From https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ :

• Namespaces are a way to divide cluster resources between multiple users
• via Resource Quotas : https://kubernetes.io/docs/concepts/policy/resource-quotas/
• and RBAC : https://kubernetes.io/docs/reference/access-authn-authz/rbac/

There are benefits to deploying per-user namespaces:

• Ability to give the user control over their own namespace via RBAC (deploying other objects / API Isolation)
• Ability to persist expensive objects like cert-manager certs / let encrypt (some objects take a lot of time)
• Ability to isolate traffic between multiple users / namespaces

We create a namespace per user, and do not destroy it when a workspace is torn down. This allows expensive objects (like cert-manager/letsencrypt certs/dns) to persist and be reused for multiple workspaces (from the same user) to access them.

Some resources we use per user/namespace:

• Issuer (Cert-Manager w/ DNS01 for wildcard)
• Certificate (this can take 40 seconds to provision from Lets Encrypt)
• tls-secret (generated by TLS Cert from Certificate)
• wildcard ingress (each user get's there own namespace AND *.username.coder.website [accessible without coder])
• RoleBinding w/ admin over their own namespace (we allow them to create whatever other resources they want within their namespace) : RBAC
• We use Resource Quotas to ensure one user doesn't take over all the resources on a node