You're viewing documentation for Anthos Config Management 1.3. This version has reached end of life and is no longer supported. View the latest documentation.

Namespace inheritance overview

This page describes how Anthos Config Management applies configs to namespaces in your clusters in a hierarchy, based on the structure of the repo. You can also learn about Configuring namespaces and namespace-scoped objects.

How namespace inheritance works

One of the most powerful aspects of Anthos Config Management is the ability to apply configs to groups of namespaces automatically, in all the clusters where those namespaces exist (or should exist), based on where the configs are located in the repo.

Anthos Config Management introduces a notion of inheritance in the namespaces/ directory of the repo and all its subdirectories. Configs in other directories in the repo, such as cluster/, are not subject to inheritance.

In the repo, the namespaces/ directory can contain two different types of subdirectories:

  • A namespace directory contains a config for a namespace. The name of the file containing the config is not important, but the config must have kind: Namespace. A namespace directory can also contain configs for other kinds of Kubernetes objects. A namespace directory cannot contain subdirectories. A namespace config represents an actual namespace in a cluster.

  • An abstract namespace directory contains namespace directories. It can also contain configs for other Kubernetes objects, but it cannot directly contain a config for a namespace. An abstract namespace directory does not represent an object in a Kubernetes cluster, but its descendant namespace directories do.

If you forget to add a config for a namespace to a namespace directory, or you add a directory to a namespace subdirectory or add a config for a namespace to an abstract namespace directory, the result is error KNV1003: IllegalNamespaceSubdirectoryError

Configs in a namespace directory only apply to that namespace, while configs in an abstract namespace directory are applied to all of that abstract namespace's descendant namespace directories (or those descendant namespaces that match a config's NamespaceSelector, if one is present).

Because inheritance of a config in the namespaces/ directory is based largely on its location within the directory tree in the repo, you can browse the repo to understand which configs are being applied to a given namespace in a given cluster.

The following diagram shows the way configs are inherited within the namespaces/ directory of the example repo. The blue rectangles represent abstract namespace directories, and the orange rectangles represent actual namespaces in Kubernetes.

Diagram showing config inheritance in example repo

For example, open the viewers-rolebinding.yaml file in your browser. It grants anyone in the system:serviceaccounts:audit Group the view ClusterRole in every namespace, managed by Anthos Config Management, of every enrolled cluster, because it exists in the namespaces directory itself.

Now open the namespaces/online/ directory in your browser. The online directory is an abstract namespace directory, because it doesn't have a config for a namespace. Click the shipping-app-backend directory. It's also an abstract namespace directory, and contains two configs (pod-creator-rolebinding.yaml and quota.yaml). Each of its three subdirectories is a namespace directory, because it contains a config for a namespace. The name of the file is not significant, but this repo uses that file name for all namespace configs, by convention. Each of those namespaces inherits the pod-creator-rolebinding.yaml and quota.yaml configs in the shipping-app-backend abstract namespace directory.

The shipping-dev namespace directory has an additional config for the job-creators RoleBinding, but the other two namespace directories do not have this config, so they do not have that RoleBinding (unless someone creates it manually).

Disallowed names in namespaces/

The following are reserved and cannot be used as either namespaces or abstract namespace directories within the namespaces/ directory of the repo:

  • config-management-system

Example configs

Namespace configs

This config creates a namespace called audit.

apiVersion: v1
kind: Namespace
metadata:
  name: audit

When you create a namespace config, you can also add a label to the namespace. This can be useful in conjunction with NamespaceSelector.

The following config creates a namespace called shipping-prod if it doesn't already exist or it already exists without the configmanagement.gke.io/managed label, and assigns it the env: prod. It also ensures that an annotation named audit is set to true for the namespace. If someone manually modifies or removes that annotation, Anthos Config Management quickly resets it to the value in the config.

apiVersion: v1
kind: Namespace
metadata:
  name: shipping-prod
  labels:
    env: prod
  annotations:
    audit: "true"

ResourceQuota config

This example creates a ResourceQuota called quota, which sets a hard limit of 1 Pod, 0.1 CPU (100 milli-CPUs), and 100 MiB of memory.

kind: ResourceQuota
apiVersion: v1
metadata:
  name: quota
spec:
  hard:
    pods: "1"
    cpu: "100m"
    memory: 100Mi

If you place this config within a directory that applies to a specific namespace (namespaces/[NAMESPACE_NAME]), the config applies only to that namespace. If you place this config within an abstract namespace directory (namespaces/) that contains namespace descendants, a separate ResourceQuota is applied to each descendant namespace.

Excluding namespaces from inheritance

Namespace selectors can be used to exempt particular namespaces from inheriting a resource in the tree.

The following example allows a properly annotated ResourceQuota object in the root /namespaces directory to be inherited by every namespace except those labeled quota-exempt: exempt:

kind: NamespaceSelector
 apiVersion: configmanagement.gke.io/v1
 metadata:
   name: excludes-exempt-namespaces
 spec:
   selector:
     matchExpressions:
       - key: quota-exempt
         operator: NotIn
          values:
            - exempt

To learn more about NamesspaceSelectors in Anthos Config Management, see Limiting which namespaces a config affects.

Effects of Git operations on namespaces

Git operations that create or delete namespace directories from within the namespaces/ directory may cause different effects than you initially expect. This section covers those interactions.

Creating a directory in namespaces/

When a valid namespaces/ hierarchy is committed to the repo, Anthos Config Management creates namespaces, and then creates Kubernetes objects in those namespaces for each config that the namespace directory contains or inherits.

Deleting a directory from namespaces/

Deleting a namespace directory is a destructive operation. The namespace is deleted, along with all its contents, on every cluster managed by Anthos Config Management where the namespace exists.

If you delete an abstract namespace directory containing descendant namespace directories, all of those namespaces and their contents are deleted from every cluster managed by Anthos Config Management.

Renaming a directory in namespaces/

Renaming a namespace directory is a deletion followed by a creation, and thus is also a destructive operation.

Renaming an abstract namespace directory has no externally-visible effect.

Moving a directory in namespaces/

Moving a namespace or an abstract namespace directory within namespaces/ does not delete the namespace or objects within it, except where the namespace starts or stops inheriting a config from an abstract namespace directory, due to a change in its hierarchy.

What's next