Managing namespaces
Users are assigned to organizational units called namespaces.
Namespaces are also known as tenants or accounts. In your product, users are assigned to teams. You can assign multiple namespaces to a team. Users of a team are members of the team's namespaces.
A namespace in your product cluster corresponds to a single namespace in Kubernetes. All deployments, pods, and volumes that are created in a single namespace, belongs to the same Kubernetes namespace.
The following namespaces are reserved by your product:
| Namespace | Description | Permission to access and deploy resources |
|---|---|---|
| cert-manager | Reserved for your product certificate manager component. | Cluster administrator |
| default | Available when you install your product and used as the default namespace for objects that do not specify a namespace. This namespace must not be used for any production workloads and must not be deleted. | Cluster administrator |
| icp-system | Reserved for your product. This namespace must not be used for production workloads. | Cluster administrator |
| istio-system | Reserved for Istio platform services. | Cluster administrator |
| kube-public | Reserved by Kubernetes and your product to store reference information that is available to any authenticated user. This namespace must not be used for production workloads. | Open access Only the cluster administrator can deploy resources |
| kube-system | Reserved for Kubernetes, your cluster, and other trusted workloads. This namespace must not be used for production workloads. | Cluster administrator |
| platform | Reserved for your product. This namespace must not be used for production workloads. | Cluster administrator |
| services | Reserved for the IBM Cloud Automation Manager product. | Cluster administrator |
The Namespace overview page in the consoledisplays the list of pod security policies that are associated to every namespace.