Tenants with Capsule
What
Capsule from Clastix is a CRD-based approach to multi-tenancy in which namespaces are aggregated into a lightweight abstraction called a tenant.
Within each tenant, users are free to create their namespaces and share all the assigned resources. On the other side, the Capsule Policy Engine keeps the different tenants isolated from each other. Network and Security Policies, Resource Quota, Limit Ranges, RBAC, and other policies defined at the tenant level are automatically inherited by all the namespaces in the tenant. Then users are free to operate their tenants in autonomy, without the intervention of the cluster administrator.
Architecture
Image credit: https://capsule.clastix.io/docs#whats-the-problem-with-the-current-status
Installation
❯ helm repo add clastix https://clastix.github.io/charts
"clastix" has been added to your repositories
❯ helm install capsule clastix/capsule -n capsule-system --create-namespace
NAME: capsule
LAST DEPLOYED: Thu Jul 7 11:26:28 2022
NAMESPACE: capsule-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
- Capsule Operator Helm Chart deployed:
...
Create tenants
❯ cat tenant-a.yaml
apiVersion: capsule.clastix.io/v1beta1
kind: Tenant
metadata:
  name: team-a
spec:
  owners:
  - name: adam
    kind: User
  - name: alice
    kind: User
❯ k create -f tenant-a.yaml -f tenant-b.yaml
tenant.capsule.clastix.io/team-a created
tenant.capsule.clastix.io/team-b created
❯ k get tenants
NAME     STATE    NAMESPACE QUOTA   NAMESPACE COUNT   NODE SELECTOR   AGE
team-a   Active                     0                                 48s
team-b   Active                     0                                 48s
Use tenants
# Create users using below script (users will come in through an OIDC group in real world which maps to the tenant name)
# link: https://raw.githubusercontent.com/clastix/capsule/master/hack/create-user.sh
❯ ./create_user.sh adam team-a
creating certs in TMPDIR /var/folders/1w/9brxn3wn27b3xgk2t7hj5ns40000gn/T/tmp.VnLVNs1q
merging groups /O=capsule.clastix.io
Generating RSA private key, 2048 bit long modulus
..............+++
.........................................................................................................+++
e is 65537 (0x10001)
certificatesigningrequest.certificates.k8s.io/adam-team-a created
certificatesigningrequest.certificates.k8s.io/adam-team-a approved
kubeconfig file is: adam-team-a.kubeconfig
to use it as adam export KUBECONFIG=adam-team-a.kubeconfig
# Create namespace as user: adam
❯ k create ns a-one-ns --kubeconfig=/tmp/capsule/adam-team-a.kubeconfig
namespace/a-one-ns created
# Create a workload
❯ k run test-pod --image=nginx --restart=Never -n a-one-ns
pod/test-pod created
# Try creating another workload as another user: ben
❯ k run test-pod2 --image=nginx --restart=Never -n a-one-ns --kubeconfig=/tmp/capsule/ben-team-b.kubeconfig
Error from server (Forbidden): pods is forbidden: User "ben" cannot create resource "pods" in API group "" in the namespace "a-one-ns"
Enforce quotas
❯ cat tenant-quota.yaml
apiVersion: capsule.clastix.io/v1beta1
kind: Tenant
metadata:
  name: team-alpha
spec:
  owners:
  - name: adam
    kind: User
  - name: alice
    kind: User
  namespaceOptions:
    quota: 3
  resourceQuotas:
    scope: Tenant
    items:
    - hard:
        limits.cpu: "8"
        limits.memory: 16Gi
        requests.cpu: "8"
        requests.memory: 16Gi
    - hard:
        pods: "10"
  limitRanges:
    items:
    - limits:
      - default:
          cpu: 500m
          memory: 512Mi
        defaultRequest:
          cpu: 100m
          memory: 10Mi
        type: Container
❯ k create -f tenant-quota.yaml
tenant.capsule.clastix.io/team-alpha created
❯ k get tenants.capsule.clastix.io
NAME         STATE    NAMESPACE QUOTA   NAMESPACE COUNT   NODE SELECTOR   AGE
team-a       Active                     2                                 23m
team-alpha   Active   3                 0                                 8s
team-b       Active                     0                                 23m
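To make the behaviour seen in the two sessions above concrete (ben being refused in adam's namespace, and the team-alpha tenant capping namespaces at 3 with tenant-wide ResourceQuota and LimitRange defaults), here is an added Python model of those tenant-level checks. It is not Capsule's code: Capsule enforces this through admission webhooks and the native ResourceQuota/LimitRange objects it replicates into each namespace, whereas this script is a deliberately simplified reconstruction (an assumption, for illustration) that treats tenant owners as the only users allowed to act inside the tenant. The team-alpha manifest from the page is embedded as a Python dict, constructed here so the example runs without a cluster or a YAML library.

```python
from dataclasses import dataclass, field

# Constructed: the team-alpha Tenant from the page as a dict (only the fields this model uses).
TEAM_ALPHA = {
    "name": "team-alpha",
    "owners": [{"name": "adam", "kind": "User"}, {"name": "alice", "kind": "User"}],
    "namespaceOptions": {"quota": 3},
    "resourceQuotas": {"scope": "Tenant", "items": [
        {"hard": {"limits.cpu": "8", "limits.memory": "16Gi",
                  "requests.cpu": "8", "requests.memory": "16Gi"}},
        {"hard": {"pods": "10"}},
    ]},
    "limitRanges": {"items": [{"limits": [{
        "type": "Container",
        "default": {"cpu": "500m", "memory": "512Mi"},
        "defaultRequest": {"cpu": "100m", "memory": "10Mi"}}]}]},
}

# Longer suffixes first so "512Mi" is never read as the CPU suffix "m".
_SUFFIXES = {"Gi": 2**30, "Mi": 2**20, "Ki": 2**10, "G": 1e9, "M": 1e6, "k": 1e3, "m": 1e-3}

def quantity(q):
    """Parse the subset of Kubernetes quantities used on this page into base units (cores or bytes)."""
    q = str(q)
    for suffix, mult in _SUFFIXES.items():
        if q.endswith(suffix):
            return float(q[:-len(suffix)]) * mult
    return float(q)

@dataclass
class Cluster:
    """Minimal cluster state: which namespace belongs to which tenant, and the pods inside it."""
    tenants: dict
    namespaces: dict = field(default_factory=dict)  # namespace -> tenant name
    pods: dict = field(default_factory=dict)        # namespace -> list of pods (container lists)

def is_owner(tenant, user):
    return any(o["kind"] == "User" and o["name"] == user for o in tenant["owners"])

def create_namespace(cluster, user, ns, tenant_name):
    """Simplified model: only tenant owners create namespaces, up to namespaceOptions.quota."""
    tenant = cluster.tenants[tenant_name]
    if not is_owner(tenant, user):
        return False, f'User "{user}" is not an owner of tenant {tenant_name}'
    if ns in cluster.namespaces:
        return False, f"namespace {ns} already exists"
    quota = tenant.get("namespaceOptions", {}).get("quota")
    owned = sum(1 for t in cluster.namespaces.values() if t == tenant_name)
    if quota is not None and owned >= quota:
        return False, f"tenant {tenant_name} has reached its namespace quota of {quota}"
    cluster.namespaces[ns] = tenant_name
    cluster.pods[ns] = []
    return True, f"namespace/{ns} created"

def apply_limit_range(tenant, containers):
    """Fill in missing limits/requests from the tenant's LimitRange items of type Container."""
    items = [lim for lr in tenant.get("limitRanges", {}).get("items", [])
             for lim in lr["limits"] if lim["type"] == "Container"]
    resolved = []
    for c in containers:
        res = {"limits": dict(c.get("limits", {})), "requests": dict(c.get("requests", {}))}
        for item in items:
            for k, v in item.get("default", {}).items():
                res["limits"].setdefault(k, v)
            for k, v in item.get("defaultRequest", {}).items():
                res["requests"].setdefault(k, v)
        resolved.append(res)
    return resolved

def _add_pod_usage(usage, pod):
    usage["pods"] += 1
    for c in pod:
        for kind in ("limits", "requests"):
            for r in ("cpu", "memory"):
                usage[f"{kind}.{r}"] += quantity(c[kind].get(r, "0"))

def tenant_usage(cluster, tenant_name):
    """Aggregate usage over every namespace of the tenant, i.e. resourceQuotas scope: Tenant."""
    usage = {"pods": 0, "limits.cpu": 0.0, "limits.memory": 0.0,
             "requests.cpu": 0.0, "requests.memory": 0.0}
    for ns, t in cluster.namespaces.items():
        if t == tenant_name:
            for pod in cluster.pods[ns]:
                _add_pod_usage(usage, pod)
    return usage

def create_pod(cluster, user, ns, containers):
    """Refuse users outside the namespace's tenant (the Forbidden case above); otherwise apply
    LimitRange defaults and reject the pod if any tenant-wide hard quota would be exceeded."""
    if ns not in cluster.namespaces:
        return False, f"namespace {ns} not found"
    tenant_name = cluster.namespaces[ns]
    tenant = cluster.tenants[tenant_name]
    if not is_owner(tenant, user):
        return False, (f'Error from server (Forbidden): pods is forbidden: User "{user}" '
                       f'cannot create resource "pods" in API group "" in the namespace "{ns}"')
    resolved = apply_limit_range(tenant, containers)
    usage = tenant_usage(cluster, tenant_name)
    _add_pod_usage(usage, resolved)
    for item in tenant.get("resourceQuotas", {}).get("items", []):
        for key, hard in item["hard"].items():
            if usage.get(key, 0) > quantity(hard):
                return False, f"exceeded quota: {key} would be {usage[key]:g}, hard limit is {hard}"
    cluster.pods[ns].append(resolved)
    return True, "pod created"
```

Two points the model makes visible: a single pod with `limits.cpu: "8"` is refused even in an otherwise empty namespace, because with `scope: Tenant` the quota is counted across all of the tenant's namespaces rather than per namespace; and a pod declared without resources still consumes quota, because the LimitRange defaults (500m / 512Mi) are applied before the quota check.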
Administration and more use cases
Reference
Source: https://dev.to/ashokan/tenants-with-capsule-3428