diff --git a/sapl/audiencia/views.py b/sapl/audiencia/views.py
index d5ea7f710..0490c3b4b 100755
--- a/sapl/audiencia/views.py
+++ b/sapl/audiencia/views.py
@@ -13,7 +13,7 @@ from ratelimit.decorators import ratelimit
 from django.utils.decorators import method_decorator
 from ..settings import RATE_LIMITER_RATE
-from ..utils import ratelimit_ip
+from sapl.middleware.ratelimit import ratelimit_ip
 def index(request):
diff --git a/sapl/middleware/ratelimit.py b/sapl/middleware/ratelimit.py
index ae75b1200..103983d33 100644
--- a/sapl/middleware/ratelimit.py
+++ b/sapl/middleware/ratelimit.py
@@ -26,7 +26,6 @@ no per-request lookup is needed or correct.
 import hashlib
 import logging
-import os
 import time
 from django.conf import settings
@@ -36,20 +35,12 @@ from django.http import HttpResponse
 logger = logging.getLogger('sapl.ratelimit')
 # ---------------------------------------------------------------------------
-# Tenant namespace — pod-level constant
+# Tenant namespace — resolved once at startup from settings.POD_NAMESPACE.
+# On K8s: the k8s namespace (e.g. "patobranco-pr"), set by start.sh.
+# On bare-metal / VM / docker-compose: the machine hostname (default).
 # ---------------------------------------------------------------------------
-def _resolve_namespace():
- ns = os.environ.get('POD_NAMESPACE', '')
- if ns:
- return ns
- try:
- with open('/var/run/secrets/kubernetes.io/serviceaccount/namespace') as f:
- return f.read().strip()
- except OSError:
- return 'global'
-
-_NAMESPACE = _resolve_namespace()
+_NAMESPACE = settings.POD_NAMESPACE
 # ---------------------------------------------------------------------------
 # Redis key templates — module-level constants, never inline strings
diff --git a/sapl/settings.py b/sapl/settings.py
index 92859fb23..a178438a1 100644
--- a/sapl/settings.py
+++ b/sapl/settings.py
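Review bot: In the last `sapl/middleware/ratelimit.py` hunk, `_NAMESPACE = settings.POD_NAMESPACE` accepts whatever the setting holds, including an empty string, whereas the removed `_resolve_namespace()` skipped an empty `POD_NAMESPACE` and fell through to the service-account file. If `.env` ever carries a blank `POD_NAMESPACE=` entry (start.sh is not visible here, so this is an assumption to confirm), tenants sharing one Redis would presumably build their rate-limit keys under the same empty namespace and share counters. I would fail fast at import instead of continuing: `if not _NAMESPACE.strip(): raise ImproperlyConfigured('POD_NAMESPACE must not be empty')`, with `ImproperlyConfigured` imported from `django.core.exceptions`. The key templates that consume `_NAMESPACE` start at the end of the hunk and continue outside it.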
@@ -205,12 +205,13 @@ SPECTACULAR_SETTINGS = {
 }
 # ---------------------------------------------------------------------------
-# Tenant namespace — identifies this pod's municipality (e.g. patobranco-pr).
-# Resolved by start.sh from POD_NAMESPACE env var (K8s Downward API) or the
-# service-account namespace file, then written into .env before Gunicorn starts.
-# Used as KEY_PREFIX so each tenant's cache keys are isolated in shared Redis.
+# Tenant namespace — used as Redis KEY_PREFIX and rate-limiter scope.
+# Defaults to the machine hostname so self-hosted (bare-metal / VM /
+# docker-compose) deployments work without any extra config.
+# On Kubernetes, POD_NAMESPACE is set by start.sh via the Downward API or
+# the service-account namespace file (e.g. "patobranco-pr").
 # ---------------------------------------------------------------------------
-POD_NAMESPACE = config('POD_NAMESPACE', default='sapl')
+POD_NAMESPACE = config('POD_NAMESPACE', default=host)
 # ---------------------------------------------------------------------------
 # Cache — switches between file-based (default) and Redis at pod startup.
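Review bot: `default=host` on the `POD_NAMESPACE` line makes the fallback namespace the machine hostname, which under docker-compose or Kubernetes is normally unique per container rather than per tenant. Replicas that share one Redis but start without `POD_NAMESPACE` would then each get their own `KEY_PREFIX` and rate-limiter scope, so a client's requests are counted separately per replica and the effective limit grows with the replica count. The new comment block should say so, for example `# NOTE: when several replicas share one Redis, set POD_NAMESPACE explicitly; the hostname default gives every container its own key prefix and rate-limit counters.` `host` is not defined in this hunk, so it must already be assigned earlier in settings.py; that is worth confirming, since otherwise settings import fails with a NameError.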