## What

Capsule from Clastix is a CRD-based approach to multi-tenancy in which namespaces are aggregated into a lightweight abstraction called a Tenant.

Within each tenant, users are free to create their own namespaces and share all the resources assigned to the tenant. At the same time, the Capsule Policy Engine keeps the different tenants isolated from each other: Network and Security Policies, Resource Quotas, Limit Ranges, RBAC, and other policies defined at the tenant level are automatically inherited by all the namespaces in the tenant. Users can then operate their tenants autonomously, without the intervention of the cluster administrator.
## Architecture

Image credit: https://capsule.clastix.io/docs#whats-the-problem-with-the-current-status
## Installation

```console
❯ helm repo add clastix https://clastix.github.io/charts
"clastix" has been added to your repositories
❯ helm install capsule clastix/capsule -n capsule-system --create-namespace
NAME: capsule
LAST DEPLOYED: Thu Jul 7 11:26:28 2022
NAMESPACE: capsule-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
- Capsule Operator Helm Chart deployed:
...
```
## Create tenants

```console
❯ cat tenant-a.yaml
apiVersion: capsule.clastix.io/v1beta1
kind: Tenant
metadata:
  name: team-a
spec:
  owners:
  - name: adam
    kind: User
  - name: alice
    kind: User
❯ k create -f tenant-a.yaml -f tenant-b.yaml
tenant.capsule.clastix.io/team-a created
tenant.capsule.clastix.io/team-b created
❯ k get tenants
NAME     STATE    NAMESPACE QUOTA   NAMESPACE COUNT   NODE SELECTOR   AGE
team-a   Active                     0                                 48s
team-b   Active                     0                                 48s
```
## Use tenants

```console
# Create users with the script below (in the real world, users come in through an OIDC group that maps to the tenant name)
# link: https://raw.githubusercontent.com/clastix/capsule/master/hack/create-user.sh
❯ ./create_user.sh adam team-a
creating certs in TMPDIR /var/folders/1w/9brxn3wn27b3xgk2t7hj5ns40000gn/T/tmp.VnLVNs1q
merging groups /O=capsule.clastix.io
Generating RSA private key, 2048 bit long modulus
..............+++
.........................................................................................................+++
e is 65537 (0x10001)
certificatesigningrequest.certificates.k8s.io/adam-team-a created
certificatesigningrequest.certificates.k8s.io/adam-team-a approved
kubeconfig file is: adam-team-a.kubeconfig
to use it as adam export KUBECONFIG=adam-team-a.kubeconfig
# Create a namespace as user adam
❯ k create ns a-one-ns --kubeconfig=/tmp/capsule/adam-team-a.kubeconfig
namespace/a-one-ns created
# Create a workload
❯ k run test-pod --image=nginx --restart=Never -n a-one-ns
pod/test-pod created
# Try creating another workload in the same namespace as a different user: ben
❯ k run test-pod2 --image=nginx --restart=Never -n a-one-ns --kubeconfig=/tmp/capsule/ben-team-b.kubeconfig
Error from server (Forbidden): pods is forbidden: User "ben" cannot create resource "pods" in API group "" in the namespace "a-one-ns"
```
## Applying quotas

```console
❯ cat tenant-quota.yaml
apiVersion: capsule.clastix.io/v1beta1
kind: Tenant
metadata:
  name: team-alpha
spec:
  owners:
  - name: adam
    kind: User
  - name: alice
    kind: User
  namespaceOptions:
    quota: 3
  resourceQuotas:
    scope: Tenant
    items:
    - hard:
        limits.cpu: "8"
        limits.memory: 16Gi
        requests.cpu: "8"
        requests.memory: 16Gi
    - hard:
        pods: "10"
  limitRanges:
    items:
    - limits:
      - default:
          cpu: 500m
          memory: 512Mi
        defaultRequest:
          cpu: 100m
          memory: 10Mi
        type: Container
❯ k create -f tenant-quota.yaml
tenant.capsule.clastix.io/team-alpha created
❯ k get tenants.capsule.clastix.io
NAME         STATE    NAMESPACE QUOTA   NAMESPACE COUNT   NODE SELECTOR   AGE
team-a       Active                     2                                 23m
team-alpha   Active   3                 0                                 8s
team-b       Active                     0                                 23m
```
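As an added example that is not part of the original post or of Capsule itself, the script below audits from the cluster administrator's context that the isolation shown in the last two sections actually holds for every namespace of a tenant: `kubectl auth can-i --as` impersonates the owner and an outsider instead of attempting a real `kubectl run`, and the ResourceQuota and LimitRange defined at the tenant level are checked to have been replicated into each namespace. It assumes the `capsule.clastix.io/tenant` label Capsule sets on tenant namespaces, and the tenant and user names are the constructed ones from the post (team-a, adam, ben).

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from Capsule): audit that the
# isolation shown above actually holds for every namespace of a tenant.
# Tenant, owner and outsider names are passed as arguments, e.g.
#   ./audit-tenant.sh team-a adam ben
set -u

# Prints "ok" when the owner can create pods in the namespace, the outsider
# cannot, and Capsule has replicated at least one ResourceQuota and one
# LimitRange into it; otherwise prints a comma-separated list of failed checks.
audit_tenant_namespace() {
  local ns="$1" owner="$2" outsider="$3" failures=""

  # RBAC: impersonate each user and ask the API server, instead of attempting
  # a real create that might leave a pod behind.
  [ "$(kubectl auth can-i create pods -n "$ns" --as="$owner" 2>/dev/null)" = "yes" ] \
    || failures="${failures}owner-denied,"
  [ "$(kubectl auth can-i create pods -n "$ns" --as="$outsider" 2>/dev/null)" = "no" ] \
    || failures="${failures}outsider-allowed,"

  # Quota inheritance: count the objects the tenant spec should have produced.
  local rq lr
  rq=$(kubectl get resourcequota -n "$ns" -o name 2>/dev/null | grep -c . || true)
  lr=$(kubectl get limitrange -n "$ns" -o name 2>/dev/null | grep -c . || true)
  [ "$rq" -ge 1 ] || failures="${failures}no-resourcequota,"
  [ "$lr" -ge 1 ] || failures="${failures}no-limitrange,"

  if [ -z "$failures" ]; then echo ok; else echo "${failures%,}"; fi
}

# Walks every namespace Capsule has labelled as belonging to the tenant and
# returns non-zero if any of them fails a check.
audit_tenant() {
  local tenant="$1" owner="$2" outsider="$3" ns result rc=0
  for ns in $(kubectl get ns -l "capsule.clastix.io/tenant=$tenant" \
                -o jsonpath='{.items[*].metadata.name}' 2>/dev/null); do
    result=$(audit_tenant_namespace "$ns" "$owner" "$outsider")
    printf '%-24s %s\n' "$ns" "$result"
    [ "$result" = ok ] || rc=1
  done
  return "$rc"
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 3 ]; then
  audit_tenant "$1" "$2" "$3"
fi
```

A non-zero exit status from `audit_tenant` is what you would wire into a periodic job or CI check, since a namespace that lets a user from another tenant in is exactly the regression Capsule is meant to prevent.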