目录

使用capsule管理k8s多租户(tenants)

https://cdn.agou-ops.cn/blog-images/capsule-operator.d853076.ce76636fce3e3130134a6f768700f6f7.svg

Capsule implements a multi-tenant and policy-based environment in your Kubernetes cluster. It is designed as a micro-services-based ecosystem with the minimalist approach, leveraging only on upstream Kubernetes.

官方文档地址:https://capsule.clastix.io/

helm快速安装

1
2
3
helm repo add projectcapsule https://projectcapsule.github.io/charts

helm install capsule projectcapsule/capsule -n capsule-system --create-namespace

快速开始

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
# 创建一个租户,租户里面有用户suofeiya
kubectl create -f - << EOF
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: tenant
spec:
  owners:
  - name: suofeiya
    kind: User
EOF

# 创建完成之后
kubectl get tenants
# 示例输出
NAME     STATE    NAMESPACE QUOTA   NAMESPACE COUNT   NODE SELECTOR   AGE
suofeiya Active                     0                                 10s

然后使用hack/create-user.sh脚本配置用户证书以及kubeconfig等:

1
2
3
4
5
# 第一个参数为用户,第二个为租户名称
./create-user.sh suofeiya tenant

# 使用创建出来用户的Context
export KUBECONFIG=suofeiya-tenant.kubeconfig

使用该context创建命名空间,推荐以租户名称为前缀,中间以空格分割:

1
2
3
kubectl create ns tenant-demo

kubectl run nginx --image=nginx -n tenant-demo

附录:tenant配置

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
apiVersion: capsule.clastix.io/v1beta1
kind: Tenant
metadata:
  name: tenants-sample
spec:
  apiVersion: <string>
  kind: <string>
  metadata: {}
  spec:
    additionalRoleBindings:
    - clusterRoleName: <string>
      subjects:
      - apiGroup: <string>
        kind: <string>
        name: <string>
        namespace: <string>
    containerRegistries:
      allowed:
      - <string>
      allowedRegex: <string>
    imagePullPolicies:
    - <string>
    ingressOptions:
      allowedClasses:
        allowed:
        - <string>
        allowedRegex: <string>
      allowedHostnames:
        allowed:
        - <string>
        allowedRegex: <string>
      hostnameCollisionScope: <string>
    limitRanges:
      items:
      - limits:
        - default: {}
          defaultRequest: {}
          max: {}
          maxLimitRequestRatio: {}
          min: {}
          type: <string>
    namespaceOptions:
      additionalMetadata:
        annotations: {}
        labels: {}
      quota: 0
    networkPolicies:
      items:
      - egress:
        - ports:
          - endPort: 0
            port: <nil>
            protocol: <string>
          to:
          - ipBlock:
              cidr: <string>
              except:
              - <string>
            namespaceSelector:
              matchExpressions:
              - key: <string>
                operator: <string>
                values:
                - <string>
              matchLabels: {}
            podSelector:
              matchExpressions:
              - key: <string>
                operator: <string>
                values:
                - <string>
              matchLabels: {}
        ingress:
        - from:
          - ipBlock:
              cidr: <string>
              except:
              - <string>
            namespaceSelector:
              matchExpressions:
              - key: <string>
                operator: <string>
                values:
                - <string>
              matchLabels: {}
            podSelector:
              matchExpressions:
              - key: <string>
                operator: <string>
                values:
                - <string>
              matchLabels: {}
          ports:
          - endPort: 0
            port: <nil>
            protocol: <string>
        podSelector:
          matchExpressions:
          - key: <string>
            operator: <string>
            values:
            - <string>
          matchLabels: {}
        policyTypes:
        - <string>
    nodeSelector: {}
    owners:
    - kind: <string>
      name: <string>
      proxySettings:
      - kind: <string>
        operations:
        - <string>
    priorityClasses:
      allowed:
      - <string>
      allowedRegex: <string>
    resourceQuotas:
      items:
      - hard: {}
        scopeSelector:
          matchExpressions:
          - operator: <string>
            scopeName: <string>
            values:
            - <string>
        scopes:
        - <string>
      scope: <string>
    serviceOptions:
      additionalMetadata:
        annotations: {}
        labels: {}
      allowedServices:
        externalName: true
        loadBalancer: true
        nodePort: true
      externalIPs:
        allowed:
        - <string>
      forbiddenAnnotations:
        denied:
        - <string>
        deniedRegex: <string>
      forbiddenLabels:
        denied:
        - <string>
        deniedRegex: <string>
    storageClasses:
      allowed:
      - <string>
      allowedRegex: <string>
  status:
    namespaces:
    - <string>
    size: 0
    state: <string>

参考链接