Applies to: ✔️ AKS Automatic (preview) ✔️ AKS Standard
Managed namespaces in Azure Kubernetes Service (AKS) provide a way to logically isolate workloads and teams within a cluster. This feature enables administrators to enforce resource quotas, apply network policies, and manage access control at the namespace level. For a detailed overview of managed namespaces, see the managed namespaces overview.
Important
AKS preview features are available on a self-service, opt-in basis. Previews are provided "as is" and "as available," and they're excluded from the service-level agreements and limited warranty. AKS previews are partially covered by customer support on a best-effort basis. As such, these features aren't meant for production use. For more information, see the following support articles:
Before you begin
Prerequisites
- An Azure account with an active subscription. If you don't have one, you can create an account.
- An AKS cluster set up in your Azure environment with Azure role-based access control for Kubernetes authorization.
- To use the network policy feature, the AKS cluster needs to be configured with a network policy engine. Cilium is our recommended engine.
Prerequisite | Notes |
---|---|
Azure CLI | 2.74.0 or later installed. To find the version, run az --version. If you need to install or upgrade, see Install Azure CLI. |
Azure CLI aks-preview extension | 18.0.0b10 or later. To find the version, run az --version. If you need to install or upgrade, see Manage Azure CLI extensions. |
AKS API Version | 2025-05-02-preview or later. |
Feature Flag(s) | ManagedNamespacePreview must be registered to use managed namespaces. |
Required permission(s) | Microsoft.ContainerService/managedClusters/managedNamespaces/* or Azure Kubernetes Service Namespace Contributor built-in role. Microsoft.Resources/deployments/* on the resource group containing the cluster. For more information, see Managed namespaces built-in roles. |
Limitations
- Trying to on-board system namespaces such as kube-system, app-routing-system, istio-system, gatekeeper-system, etc. to be managed namespaces isn't allowed.
- When a namespace is a managed namespace, changes to the namespace via the Kubernetes API are blocked.
- Listing existing namespaces to convert in the portal doesn't work with private clusters. You can add new namespaces.
Install the aks-preview CLI extension
To install the aks-preview extension, run the az extension add command.
az extension add --name aks-preview
Run the following command to update to the latest version of the extension released.
az extension update --name aks-preview
Register the feature flag
To use managed namespaces in preview, register the following flag using the az feature register command.
az feature register --namespace Microsoft.ContainerService --name ManagedNamespacePreview
Verify the registration status by using the az feature show command. It takes a few minutes for the status to show Registered.
az feature show --namespace Microsoft.ContainerService --name ManagedNamespacePreview
When the status reflects Registered, refresh the registration of the Microsoft.ContainerService resource provider by using the az provider register command.
az provider register --namespace Microsoft.ContainerService
Create a managed namespace on a cluster and assign users
Note
When you create a managed namespace, a component is installed on the cluster to reconcile the namespace with the state in Azure Resource Manager (ARM). This component blocks changes to the managed fields and resources from the Kubernetes API, ensuring consistency with the desired configuration.
The following Bicep example demonstrates how to create a managed namespace as a subresource of a managed cluster. Make sure to select the appropriate value for defaultNetworkPolicy, adoptionPolicy, and deletePolicy. For more information about what those parameters mean, see the managed namespaces overview.
// Region for the namespace resource; defaults to the resource group's location.
param location string = resourceGroup().location

// Reference to the existing AKS cluster that hosts the namespace.
resource existingCluster 'Microsoft.ContainerService/managedClusters@2024-03-02-preview' existing = {
  name: 'contoso-cluster'
}

resource managedNamespace 'Microsoft.ContainerService/managedClusters/managedNamespaces@2025-05-02-preview' = {
  parent: existingCluster
  name: 'retail-team'
  location: location
  properties: {
    // Resource quota applied to the namespace.
    defaultResourceQuota: {
      cpuRequest: '1000m'
      cpuLimit: '2000m'
      memoryRequest: '512Mi'
      memoryLimit: '1Gi'
    }
    // Network policy applied to the namespace.
    defaultNetworkPolicy: {
      ingress: 'AllowSameNamespace'
      egress: 'AllowAll'
    }
    adoptionPolicy: 'IfIdentical'
    deletePolicy: 'Keep'
    labels: {
      environment: 'dev'
    }
    annotations: {
      owner: 'retail'
    }
  }
}
Save the Bicep file managedNamespace.bicep to your local computer.
Deploy the Bicep file using the Azure CLI.
az deployment group create --resource-group <resource-group> --template-file managedNamespace.bicep
Define variables
Define the following variables to be used in the subsequent steps.
RG_NAME=cluster-rg
CLUSTER_NAME=contoso-cluster
NAMESPACE_NAME=retail-team
LABELS="environment=dev"
ANNOTATIONS="owner=retail"
Create the managed namespace
Managed namespaces accept several parameters at creation time that customize their configuration. Make sure to select the appropriate value for ingress-network-policy, egress-network-policy, adoption-policy, and delete-policy. For more information about what those parameters mean, see the managed namespaces overview.
az aks namespace add \
--name ${NAMESPACE_NAME} \
--cluster-name ${CLUSTER_NAME} \
--resource-group ${RG_NAME} \
--cpu-request 1000m \
--cpu-limit 2000m \
--memory-request 512Mi \
--memory-limit 1Gi \
--ingress-policy [AllowSameNamespace|AllowAll|DenyAll] \
--egress-policy [AllowSameNamespace|AllowAll|DenyAll] \
--adoption-policy [Never|IfIdentical|Always] \
--delete-policy [Keep|Delete] \
--labels ${LABELS} \
--annotations ${ANNOTATIONS}
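The bracketed lists in the command above are choices, and exactly one value is passed per flag. The following wrapper is an added example, not part of the original article: it checks each policy value against the choices shown above and prints the resulting command for review. The function names in_set and namespace_add_cmd are hypothetical, and the resource values are the ones from the Define variables step.

```shell
#!/bin/sh
# Added example (not from the original article): validate the policy values
# against the choices shown in the command syntax, then print the resulting
# `az aks namespace add` call as a dry run.

# in_set VALUE CHOICE...: succeeds when VALUE equals one of the choices.
in_set() {
  value=$1; shift
  for choice in "$@"; do
    [ "$value" = "$choice" ] && return 0
  done
  return 1
}

# namespace_add_cmd INGRESS EGRESS ADOPTION DELETE (hypothetical helper)
# Prints the command on stdout. Returns 2 and names the offending flag on
# stderr when a value is outside the documented choices (case-sensitive).
namespace_add_cmd() {
  in_set "$1" AllowSameNamespace AllowAll DenyAll ||
    { echo "invalid --ingress-policy: $1" >&2; return 2; }
  in_set "$2" AllowSameNamespace AllowAll DenyAll ||
    { echo "invalid --egress-policy: $2" >&2; return 2; }
  in_set "$3" Never IfIdentical Always ||
    { echo "invalid --adoption-policy: $3" >&2; return 2; }
  in_set "$4" Keep Delete ||
    { echo "invalid --delete-policy: $4" >&2; return 2; }
  printf 'az aks namespace add --name %s --cluster-name %s --resource-group %s' \
    "${NAMESPACE_NAME}" "${CLUSTER_NAME}" "${RG_NAME}"
  printf ' --cpu-request 1000m --cpu-limit 2000m'
  printf ' --memory-request 512Mi --memory-limit 1Gi'
  printf ' --ingress-policy %s --egress-policy %s' "$1" "$2"
  printf ' --adoption-policy %s --delete-policy %s' "$3" "$4"
  printf ' --labels %s --annotations %s\n' "${LABELS}" "${ANNOTATIONS}"
}

# Values from the "Define variables" step.
RG_NAME=cluster-rg
CLUSTER_NAME=contoso-cluster
NAMESPACE_NAME=retail-team
LABELS="environment=dev"
ANNOTATIONS="owner=retail"

# Dry run using the same policy choices as the Bicep example.
namespace_add_cmd AllowSameNamespace AllowAll IfIdentical Keep
```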
Assign role
After the namespace is created, you can assign one of the built-in roles for the control plane and data plane.
ASSIGNEE="user@contoso.com"
NAMESPACE_ID=$(az aks namespace show --name ${NAMESPACE_NAME} --cluster-name ${CLUSTER_NAME} --resource-group ${RG_NAME} --query id -o tsv)
Assign a control plane role to be able to view the managed namespace in the portal, Azure CLI output, and ARM. This role also allows the user to retrieve the credentials to connect to this namespace.
az role assignment create \
--assignee ${ASSIGNEE} \
--role "Azure Kubernetes Service Namespace User" \
--scope ${NAMESPACE_ID}
Assign a data plane role to grant access to create resources within the namespace using the Kubernetes API.
az role assignment create \
--assignee ${ASSIGNEE} \
--role "Azure Kubernetes Service RBAC Writer" \
--scope ${NAMESPACE_ID}
- Sign in to the Azure portal.
- On the Azure portal home page, select Create a resource.
- In the Categories section, select Managed Kubernetes Namespaces.
- On the Basics tab, under Project details configure the following settings:
  - Select the target cluster to create the namespace on.
  - If you're creating a new namespace, leave the default create new, otherwise choose change existing to managed to convert an existing namespace.
- Configure the networking policy to be applied on the namespace.
- Configure the resource requests and limits for the namespace.
- Select the members (users or groups) and their role.
  - Assign the Azure Kubernetes Service Namespace User role to give them access to view the managed namespace in the portal, Azure CLI output, and ARM. This role also allows the user to retrieve the credentials to connect to this namespace.
  - Assign the Azure Kubernetes Service RBAC Writer role to give them access to create resources within the namespace using the Kubernetes API.
- Select Review + create to run validation on the configuration. After validation completes, select Create.
List managed namespaces
You can list managed namespaces at different scopes using the Azure CLI.
At a subscription level
Run the following command to list all managed namespaces in a subscription.
az aks namespace list --subscription <subscription-id>
At a resource group level
Run the following command to list all managed namespaces in a specific resource group.
az aks namespace list --resource-group <rg-name>
At a cluster level
Run the following command to list all managed namespaces in a specific cluster.
az aks namespace list --resource-group <rg-name> --cluster-name <cluster-name>
Connect to the cluster
You can retrieve the credentials to connect to a namespace via the following command.
az aks namespace get-credentials --name <namespace-name> --resource-group <rg-name> --cluster-name <cluster-name>
Next steps
This article focused on using the managed namespaces feature to logically isolate teams and applications. You can further explore other guardrails and best practices to apply via deployment safeguards.