DEV Community 👩‍💻👨‍💻

Ashok Nagaraj

Tenants with Capsule

What

Capsule from Clastix is a CRD-based approach to multi-tenancy in which namespaces are aggregated into a lightweight abstraction called a Tenant.

Within each tenant, users are free to create their namespaces and share all the assigned resources. On the other side, the Capsule Policy Engine keeps the different tenants isolated from each other. Network and Security Policies, Resource Quota, Limit Ranges, RBAC, and other policies defined at the tenant level are automatically inherited by all the namespaces in the tenant. Then users are free to operate their tenants in autonomy, without the intervention of the cluster administrator.

Architecture

Image credit: https://capsule.clastix.io/docs#whats-the-problem-with-the-current-status

Installation

❯ helm repo add clastix https://clastix.github.io/charts
"clastix" has been added to your repositories
❯ helm install capsule clastix/capsule -n capsule-system --create-namespace
NAME: capsule
LAST DEPLOYED: Thu Jul  7 11:26:28 2022
NAMESPACE: capsule-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
- Capsule Operator Helm Chart deployed:
...

Create tenants

❯ cat tenant-a.yaml
apiVersion: capsule.clastix.io/v1beta1
kind: Tenant
metadata:
  name: team-a
spec:
  owners:
  - name: adam
    kind: User
  - name: alice
    kind: User
❯ k create -f tenant-a.yaml -f tenant-b.yaml
tenant.capsule.clastix.io/team-a created
tenant.capsule.clastix.io/team-b created
❯ k get tenants
NAME     STATE    NAMESPACE QUOTA   NAMESPACE COUNT   NODE SELECTOR   AGE
team-a   Active                     0                                 48s
team-b   Active                     0                                 48s

Use tenants

# Create users with the script linked below (in the real world, users would come in through an OIDC group that maps to the tenant name)
# link: https://raw.githubusercontent.com/clastix/capsule/master/hack/create-user.sh
❯ ./create_user.sh adam team-a
creating certs in TMPDIR /var/folders/1w/9brxn3wn27b3xgk2t7hj5ns40000gn/T/tmp.VnLVNs1q
merging groups /O=capsule.clastix.io
Generating RSA private key, 2048 bit long modulus
..............+++
.........................................................................................................+++
e is 65537 (0x10001)
certificatesigningrequest.certificates.k8s.io/adam-team-a created
certificatesigningrequest.certificates.k8s.io/adam-team-a approved
kubeconfig file is: adam-team-a.kubeconfig
to use it as adam export KUBECONFIG=adam-team-a.kubeconfig

# Create namespace as user: adam
❯ k create ns a-one-ns --kubeconfig=/tmp/capsule/adam-team-a.kubeconfig
namespace/a-one-ns created

# Create a workload
❯ k run test-pod --image=nginx --restart=Never -n a-one-ns
pod/test-pod created

# Try creating another workload as another user:ben
❯ k run test-pod2 --image=nginx --restart=Never -n a-one-ns --kubeconfig=/tmp/capsule/ben-team-b.kubeconfig
Error from server (Forbidden): pods is forbidden: User "ben" cannot create resource "pods" in API group "" in the namespace "a-one-ns"

Applying quotas

❯ cat tenant-quota.yaml
apiVersion: capsule.clastix.io/v1beta1
kind: Tenant
metadata:
  name: team-alpha
spec:
  owners:
  - name: adam
    kind: User
  - name: alice
    kind: User
  namespaceOptions:
    quota: 3
  resourceQuotas:
    scope: Tenant
    items:
    - hard:
        limits.cpu: "8"
        limits.memory: 16Gi
        requests.cpu: "8"
        requests.memory: 16Gi
    - hard:
        pods: "10"
  limitRanges:
    items:
    - limits:
      - default:
          cpu: 500m
          memory: 512Mi
        defaultRequest:
          cpu: 100m
          memory: 10Mi
        type: Container
❯ k create -f tenant-quota.yaml
tenant.capsule.clastix.io/team-alpha created

❯ k get tenants.capsule.clastix.io
NAME         STATE    NAMESPACE QUOTA   NAMESPACE COUNT   NODE SELECTOR   AGE
team-a       Active                     2                                 23m
team-alpha   Active   3                 0                                 8s
team-b       Active                     0                                 23m
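The Tenant spec is where the tenant-level guardrails described at the top of this post (quotas, limit ranges, namespace caps) actually live, and a tenant created without them, like team-a earlier, lets its owners create unlimited namespaces with unbounded resources. The following Python linter is an added example, not Capsule's code or the post's own: it takes a Tenant manifest already loaded into a dict (what `yaml.safe_load` would return), reports which controls are missing, and checks that the LimitRange container defaults fit inside the ResourceQuota. The sample tenants are constructed to mirror the team-a and team-alpha manifests above plus one deliberately inconsistent variant; the function names (`parse_quantity`, `check_tenant`, `_tenant`) and the finding texts are my own, and the quantity parser handles only the plain, milli, decimal-SI and binary-SI suffixes such manifests use.

```python
"""Lint Capsule Tenant manifests for missing tenant-level guardrails.

Added example for this post, not Capsule's own code. Input is a Tenant
manifest as a Python dict (what yaml.safe_load would return); the sample
tenants are constructed to mirror the team-a and team-alpha manifests
shown above, plus one deliberately inconsistent variant.
"""
import re
from typing import List

# Multipliers for the Kubernetes quantity suffixes used in quotas and limits.
_SUFFIX = {
    "": 1.0, "m": 1e-3, "k": 1e3, "M": 1e6, "G": 1e9, "T": 1e12,
    "Ki": 2 ** 10, "Mi": 2 ** 20, "Gi": 2 ** 30, "Ti": 2 ** 40,
}
_QTY_RE = re.compile(r"^(\d+(?:\.\d+)?)(Ki|Mi|Gi|Ti|m|k|M|G|T)?$")


def parse_quantity(value) -> float:
    """Convert a Kubernetes quantity ('8', '500m', '16Gi') to base units."""
    m = _QTY_RE.match(str(value))
    if not m:
        raise ValueError(f"unparseable quantity: {value!r}")
    number, suffix = m.groups()
    return float(number) * _SUFFIX[suffix or ""]


def check_tenant(tenant: dict) -> List[str]:
    """Return one finding per missing or inconsistent guardrail (empty list = ok)."""
    name = tenant.get("metadata", {}).get("name", "<unnamed>")
    spec = tenant.get("spec", {})
    findings = []
    if not spec.get("owners"):
        findings.append(f"{name}: no owners, so no one can create namespaces")
    if spec.get("namespaceOptions", {}).get("quota") is None:
        findings.append(f"{name}: no namespace quota, owners may create unlimited namespaces")
    quotas = spec.get("resourceQuotas", {}).get("items", [])
    if not quotas:
        findings.append(f"{name}: no resourceQuotas, tenant usage is unbounded")
    ranges = spec.get("limitRanges", {}).get("items", [])
    if not ranges:
        findings.append(f"{name}: no limitRanges, containers get no default limits")

    # Merge every 'hard' map; Capsule applies each item as its own ResourceQuota.
    hard = {}
    for item in quotas:
        hard.update(item.get("hard", {}))
    for lr in ranges:
        for lim in lr.get("limits", []):
            if lim.get("type") != "Container":
                continue
            defaults = lim.get("default", {})
            # A single container's default limit must fit inside the tenant quota.
            for res, val in defaults.items():
                key = f"limits.{res}"
                if key in hard and parse_quantity(val) > parse_quantity(hard[key]):
                    findings.append(f"{name}: default {key}={val} exceeds quota {hard[key]}")
            # Kubernetes rejects a LimitRange whose default request exceeds its default limit.
            for res, req in lim.get("defaultRequest", {}).items():
                if res in defaults and parse_quantity(req) > parse_quantity(defaults[res]):
                    findings.append(f"{name}: defaultRequest {res}={req} exceeds default limit {defaults[res]}")
    return findings


def _tenant(name, **spec):
    """Build a minimal Tenant manifest dict (hypothetical helper)."""
    return {"apiVersion": "capsule.clastix.io/v1beta1", "kind": "Tenant",
            "metadata": {"name": name}, "spec": spec}


OWNERS = [{"name": "adam", "kind": "User"}, {"name": "alice", "kind": "User"}]

# Constructed: team-a as in the post, owners only.
TEAM_A = _tenant("team-a", owners=OWNERS)

# Constructed: team-alpha as in the post, with namespace quota, quotas and limit ranges.
TEAM_ALPHA = _tenant(
    "team-alpha", owners=OWNERS,
    namespaceOptions={"quota": 3},
    resourceQuotas={"scope": "Tenant", "items": [
        {"hard": {"limits.cpu": "8", "limits.memory": "16Gi",
                  "requests.cpu": "8", "requests.memory": "16Gi"}},
        {"hard": {"pods": "10"}},
    ]},
    limitRanges={"items": [{"limits": [{
        "type": "Container",
        "default": {"cpu": "500m", "memory": "512Mi"},
        "defaultRequest": {"cpu": "100m", "memory": "10Mi"},
    }]}]},
)

# Constructed variant: a default container limit larger than the whole tenant quota.
TEAM_OVERSIZED = _tenant(
    "team-oversized", owners=OWNERS, namespaceOptions={"quota": 3},
    resourceQuotas={"scope": "Tenant", "items": [{"hard": {"limits.cpu": "8"}}]},
    limitRanges={"items": [{"limits": [{
        "type": "Container", "default": {"cpu": "16"}, "defaultRequest": {"cpu": "1"},
    }]}]},
)

if __name__ == "__main__":
    for t in (TEAM_A, TEAM_ALPHA, TEAM_OVERSIZED):
        for line in check_tenant(t) or [f"{t['metadata']['name']}: ok"]:
            print(line)
```

Run it as a pre-apply gate (for instance in CI before `kubectl create -f tenant.yaml`): team-a produces three findings, team-alpha passes clean, and the oversized variant is flagged because a single container at its default limit could never be scheduled under the tenant quota.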

Administration and more use cases
