OpenShift Namespace Configuration Management

2 min readNov 10, 2020

Once you have your shiny new OpenShift cluster set up, you face the task of deciding how you want to manage your namespaces (projects).

A namespace is a unit of organization that brings with it some management implications. If you put time into a designing a good namespace configuration, you get a lot of administrative functions for free, such as RBAC policies.

RBAC role bindings are done at the namespace scope, which means a user will generally have the same access permissions to each type of object in the namespace. For this reason, it is useful to group objects together based on what sort of access permissions user’s may have to them.

Another administrative aspect is resource quotas. Quotas are administered on a Project-level. While quotas can be adjusted as needed, it does often require an administrator to make the change. If you can define sensible quotas based on expected needs, you get some benefits.

Here is an example. If your organization uses a microservice architecture and teams often own services that are related to each other, it can be beneficial to have a namespace per environment, per team. For example, if the team’s name is “Phoenix” then you might have namespaces like this:

phoenix-dev
phoenix-qa
phoenix-prod

Inside each namespace then you may deploy the services that the team owns.

If you have a strict security posture and want a more “whitelist” approach to permissions, you can use a different namespace for each service such that permissions can be strictly tailored. A namespace scheme may look more like this:

auth-dev
auth-qa
auth-prod
notifications-dev
notifications-qa
notifications-prod
profiles-dev
profiles-qa
profiles-prod

It is worth putting in some thought about the optimal approach, as your decision can become either an asset or a liability. The optimal namespace policies will vary depending on both technical organization as well as administrative organization.

Final thoughts

Once you have decided on your approach, you may want to take the next steps of setting a default quota in the project template, or possibly adopting an operator to help such as the Namespace Configuration Controller.

If you would like a guide, I have published a guide on adding default limits and quotas to the new project template here.

OpenShift Namespace Configuration Management

Final thoughts

Written by Benjamin Porter

More from Benjamin Porter

What is mTLS and How Does it Work?

Inspired by the ELI5 approach

Introduction to “oc” — the OpenShift Command Line Power Tool

Learn to use the ultimate efficiency and automation power house tool for configuring and using OpenShift, the Kubernetes-based PaaS

DNS Debugging with dig

DNS records are a critical part of any internet presence, and debugging them is likewise critical. Dig can be used to easily examine DNS…

Configuring Default Resource Requests, Limits, and Quotas on your new OpenShift 4 Cluster

There are numerous tasks that need to be done to ready a newly installed OpenShift cluster for use by developers. One such task is…

Recommended from Medium

Unleashing the Power of OpenShift: Industry Use Cases and How It Works

OpenShift, a Kubernetes-based container platform developed by Red Hat, has gained immense popularity in recent years for its ability to…

Exploring OpenShift

Introduction:

Lists

Natural Language Processing

🚀 OpenShift: Unleashing the Galactic Power of Container Orchestration! 🌌🌟

Hey there, fellow tech explorers!

Research for industry use cases of Openshift

Introduction

Unlocking the Power of OpenShift: Revolutionizing Industry with Container Orchestration 🌐

Introduction 👋

Introduction to Code Ready Containers: Simplify Your OpenShift Development Environment

CRC — Code Ready Container