Skaffold can deploy your applications to dedicated namespaces, but it doesn’t actually isolate them in the way you might think.
Let’s see Skaffold in action. Imagine you have a simple web service and a database. We’ll configure Skaffold to deploy these to separate namespaces.
Here’s a skaffold.yaml that does just that:
apiVersion: skaffold/v2b
kind: Config
deploy:
kubectl:
manifests:
- k8s/deployment.yaml
- k8s/service.yaml
- k8s/database-deployment.yaml
- k8s/database-service.yaml
profiles:
- name: dev
deploy:
kubectl:
manifests:
- k8s/deployment.yaml
- k8s/service.yaml
# Deploy the web service to the 'web-app' namespace
namespace: web-app
- name: db
deploy:
kubectl:
manifests:
- k8s/database-deployment.yaml
- k8s/database-service.yaml
# Deploy the database to the 'database' namespace
namespace: database
And here are some example Kubernetes manifests:
k8s/deployment.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
name: web-service
spec:
replicas: 1
selector:
matchLabels:
app: web-service
template:
metadata:
labels:
app: web-service
spec:
containers:
- name: web-service
image: nginx:latest
ports:
- containerPort: 80
k8s/service.yaml:
apiVersion: v1
kind: Service
metadata:
name: web-service-svc
spec:
selector:
app: web-service
ports:
- protocol: TCP
port: 80
targetPort: 80
type: ClusterIP
k8s/database-deployment.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
name: database
spec:
replicas: 1
selector:
matchLabels:
app: database
template:
metadata:
labels:
app: database
spec:
containers:
- name: database
image: postgres:latest
ports:
- containerPort: 5432
k8s/database-service.yaml:
apiVersion: v1
kind: Service
metadata:
name: database-svc
spec:
selector:
app: database
ports:
- protocol: TCP
port: 5432
targetPort: 5432
type: ClusterIP
When you run skaffold dev --profile dev,db, Skaffold will execute two separate kubectl apply commands. The first will target the web-app namespace for the web service resources, and the second will target the database namespace for the database resources.
The core problem Skaffold’s namespace feature solves is organizational complexity and avoiding naming collisions within a single Kubernetes cluster. When you’re developing multiple microservices or working on different features, you don’t want their deployments to clash. By deploying to separate namespaces, you create distinct logical environments. This allows you to:
- Manage resources independently: You can delete, scale, or update resources in one namespace without affecting others.
- Apply different RBAC policies: You can grant specific permissions to users or service accounts only within certain namespaces.
- Avoid naming conflicts:
web-serviceinweb-appis distinct from a hypotheticalweb-serviceinstaging.
Under the hood, Skaffold is simply adding the --namespace <namespace-name> flag to its kubectl apply commands. It’s not implementing any advanced network policies or resource quotas by itself. The actual isolation (or lack thereof) is entirely dependent on your Kubernetes cluster’s configuration and network policies.
The mental model is that each skaffold dev command, when using profiles with different namespaces, becomes a set of independent kubectl apply operations. Skaffold orchestrates these operations. If you specified the same namespace for multiple Skaffold profiles or multiple resource groups within a single profile, those resources would all land in that single namespace, potentially overwriting each other if they share names and types.
A common misconception is that specifying a namespace in Skaffold automatically provides security or resource boundaries. This is not true. Kubernetes namespaces are primarily an organizational tool. True isolation requires explicit configuration of Network Policies, Resource Quotas, and Role-Based Access Control (RBAC) within your Kubernetes cluster. Skaffold simply targets the resources to the specified namespace; it doesn’t enforce isolation within that namespace.
When you apply these configurations using Skaffold, the Kubernetes API server is instructed to create or update resources within the specified namespaces. If a namespace doesn’t exist, Kubernetes will typically create it for you upon the first resource creation within it.
The next step in managing your Kubernetes deployments with Skaffold would be to explore how to manage different environments (dev, staging, prod) more robustly, potentially using Helm or Kustomize within Skaffold profiles.