capsule/docs/operator/use-cases/nodes-pool.md
Don High 4f34483dee Documentation Spelling Mistakes #197 (#203)
* Update README.md

Proof Read the README.md

* Update index.md

Proof Read index.md

* Update overview.md

Proof Read overview.md

* Update onboarding.md

Proof Read onboarding.md

* Update create-namespaces.md

Proof Read create-namespaces.md

* Update permissions.md

Proof Read permissions.md

* Update resources-quota-limits.md

Proof Read resources-quota-limits.md

* Update nodes-pool.md

Proof Read nodes-pool.md

* Update ingress-classes.md

Proof Read ingress-classes.md

* Update ingress-hostnames.md

Proof Read ingress-hostnames.md

* Update storage-classes.md

Proof Read storage-classes.md

* Update images-registries.md

Proof Read images-registries.md

* Update custom-resources.md

Proof Read custom-resources.md

* Update multiple-tenants.md

Proof Read multiple-tenants.md

* Update README.md

Updated the Suggested text

* Update README.md

Made the correction

* Update docs/operator/use-cases/images-registries.md

Co-authored-by: Don High <donghigh@yahoo.com>

Co-authored-by: Dario Tranchitella <dario@tranchitella.eu>
2021-02-19 11:40:20 +01:00


Assign a node's pool

Bill, the cluster admin, can dedicate a pool of worker nodes to the oil tenant, to isolate the tenant applications from other noisy neighbors.

Bill labels these nodes as pool=oil:

bill@caas# kubectl get nodes --show-labels

NAME                      STATUS   ROLES             AGE   VERSION   LABELS
...
worker06.acme.com         Ready    worker            8d    v1.18.2   pool=oil
worker07.acme.com         Ready    worker            8d    v1.18.2   pool=oil
worker08.acme.com         Ready    worker            8d    v1.18.2   pool=oil

The label pool=oil is defined as a node selector in the tenant manifest:

apiVersion: capsule.clastix.io/v1alpha1
kind: Tenant
metadata:
  name: oil
spec:
  owner:
    name: alice
    kind: User
  nodeSelector:
    pool: oil
  ...

The Capsule controller makes sure that any namespace created in the tenant has the annotation scheduler.alpha.kubernetes.io/node-selector: pool=oil. This annotation tells the Kubernetes scheduler to assign the node selector pool=oil to all the pods deployed in the tenant.

The effect is that all the pods deployed by Alice are placed only on the designated pool of nodes.

Any attempt by Alice to change the selector on the pods results in the following error from the PodNodeSelector admission controller plugin:

Error from server (Forbidden): pods "busybox" is forbidden:
pod node label selector conflicts with its namespace node label selector

RBAC prevents Alice from changing the annotation on the namespace:

alice@caas# kubectl auth can-i edit ns -n production
Warning: resource 'namespaces' is not namespace scoped
no
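
To verify the isolation described above, the following added example (not part of the Capsule documentation or code) audits a tenant's namespaces for the node-selector annotation and its pods for placement inside the pool. The function names, the namespace names oil-production and oil-development, the pod names and the node worker01.acme.com are constructed for illustration.

```python
ANNOTATION = "scheduler.alpha.kubernetes.io/node-selector"

def parse_selector(text):
    # The annotation value is a comma-separated list of key=value pairs.
    pairs = (item.split("=", 1) for item in text.split(",") if "=" in item)
    return {k.strip(): v.strip() for k, v in pairs}

def covers(labels, selector):
    # True when every key/value of the selector is present in labels.
    return all(labels.get(k) == v for k, v in selector.items())

def audit(selector, namespaces, pods, nodes):
    # Inputs: "items" of `kubectl get ... -o json`; namespaces are the tenant's own.
    findings, tenant_ns = [], set()
    node_labels = {n["metadata"]["name"]: n["metadata"].get("labels") or {} for n in nodes}
    for ns in namespaces:
        meta = ns["metadata"]
        tenant_ns.add(meta["name"])
        value = (meta.get("annotations") or {}).get(ANNOTATION, "")
        if parse_selector(value) != selector:
            findings.append(f"ns/{meta['name']}: annotation is {value!r}")
    for pod in pods:
        meta, spec = pod["metadata"], pod["spec"]
        if meta["namespace"] not in tenant_ns:
            continue  # pod belongs to another tenant or to the system
        ref = f"pod/{meta['namespace']}/{meta['name']}"
        if not covers(spec.get("nodeSelector") or {}, selector):
            findings.append(f"{ref}: nodeSelector lacks the tenant selector")
        node = spec.get("nodeName")
        if node and not covers(node_labels.get(node, {}), selector):
            findings.append(f"{ref}: running on {node}, outside the pool")
    return findings

# Constructed sample objects, trimmed to the fields the audit reads.
NODES = [{"metadata": {"name": "worker06.acme.com", "labels": {"pool": "oil"}}},
         {"metadata": {"name": "worker01.acme.com", "labels": {}}}]
NAMESPACES = [
    {"metadata": {"name": "oil-production", "annotations": {ANNOTATION: "pool=oil"}}},
    {"metadata": {"name": "oil-development"}}]
PODS = [
    {"metadata": {"namespace": "oil-production", "name": "web"},
     "spec": {"nodeSelector": {"pool": "oil"}, "nodeName": "worker06.acme.com"}},
    {"metadata": {"namespace": "oil-development", "name": "batch"},
     "spec": {"nodeName": "worker01.acme.com"}},
    {"metadata": {"namespace": "kube-system", "name": "dns"},
     "spec": {"nodeName": "worker01.acme.com"}}]

if __name__ == "__main__":
    print("\n".join(audit({"pool": "oil"}, NAMESPACES, PODS, NODES)))
```

Admission plugins act only when a pod is created, so pods admitted before the annotation was set keep their original placement; that drift is what this check reports.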

What's next

See how Bill, the cluster admin, can assign an Ingress Class to Alice's tenant: Assign Ingress Classes.