As a consequence, it is invalid to have a *resourceType* managed by a namespace whose kind is *finalize*.
This enables k8s service to WATCH /registry/{resourceType} for changes across namespace of a particular {resourceType}.
To interact with content associated with a Namespace:
Upon scheduling a pod to a particular host, the pod's namespace must be in the key path as follows:
| Action | HTTP Verb | Path | Description |
| ---- | ---- | ---- | ---- |
| CREATE | POST | /api/{version}/namespaces/{namespace}/{resourceType}/ | Create instance of {resourceType} in namespace {namespace} |
| GET | GET | /api/{version}/namespaces/{namespace}/{resourceType}/{name} | Get instance of {resourceType} in namespace {namespace} with {name} |
| UPDATE | PUT | /api/{version}/namespaces/{namespace}/{resourceType}/{name} | Update instance of {resourceType} in namespace {namespace} with {name} |
| DELETE | DELETE | /api/{version}/namespaces/{namespace}/{resourceType}/{name} | Delete instance of {resourceType} in namespace {namespace} with {name} |
| LIST | GET | /api/{version}/namespaces/{namespace}/{resourceType} | List instances of {resourceType} in namespace {namespace} |
| WATCH | GET | /api/{version}/watch/namespaces/{namespace}/{resourceType} | Watch for changes to a {resourceType} in namespace {namespace} |
| WATCH | GET | /api/{version}/watch/{resourceType} | Watch for changes to a {resourceType} across all namespaces |
| LIST | GET | /api/{version}/list/{resourceType} | List instances of {resourceType} across all namespaces |
/host/{host}/pod/{pod.Namespace}/{pod.Name}
The API server verifies the *Namespace* on resource creation matches the *{namespace}* on the path.
## k8s Authorization service
The API server will associate a resource with a *Namespace* if not populated by the end-user based on the *Namespace* context
of the incoming request. If the *Namespace* of the resource being created, or updated does not match the *Namespace* on the request,
then the API server will reject the request.
This design assumes the existence of an authorization service that filters incoming requests to the k8s API Server in order
### Storage
to enforce user authorization to a particular k8s resource. It performs this action by associating the *subject* of a request
with a *policy* to an associated HTTP path and verb. This design encodes the *namespace* in the resource path in order to enable
external policy servers to function by resource path alone. If a request is made by an identity that is not allowed by
policy to the resource, the request is terminated. Otherwise, it is forwarded to the apiserver.
## k8s controller-manager
A namespace provides a unique identifier space and therefore must be in the storage path of a resource.
The controller-manager will provision pods in the same namespace as the associated replicationController.
In etcd, we want to continue to still support efficient WATCH across namespaces.
## k8s Kubelet
Resources that persist content in etcd will have storage paths as follows:
There is no major change to the kubelet introduced by this proposal.