Capsule implements a multi-tenant and policy-based environment in your Kubernetes cluster. It is designed as a micro-services-based ecosystem with the minimalist approach, leveraging only on upstream Kubernetes.
官方文档地址:https://capsule.clastix.io/
helm快速安装
1
2
3
| helm repo add projectcapsule https://projectcapsule.github.io/charts
helm install capsule projectcapsule/capsule -n capsule-system --create-namespace
|
快速开始
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
| # 创建一个租户,租户里面有用户suofeiya
kubectl create -f - << EOF
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
name: tenant
spec:
owners:
- name: suofeiya
kind: User
EOF
# 创建完成之后
kubectl get tenants
# 示例输出
NAME STATE NAMESPACE QUOTA NAMESPACE COUNT NODE SELECTOR AGE
suofeiya Active 0 10s
|
然后使用hack/create-user.sh脚本配置用户证书以及kubeconfig等:
1
2
3
4
5
| # 第一个参数为用户,第二个为租户名称
./create-user.sh suofeiya tenant
# 使用创建出来用户的Context
export KUBECONFIG=suofeiya-tenant.kubeconfig
|
使用该context创建命名空间,推荐以租户名称为前缀,中间以空格分割:
1
2
3
| kubectl create ns tenant-demo
kubectl run nginx --image=nginx -n tenant-demo
|
附录:tenant配置
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
| apiVersion: capsule.clastix.io/v1beta1
kind: Tenant
metadata:
name: tenants-sample
spec:
apiVersion: <string>
kind: <string>
metadata: {}
spec:
additionalRoleBindings:
- clusterRoleName: <string>
subjects:
- apiGroup: <string>
kind: <string>
name: <string>
namespace: <string>
containerRegistries:
allowed:
- <string>
allowedRegex: <string>
imagePullPolicies:
- <string>
ingressOptions:
allowedClasses:
allowed:
- <string>
allowedRegex: <string>
allowedHostnames:
allowed:
- <string>
allowedRegex: <string>
hostnameCollisionScope: <string>
limitRanges:
items:
- limits:
- default: {}
defaultRequest: {}
max: {}
maxLimitRequestRatio: {}
min: {}
type: <string>
namespaceOptions:
additionalMetadata:
annotations: {}
labels: {}
quota: 0
networkPolicies:
items:
- egress:
- ports:
- endPort: 0
port: <nil>
protocol: <string>
to:
- ipBlock:
cidr: <string>
except:
- <string>
namespaceSelector:
matchExpressions:
- key: <string>
operator: <string>
values:
- <string>
matchLabels: {}
podSelector:
matchExpressions:
- key: <string>
operator: <string>
values:
- <string>
matchLabels: {}
ingress:
- from:
- ipBlock:
cidr: <string>
except:
- <string>
namespaceSelector:
matchExpressions:
- key: <string>
operator: <string>
values:
- <string>
matchLabels: {}
podSelector:
matchExpressions:
- key: <string>
operator: <string>
values:
- <string>
matchLabels: {}
ports:
- endPort: 0
port: <nil>
protocol: <string>
podSelector:
matchExpressions:
- key: <string>
operator: <string>
values:
- <string>
matchLabels: {}
policyTypes:
- <string>
nodeSelector: {}
owners:
- kind: <string>
name: <string>
proxySettings:
- kind: <string>
operations:
- <string>
priorityClasses:
allowed:
- <string>
allowedRegex: <string>
resourceQuotas:
items:
- hard: {}
scopeSelector:
matchExpressions:
- operator: <string>
scopeName: <string>
values:
- <string>
scopes:
- <string>
scope: <string>
serviceOptions:
additionalMetadata:
annotations: {}
labels: {}
allowedServices:
externalName: true
loadBalancer: true
nodePort: true
externalIPs:
allowed:
- <string>
forbiddenAnnotations:
denied:
- <string>
deniedRegex: <string>
forbiddenLabels:
denied:
- <string>
deniedRegex: <string>
storageClasses:
allowed:
- <string>
allowedRegex: <string>
status:
namespaces:
- <string>
size: 0
state: <string>
|
参考链接
