Within Rancher, you can further divide projects into different namespaces, which are virtual clusters within a project backed by a physical cluster. Should you require another level of organization beyond projects and the
default namespace, you can use multiple namespaces to isolate applications and resources.
Although you assign resources at the project level so that each namespace in the project can use them, you can override this inheritance by assigning resources explicitly to a namespace.
Resources that you can assign directly to namespaces include:
- Load Balancers/Ingress
- Service Discovery Records
- Persistent Volume Claims
To manage permissions in a vanilla Kubernetes cluster, cluster admins configure role-based access policies for each namespace. With Rancher, user permissions are assigned on the project level instead, and permissions are automatically inherited by any namespace owned by the particular project.
Note: If you create a namespace with
kubectl, it may be unusable because
kubectldoesn't require your new namespace to be scoped within a project that you have access to. If your permissions are restricted to the project level, it is better to create a namespace through Rancher to ensure that you will have permission to access the namespace.
Create a new namespace to isolate apps and resources in a project.
Tip: When working with project resources that you can assign to a namespace (i.e., workloads, certificates, ConfigMaps, etc.) you can create a namespace on the fly.
From the Global view, open the project where you want to create a namespace.
Tip: As a best practice, we recommend creating namespaces from the project level. However, cluster owners and members can create them from the cluster level as well.
From the main menu, select Namespace. The click Add Namespace.
Optional: If your project has Resource Quotas in effect, you can override the default resource Limits (which places a cap on the resources that the namespace can consume).
Enter a Name and then click Create.
Result: Your namespace is added to the project. You can begin assigning cluster resources to the namespace.
Moving Namespaces to Another Project
Cluster admins and members may occasionally need to move a namespace to another project, such as when you want a different team to start using the application.
From the Global view, open the cluster that contains the namespace you want to move.
From the main menu, select Projects/Namespaces.
Select the namespace(s) that you want to move to a different project. Then click Move. You can move multiple namespaces at one.
- Don't move the namespaces in the
Systemproject. Moving these namespaces can adversely affect cluster networking.
- You cannot move a namespace into a project that already has a resource quota configured.
- If you move a namespace from a project that has a quota set to a project with no quota set, the quota is removed from the namespace.
- Don't move the namespaces in the
Choose a new project for the new namespace and then click Move. Alternatively, you can remove the namespace from all projects by selecting None.
Result: Your namespace is moved to a different project (or is unattached from all projects). If any project resources are attached to the namespace, the namespace releases them and then attached resources from the new project.
Editing Namespace Resource Quotas
You can always override the namespace default limit to provide a specific namespace with access to more (or less) project resources.
For more information, see how to edit namespace resource quotas.