaces?

Use the cnx migrate CLI tool. It safely transfers Secrets, ConfigMaps, and persistent volume claims while preserving RBAC bindings and network policies.