Kubernetes Namespace-Level vs. Global Cluster-Level Objects
This is a complete breakdown of Kubernetes objects categorized by their scope: Namespace-level (bound to a specific namespace) vs. Cluster-level (global objects shared across the entire cluster).
The Golden Rule
If you ever need to check this on your own cluster, run these commands:
- List all Namespace-level objects:
  kubectl api-resources --namespaced=true
- List all Global-level objects:
  kubectl api-resources --namespaced=false
1. Cluster-Level Objects (Global)
These objects exist everywhere. They are not contained inside any namespace and often represent physical infrastructure or cluster-wide policies.
| Category | Object Name | Description |
|---|---|---|
| Architecture | Nodes | The physical or virtual machines that run your workloads. |
| | Namespaces | The “folders” themselves are global objects (you cannot put a namespace inside a namespace). |
| Storage | PersistentVolumes (PV) | The actual storage resource (disk/SSD). Note that the claim (PVC) is namespaced, but the volume (PV) is global. |
| | StorageClasses | Defines the “profiles” of storage available (e.g., standard, ssd, gold). |
| | CSIDrivers / CSINodes | Drivers and node mappings for Container Storage Interfaces. |
| Access & Auth | ClusterRoles | Permissions defined globally (e.g., “read-only access to all pods in all namespaces”). |
| | ClusterRoleBindings | Grants a ClusterRole to a user or group across the entire cluster. |
| Policy & Config | PriorityClasses | Defines scheduling importance (e.g., system-critical vs. low-priority). |
| | RuntimeClasses | Defines different container runtimes (e.g., gVisor, Kata Containers). |
| | IngressClasses | Defines different Ingress controllers available to the cluster. |
| Extensions | CustomResourceDefinitions (CRDs) | The definition of a new custom object (e.g., PrometheusRule). Once defined, the instances of that object can be namespaced. |
| | Mutating/Validating WebhookConfigurations | Rules for intercepting API requests cluster-wide. |
2. Namespace-Level Objects (Local)
These objects must live inside a specific namespace (e.g., default, kube-system). If you delete the namespace, these objects are deleted with it.
| Category | Object Name | Description |
|---|---|---|
| Workloads | Pods | The smallest deployable unit. |
| | Deployments | Manages stateless apps. |
| | StatefulSets | Manages stateful apps (databases). |
| | DaemonSets | Runs one pod per node. |
| | Jobs / CronJobs | Batch tasks and scheduled tasks. |
| | ReplicaSets / ReplicationControllers | Ensures a specified number of pod replicas are running. |
| Networking | Services | Stable IP/DNS for a set of Pods. |
| | Ingresses | HTTP/HTTPS routing rules. |
| | NetworkPolicies | Firewall rules for Pod communication. |
| | Endpoints / EndpointSlices | The list of IP addresses a Service targets. |
| Config & Storage | ConfigMaps | Non-sensitive configuration data. |
| | Secrets | Sensitive data (passwords, keys). |
| | PersistentVolumeClaims (PVC) | A request for storage. (Links a Namespaced Pod to a Global PV). |
| | ServiceAccounts | Identity for processes running in a Pod. |
| Access & Policy | Roles | Permissions limited to a single namespace. |
| | RoleBindings | Grants a Role to a user within that specific namespace. |
| | ResourceQuotas | Limits total resource usage (CPU/RAM) in a namespace. |
| | LimitRanges | Limits resource usage per Pod/Container in a namespace. |
| | PodDisruptionBudgets | Limits how many pods can be down simultaneously during maintenance. |
| Other | Events | Logs of state changes (e.g., “Pod scheduled”, “Pull failed”). |
| | Leases | Used by controllers for leader election. |
Common Confusion Points
- PV vs. PVC:
  - PV (Global): Represents the physical hard drive. It belongs to the cluster.
  - PVC (Namespaced): Represents a user’s ticket to use that hard drive. It belongs to a specific app in a namespace.
- Role vs. ClusterRole:
  - Role (Namespaced): “Can read pods in this namespace.”
  - ClusterRole (Global): “Can read pods in all namespaces.”
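
Building on the Role vs. ClusterRole distinction above, the following is an added example (not from the original page) that goes one step beyond the text: it reports the effective scope of each RBAC grant, which is set by the binding kind, so a ClusterRole referenced from a RoleBinding stays confined to that namespace. The binding data is a constructed sample; the subject names (alice, dev-team, ci) and the pod-reader Role are hypothetical.

```python
# Constructed sample, shaped like the "items" list returned by
#   kubectl get rolebindings,clusterrolebindings -A -o json
SAMPLE = [
    {"kind": "RoleBinding", "metadata": {"name": "dev-pod-reader", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-view", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "dev-team"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ci-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "build"}]},
]


def effective_scope(binding):
    # The binding kind decides the scope, not the role kind: a ClusterRole
    # referenced from a RoleBinding applies only inside that namespace.
    if binding["kind"] == "ClusterRoleBinding":
        return "cluster"
    return "namespace/" + binding["metadata"]["namespace"]


def subject_id(subject):
    # ServiceAccounts are namespaced objects; Users and Groups are not.
    if subject["kind"] == "ServiceAccount":
        return "ServiceAccount:%s/%s" % (subject.get("namespace", "?"), subject["name"])
    return "%s:%s" % (subject["kind"], subject["name"])


def audit(bindings):
    # One (subject, role, scope) row per subject of every binding.
    rows = []
    for b in bindings:
        role = "%s/%s" % (b["roleRef"]["kind"], b["roleRef"]["name"])
        for s in b.get("subjects") or []:
            rows.append((subject_id(s), role, effective_scope(b)))
    return rows


def cluster_wide(bindings):
    # Grants that reach every namespace; review these first.
    return [row for row in audit(bindings) if row[2] == "cluster"]


if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("%-28s %-26s %s" % row)
```

To run it against a live cluster, load the JSON from the kubectl command in the first comment and pass its "items" list to audit().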