Namespace inheritance overview

This page describes how Config Sync applies configs to namespaces in your clusters in a hierarchy, based on the structure of the repo. You can also learn about Configuring namespaces and namespace-scoped objects.

How namespace inheritance works

One of the most powerful aspects of Config Sync is the ability to apply configs to groups of namespaces automatically, in all the clusters where those namespaces exist (or should exist), based on where the configs are located in the repo.

Config Sync introduces a notion of inheritance in the namespaces/ directory of the repo and all its subdirectories. Configs in other directories in the repo, such as cluster/, are not subject to inheritance.

In the repo, the namespaces/ directory can contain two different types of subdirectories:

  • A namespace directory contains a config for a namespace. The name of the file containing the config is not important, but the config must have kind: Namespace. A namespace directory can also contain configs for other kinds of Kubernetes objects. A namespace directory cannot contain subdirectories. A namespace config represents an actual namespace in a cluster.

  • An abstract namespace directory contains namespace directories. It can also contain configs for other Kubernetes objects, but it cannot directly contain a config for a namespace. An abstract namespace directory does not represent an object in a Kubernetes cluster, but its descendant namespace directories do.

If you forget to add a config for a namespace to a namespace directory, or you add a directory to a namespace subdirectory or add a config for a namespace to an abstract namespace directory, the result is error KNV1003: IllegalNamespaceSubdirectoryError

Configs in a namespace directory only apply to that namespace, while configs in an abstract namespace directory are applied to all of that abstract namespace's descendant namespace directories (or those descendant namespaces that match a config's NamespaceSelector, if one is present).

Because inheritance of a config in the namespaces/ directory is based largely on its location within the directory tree in the repo, you can browse the repo to understand which configs are being applied to a given namespace in a given cluster.

The following diagram shows the way configs are inherited within the namespaces/ directory of the example repo. The blue rectangles represent abstract namespace directories, and the orange rectangles represent actual namespaces in Kubernetes.

Diagram showing config inheritance in example repo

For example, open the viewers-rolebinding.yaml file in your browser. It grants anyone in the system:serviceaccounts:audit Group the view ClusterRole in every namespace, managed by Config Sync, of every enrolled cluster, because it exists in the namespaces directory itself.

Now open the namespaces/online/ directory in your browser. The online directory is an abstract namespace directory, because it doesn't have a config for a namespace. Click the shipping-app-backend directory. It's also an abstract namespace directory, and contains two configs (pod-creator-rolebinding.yaml and quota.yaml). Each of its three subdirectories is a namespace directory, because it contains a config for a namespace. The name of the file is not significant, but this repo uses that file name for all namespace configs, by convention. Each of those namespaces inherits the pod-creator-rolebinding.yaml and quota.yaml configs in the shipping-app-backend abstract namespace directory.

The shipping-dev namespace directory has an additional config for the job-creators RoleBinding, but the other two namespace directories do not have this config, so they do not have that RoleBinding (unless someone creates it manually).

Disallowed names in namespaces/

The following are reserved and cannot be used as either namespaces or abstract namespace directories within the namespaces/ directory of the repo:

  • config-management-system

Example configs

Namespace configs

This config creates a namespace called audit.

apiVersion: v1
kind: Namespace
  name: audit

When you create a namespace config, you can also add a label to the namespace. This can be useful in conjunction with NamespaceSelector.

The following config creates a namespace called shipping-prod if it doesn't already exist or it already exists without the label, and assigns it the env: prod. It also ensures that an annotation named audit is set to true for the namespace. If someone manually modifies or removes that annotation, Config Sync quickly resets it to the value in the config.

apiVersion: v1
kind: Namespace
  name: shipping-prod
    env: prod
    audit: "true"

ResourceQuota config

This example creates a ResourceQuota called quota, which sets a hard limit of 1 Pod, 0.1 CPU (100 milli-CPUs), and 100 MiB of memory.

kind: ResourceQuota
apiVersion: v1
  name: quota
    pods: "1"
    cpu: "100m"
    memory: 100Mi

If you place this config within a directory that applies to a specific namespace (namespaces/[NAMESPACE_NAME]), the config applies only to that namespace. If you place this config within an abstract namespace directory (namespaces/) that contains namespace descendants, a separate ResourceQuota is applied to each descendant namespace.

Excluding namespaces from inheritance

Namespace selectors can be used to exempt particular namespaces from inheriting a resource in the tree.

The following example allows a properly annotated ResourceQuota object in the root /namespaces directory to be inherited by every namespace except those labeled quota-exempt: exempt:

kind: NamespaceSelector
   name: excludes-exempt-namespaces
       - key: quota-exempt
         operator: NotIn
            - exempt

To learn more about NamesspaceSelectors in Config Sync, see Limiting which namespaces a config affects.

Effects of Git operations on namespaces

Git operations that create or delete namespace directories from within the namespaces/ directory may cause different effects than you initially expect. This section covers those interactions.

Creating a directory in namespaces/

When a valid namespaces/ hierarchy is committed to the repo, Config Sync creates namespaces, and then creates Kubernetes objects in those namespaces for each config that the namespace directory contains or inherits.

Deleting a directory from namespaces/

Deleting a namespace directory is a destructive operation. The namespace is deleted, along with all its contents, on every cluster managed by Config Sync where the namespace exists.

If you delete an abstract namespace directory containing descendant namespace directories, all of those namespaces and their contents are deleted from every cluster managed by Config Sync.

Renaming a directory in namespaces/

Renaming a namespace directory is a deletion followed by a creation, and thus is also a destructive operation.

Renaming an abstract namespace directory has no externally-visible effect.

Moving a directory in namespaces/

Moving a namespace or an abstract namespace directory within namespaces/ does not delete the namespace or objects within it, except where the namespace starts or stops inheriting a config from an abstract namespace directory, due to a change in its hierarchy.

Integration with Hierarchy Controller

Hierarchy Controller has a very similar concept of namespace inheritance to that supported by abstract namespaces, as described in the documentation for Hierarchy Controller. However, they support some additional features such as self-service namespaces and hierarchical resource quotas.

Selecting related namespaces

There are times when you might want to apply policies to sets of namespaces that are related through a common ancestor. Hierarchy Controller supports this by using a concept known as tree labels, and these are also supported by abstract namespaces, even if Hierarchy Controller is not enabled.

Tree labels are Kubernetes labels that have the following format:

<namespace-name> <depth>

These labels let you write namespace selectors that can, for example, be used as a part of a network policy to allow traffic within a subtree of related namespaces, but disallow traffic outside of that subtree.

We can illustrate this concept by returning to the diagram of the example repo.

Diagram showing config inheritance in example repo

As an example, the shipping-prod namespace has the following tree labels: 0 1 2 3

You can use kubectl to inspect these relationships directly on the cluster, without having access to the Git repository:

# View all descendants of 'root'
kubectl get namespaces -l ''

# View any immediate children of 'shipping-app-backend'
kubectl get namespaces -l ''

Hierarchy Controller also propagates any tree labels from the abstract namespaces to any descendant namespaces. For example, if you create a child namespace of shipping-prod as follows:

kubectl hns create shipping-prod-v1 -n shipping-prod

In this case, the shipping-prod-v1 namespace would include all the labels from its parent, plus its own, with the depth suitably adjusted: 0 1 2 3 4

What's next