Does a namespace have to be unique across projects?

#1

Does a Namespace need to be unique across all Projects?

I have a test cluster. I’m testing it with two local users: localuser1 & localuser3. I’ve created a Rancher project for each user.

I logged in as localuser1, browsed to the localuser1 project, and created a namespace named ‘webapp’.

Then, I logged in as localuser3, browsed to the localuser3 project, and created a namespace named ‘webapp’. This time it failed with the error ‘namespaces “webapp” already exists’.

In a multiuser environment, it seems normal for users to use common names for their software, such as ‘webapp’ or ‘database’. Must the namespaces all be unique?

#2

A namespace is the actual native k8s resource and must be unique within a cluster. A namespace can be associated to 0 or 1 project, and a project can have 0 or more namespaces.

Projects are a “group of namespaces” abstraction added by Rancher to allow you to define RBAC, share secrets, etc once (or fewer times) instead of defining and duplicating them manually for every individual namespace.

(Project and Cluster names do not need to be unique, because unrelated users might want to use the same name, but you will be generally confused if one user has access to two of the same name…)

#3

Okay. I suppose this make sense if I look at it from the Kubernetes perspective. It was just a confusing when I looked at it from the Project perspective. We’ll need to keep in mind that Projects are not ‘real’ things like Kubernetes objects.

#4

Well I think you will find that they are ‘real’ K8s objects (whatever that means). K8s isn’t a fixed set of resources, it’s extensible via CRDs. Rancher doesn’t break the K8s model, it adds to it.

#5

That is technically true but not really relevant to the question… They are not a resource in the user clusters. An annotation on namespace links them to a project, which causes appropriate role bindings to be applied and shared secrets to be copied.

They do exist as a resource in the rancher management cluster, but that may or may not be visible depending on installation type (and should not be directly manipulated). And they have generated random names, because the name field must be unique and we don’t want project names to be installion-wide unique.

1 Like
#6

Vincent, are Rancher ‘Projects’ actually a Kubernetes CRD?

#7

Like I said above, in individual user clusters, no; within the one management cluster that you may or may not have access to, yes.

Everything rancher-specific is a CRD because that is the generic storage mechanism provided by k8s. They are the equivalent of the 1.x mysql database (except mysql had…features…).

This isn’t at all ready yet, but since I’m working on it and it happens to show what you’re asking about: