4f34483dee
* Update README.md Proof Read the README.md * Update index.md Proof Read index.md * Update overview.md Proof Read overview.md * Update onboarding.md Proof Read onboarding.md * Update create-namespaces.md Proof Read create-namespaces.md * Update permissions.md Proof Read permissons.md * Update resources-quota-limits.md Proof Read resources-quota-limits.md * Update nodes-pool.md Proof Read nodes-pool.md * Update ingress-classes.md Proof Read ingress-classes.md * Update ingress-hostnames.md Proof Read ingress-hostnames.md * Update storage-classes.md Proof Read storage-classes.md * Update images-registries.md Proof Read images-registries.md * Update custom-resources.md Proof Read custom-resources.md * Update multiple-tenants.md Proof Read multiple-tenants.md * Update README.md Updated the Suggested text * Update README.md Made the correction * Update docs/operator/use-cases/images-registries.md Co-authored-by: Don High <donghigh@yahoo.com> Co-authored-by: Dario Tranchitella <dario@tranchitella.eu>
3.0 KiB
Create namespaces
Alice can create a new namespace in her tenant, as simply:
alice@caas# kubectl create ns oil-production
Note that Alice started the name of her namespace with an identifier of her tenant: this is not a strict requirement but it is highly suggested because it is likely that many different tenants would like to call their namespaces as
production,test, ordemo, etc.The enforcement of this naming convention is optional and can be controlled by the cluster administrator with the
--force-tenant-prefixoption as an argument of the Capsule controller.
When Alice creates the namespace, the Capsule controller listening for creation and deletion events assigns to Alice the following roles:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: namespace:admin
namespace: oil-production
subjects:
- kind: User
name: alice
roleRef:
kind: ClusterRole
name: admin
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: namespace-deleter
namespace: oil-production
subjects:
- kind: User
name: alice
roleRef:
kind: ClusterRole
name: namespace-deleter
apiGroup: rbac.authorization.k8s.io
Alice is the admin of the namespaces:
alice@caas# kubectl get rolebindings -n oil-production
NAME ROLE AGE
namespace:admin ClusterRole/admin 9m5s
namespace-deleter ClusterRole/admin 9m5s
The said Role Binding resources are automatically created by Capsule when Alice creates a namespace in the tenant.
Alice can deploy any resource in the namespace, according to the predefined
admin cluster role.
alice@caas# kubectl -n oil-development run nginx --image=docker.io/nginx
alice@caas# kubectl -n oil-development get pods
Alice can create additional namespaces, according to the namespaceQuota field of the tenant manifest:
alice@caas# kubectl create ns oil-development
alice@caas# kubectl create ns oil-test
While Alice creates namespace resources the Capsule controller updates the status of the tenant so Bill, the cluster admin, can check its status:
bill@caas# kubectl describe tenant oil
...
status:
namespaces:
oil-development
oil-production
oil-test
size: 3 # current namespace count
...
Once the namespace quota assigned to the tenant has been reached, Alice cannot create further namespaces
alice@caas# kubectl create ns oil-training
Error from server (Cannot exceed Namespace quota: please, reach out the system administrators): admission webhook "quota.namespace.capsule.clastix.io" denied the request.
The enforcement on the maximum number of Namespace resources per Tenant is the responsibility of the Capsule controller via its Dynamic Admission Webhook capability.
What’s next
See how Alice, the tenant owner, can assign different user roles in the tenant. Assign permissions.