Kubernetes Namespaces¶

Overview¶

Namespaces provide logical separation of resources within the cluster. Each major component or application group has its own namespace.

Namespace Layout¶

graph TB
    subgraph Cluster
        subgraph System
            KS[kube-system]
            LS[longhorn-system]
        end

        subgraph Platform
            ARGO[argocd]
            CF[cloudflared]
        end

        subgraph Observability
            MON[monitoring]
        end

        subgraph Data
            DB[databases]
        end

        subgraph Applications
            HUB[hub]
            NC[nextcloud]
            FVTT[foundryvtt]
            PAL[palworld]
            STAT[homelab-status]
            PAR[parquet-api]
            SS[streamsets]
        end
    end

Namespace Details¶

kube-system¶

Purpose: Core Kubernetes components

Component	Description
coredns	Cluster DNS
metrics-server	Resource metrics
local-path-provisioner	Basic storage

longhorn-system¶

Purpose: Distributed block storage

Component	Description
longhorn-manager	Storage orchestration
longhorn-driver	CSI driver
longhorn-ui	Management interface

argocd¶

Purpose: GitOps continuous deployment

Component	Description
argocd-server	API and UI server
argocd-repo-server	Git repository sync
argocd-application-controller	Reconciliation loop
argocd-redis	Caching

cloudflared¶

Purpose: Secure tunnel to Cloudflare

Component	Description
cloudflared	Tunnel daemon

monitoring¶

Purpose: Observability stack

Component	Description
prometheus	Metrics collection
grafana	Dashboards
alertmanager	Alert routing
elasticsearch	Log storage
kibana	Log analysis
elastic-agent	Log collection

databases¶

Purpose: Data storage services

Component	Description
influxdb	Time series metrics
mongodb	Document database
mysql	Relational database

hub¶

Purpose: Hub application suite

Component	Description
hub-web	Frontend application
hub-api	Backend API

nextcloud¶

Purpose: Self-hosted cloud storage and collaboration

Component	Description
nextcloud	Main application (PHP)
mariadb	Database backend
redis	Session/cache storage
graph-mail-relay	Microsoft Graph email relay

foundryvtt¶

Purpose: Virtual tabletop for TTRPGs

Component	Description
foundryvtt	FoundryVTT server

palworld¶

Purpose: Palworld dedicated game server

Component	Description
palworld	Game server

homelab-status¶

Purpose: Service health monitoring dashboard

Component	Description
homelab-status	Status dashboard (Flask)

alert-manager-ui¶

Purpose: AlertManager web interface

Component	Description
alert-manager-ui	AlertManager UI

alertmanager-discord¶

Purpose: Discord notifications for alerts

Component	Description
alertmanager-discord	Discord webhook relay

parquet-api¶

Purpose: Parquet file service

Component	Description
parquet-api	File processing API

streamsets¶

Purpose: Data pipeline processing

Component	Description
streamsets	Data Collector

Creating Namespaces¶

Standard Namespace Template¶

apiVersion: v1
kind: Namespace
metadata:
  name: <namespace-name>
  labels:
    app: <app-name>
    environment: production

With Resource Quota¶

apiVersion: v1
kind: Namespace
metadata:
  name: <namespace-name>
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: quota
  namespace: <namespace-name>
spec:
  hard:
    requests.cpu: "2"
    requests.memory: 4Gi
    limits.cpu: "4"
    limits.memory: 8Gi

Namespace Policies¶

Network Isolation¶

Each namespace has default-deny ingress policy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: <namespace>
spec:
  podSelector: {}
  policyTypes:
  - Ingress

Cross-Namespace Access¶

Explicitly allowed connections:

From	To	Purpose
monitoring	all	Metrics scraping
hub	databases	Data access
argocd	all	Deployment

Best Practices¶

One app per namespace: Isolate applications
Resource quotas: Prevent resource exhaustion
Network policies: Limit blast radius
Labels: Consistent labeling for management
RBAC: Namespace-scoped permissions