What is a Kubernetes namespace for?

A namespace is a virtual cluster that isolates resources for a team, environment, or application. Names only need to be unique within a namespace, and you can attach quotas, network policies, and RBAC rules per namespace for multi-tenancy.

What does a ResourceQuota enforce?

A ResourceQuota caps the aggregate resource consumption of a namespace — total CPU and memory requests and limits, and counts of objects like pods. Once the quota is hit, new pods that would exceed it are rejected at admission time.

Why do I also need a LimitRange?

A ResourceQuota that caps total limits requires every pod to declare requests and limits, or admission fails. A LimitRange supplies default requests and limits to containers that omit them, and enforces per-container min and max, so the quota works smoothly.

What happens when a quota is exceeded?

The Kubernetes admission controller rejects the create or update request with a quota-exceeded error. Existing workloads keep running, but you cannot schedule more until usage drops or the quota is raised.

Can I change quotas later?

Yes. Edit and re-apply the ResourceQuota or LimitRange at any time. Lowering a quota below current usage does not evict running pods, but it blocks new ones until consumption falls under the new limit.

Kubernetes Namespace & ResourceQuota Builder

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

Stand up a safe multi-tenant namespace

When several teams share a cluster, an unbounded namespace can starve everyone else by scheduling too many pods or oversized containers. This builder generates the three objects that fence off a namespace: the Namespace itself, a ResourceQuota capping aggregate usage, and a LimitRange providing sensible per-container defaults.

How it works

The ResourceQuota sets hard ceilings on the sum of requests.cpu, requests.memory, limits.cpu, limits.memory, and the pod count across the whole namespace. Kubernetes enforces these at admission time — any request that would push the namespace over a cap is rejected.

A quota that limits limits.cpu/limits.memory forces every container to declare those values. The LimitRange fills the gap: it injects default and defaultRequest values into containers that omit them, and sets per-container max ceilings. Together they guarantee that every workload is accounted for and the quota math always has the numbers it needs.

Tips and notes

Keep defaultRequest modest — it is the floor each container reserves and counts against the quota even when idle.
Set the LimitRange max to your largest sane container so a single workload cannot consume the entire namespace.
Add a team label to the namespace for cost attribution and to target it with network policies or RBAC.
Apply all three documents together; the LimitRange should exist before workloads are deployed so defaults take effect.