What
Capsule from Clastix is a CRD-based approach to multi-tenancy in Kubernetes, where namespaces are aggregated into a lightweight abstraction called a Tenant.
Within each tenant, users are free to create their own namespaces and share the resources assigned to the tenant, while the Capsule Policy Engine keeps the different tenants isolated from each other. Network and Security Policies, Resource Quotas, Limit Ranges, RBAC and other policies defined at the tenant level are automatically inherited by every namespace in the tenant, so users can operate their tenants autonomously without involving the cluster administrator.
Architecture
Image credit: https://capsule.clastix.io/docs#whats-the-problem-with-the-current-status
Installation
```shell
❯ helm repo add clastix https://clastix.github.io/charts
"clastix" has been added to your repositories
❯ helm install capsule clastix/capsule -n capsule-system --create-namespace
NAME: capsule
LAST DEPLOYED: Thu Jul  7 11:26:28 2022
NAMESPACE: capsule-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
- Capsule Operator Helm Chart deployed:
...
```
Create tenants
```shell
❯ cat tenant-a.yaml
apiVersion: capsule.clastix.io/v1beta1
kind: Tenant
metadata:
  name: team-a
spec:
  owners:
  - name: adam
    kind: User
  - name: alice
    kind: User
❯ k create -f tenant-a.yaml -f tenant-b.yaml
tenant.capsule.clastix.io/team-a created
tenant.capsule.clastix.io/team-b created
❯ k get tenants
NAME     STATE    NAMESPACE QUOTA   NAMESPACE COUNT   NODE SELECTOR   AGE
team-a   Active                     0                                 48s
team-b   Active                     0                                 48s
```
Use tenants
```shell
# Create users with the script below (in the real world users come in through an
# OIDC group that maps to the tenant name)
# link: https://raw.githubusercontent.com/clastix/capsule/master/hack/create-user.sh
❯ ./create_user.sh adam team-a
creating certs in TMPDIR /var/folders/1w/9brxn3wn27b3xgk2t7hj5ns40000gn/T/tmp.VnLVNs1q
merging groups /O=capsule.clastix.io
Generating RSA private key, 2048 bit long modulus
..............+++
.........................................................................................................+++
e is 65537 (0x10001)
certificatesigningrequest.certificates.k8s.io/adam-team-a created
certificatesigningrequest.certificates.k8s.io/adam-team-a approved
kubeconfig file is: adam-team-a.kubeconfig
to use it as adam export KUBECONFIG=adam-team-a.kubeconfig

# Create a namespace as user adam
❯ k create ns a-one-ns --kubeconfig=/tmp/capsule/adam-team-a.kubeconfig
namespace/a-one-ns created

# Create a workload
❯ k run test-pod --image=nginx --restart=Never -n a-one-ns
pod/test-pod created

# Try creating another workload in the same namespace as another user: ben
❯ k run test-pod2 --image=nginx --restart=Never -n a-one-ns --kubeconfig=/tmp/capsule/ben-team-b.kubeconfig
Error from server (Forbidden): pods is forbidden: User "ben" cannot create resource "pods" in API group "" in the namespace "a-one-ns"
```
Applying quotas
```shell
❯ cat tenant-quota.yaml
apiVersion: capsule.clastix.io/v1beta1
kind: Tenant
metadata:
  name: team-alpha
spec:
  owners:
  - name: adam
    kind: User
  - name: alice
    kind: User
  namespaceOptions:
    quota: 3
  resourceQuotas:
    scope: Tenant
    items:
    - hard:
        limits.cpu: "8"
        limits.memory: 16Gi
        requests.cpu: "8"
        requests.memory: 16Gi
    - hard:
        pods: "10"
  limitRanges:
    items:
    - limits:
      - default:
          cpu: 500m
          memory: 512Mi
        defaultRequest:
          cpu: 100m
          memory: 10Mi
        type: Container
❯ k create -f tenant-quota.yaml
tenant.capsule.clastix.io/team-alpha created
❯ k get tenants.capsule.clastix.io
NAME         STATE    NAMESPACE QUOTA   NAMESPACE COUNT   NODE SELECTOR   AGE
team-a       Active                     2                                 23m
team-alpha   Active   3                 0                                 8s
team-b       Active                     0                                 23m
```
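As an added example (not Capsule's own code and not part of the original post), a small Python check over a Tenant spec like the one above: it flags a tenant with no namespace quota, no ResourceQuota or no Container LimitRange default, and computes how many default-sized pods the quotas actually allow. The spec is embedded as a dict mirroring tenant-quota.yaml rather than parsed from the file, and the key layout is assumed to follow the v1beta1 Tenant shown on the page.

```python
import re
# Tenant spec mirroring the page's tenant-quota.yaml (constructed inline, not read from disk).
TEAM_ALPHA = {
    "namespaceOptions": {"quota": 3},
    "resourceQuotas": {"scope": "Tenant", "items": [
        {"hard": {"limits.cpu": "8", "limits.memory": "16Gi",
                  "requests.cpu": "8", "requests.memory": "16Gi"}},
        {"hard": {"pods": "10"}}]},
    "limitRanges": {"items": [{"limits": [
        {"type": "Container", "default": {"cpu": "500m", "memory": "512Mi"},
         "defaultRequest": {"cpu": "100m", "memory": "10Mi"}}]}]},
}

_SUFFIX = {"": 1, "m": 1e-3, "Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3}

def quantity(q):
    """Convert a Kubernetes quantity such as '500m', '16Gi' or '8' to a float."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([A-Za-z]*)", str(q))
    return float(m.group(1)) * _SUFFIX[m.group(2)]  # raises on an unsupported quantity

def merged_hard(spec):
    """Flatten every resourceQuotas item into one {resource: quantity} map."""
    return {k: v for item in spec.get("resourceQuotas", {}).get("items", [])
            for k, v in item.get("hard", {}).items()}

def container_defaults(spec):
    """'default' limits of the Container LimitRange entry, or {} if absent."""
    items = spec.get("limitRanges", {}).get("items", [])
    return next((lim.get("default", {}) for lr in items for lim in lr.get("limits", [])
                 if lim.get("type") == "Container"), {})

def check_tenant(spec):
    """Return a list of findings; an empty list means every check passed."""
    findings, hard = [], merged_hard(spec)
    if spec.get("namespaceOptions", {}).get("quota") is None:
        findings.append("no namespaceOptions.quota: owners can create unlimited namespaces")
    if not hard:
        findings.append("no resourceQuotas: tenant workloads are unbounded")
    elif not container_defaults(spec):
        findings.append("no Container LimitRange default: every pod must set limits explicitly")
    return findings

def effective_pod_ceiling(spec):
    """Default-sized pods the tenant can run: the tightest of the pod, CPU and memory quotas."""
    hard, defaults = merged_hard(spec), container_defaults(spec)
    bounds = [quantity(hard["pods"])] if "pods" in hard else []
    for res in ("cpu", "memory"):
        if f"limits.{res}" in hard and res in defaults:
            bounds.append(quantity(hard[f"limits.{res}"]) // quantity(defaults[res]))
    return int(min(bounds)) if bounds else None
```

For team-alpha the pod count quota (10) is the binding limit, since 8 CPU would fit 16 default-sized pods and 16Gi would fit 32.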