DEV Community

Hamdi KHELIL
Hamdi KHELIL

Posted on

Capsule: How to Use It and First Steps to Set It Up on an AKS Cluster ๐Ÿš€

Capsule is an awesome, open-source solution that helps you manage multiple tenants in Kubernetes clusters, making it super easy to handle multi-tenancy. Whether youโ€™re running Kubernetes for a big company or providing services for others, Capsule ensures your clusters stay organized and secure!

In this guide, weโ€™ll dive into what Capsule is, why itโ€™s a great choice, and show you how to set it up on an Azure Kubernetes Service (AKS) cluster. Ready? Letโ€™s go! ๐ŸŽ‰

What is Capsule? ๐Ÿค”

Capsule adds an extra layer on top of Kubernetes, making it easier for you to manage multiple tenants. These tenants get their own space, resources, and security without interfering with each other. Some cool features of Capsule include:

  • Tenant Isolation: Each tenant gets its own sandbox, so they donโ€™t step on each otherโ€™s toes. ๐Ÿšง
  • Resource Quotas: You can limit how much CPU, memory, and other resources each tenant can use. No more hogging! ๐Ÿท
  • Namespace Management: Tenants can create and manage their own namespaces, keeping things tidy. ๐Ÿ—‚๏ธ
  • Security Policies: Capsule ensures that each tenant has its own security settings, keeping everything safe. ๐Ÿ”’
  • Cluster Sharing: You can share the same Kubernetes cluster with multiple tenants while keeping them separated. ๐ŸŒ

Why Should You Use Capsule? ๐Ÿ’ก

  1. Multi-tenancy Made Easy: Capsule makes managing tenants a breeze, giving you better control over shared clusters.
  2. Efficient Resource Use: Share resources among tenants without worrying about one tenant taking everything.
  3. Top-notch Security: Keep tenants isolated with network and security policies.
  4. Centralized Management: Simplifies managing Kubernetes resources by organizing them under tenants.

Capsuleโ€™s Architecture

Capsule operates as a Kubernetes controller, managing tenants using Capsule Custom Resource Definitions (CRDs). When you create a new tenant, Capsule links it to specific namespaces, ensuring isolation. Plus, it enforces policies to keep everything in check. Easy-peasy! ๐ŸŒŸ

Setting Up Capsule on an AKS Cluster ๐Ÿ”ง

Letโ€™s walk through the steps of getting Capsule up and running on your AKS cluster.

Prerequisites โœ…

Make sure you have the following set up:

  1. Azure CLI: Installed and logged in to your Azure account.
  2. kubectl: Installed and configured to work with your AKS cluster.
  3. Helm: Installed for managing packages in Kubernetes.

Step 1: Create Your AKS Cluster โ˜๏ธ

If you donโ€™t have an AKS cluster yet, create one using Azure CLI:

az aks create --resource-group <RESOURCE_GROUP> --name <CLUSTER_NAME> --node-count 3 --enable-managed-identity --generate-ssh-keys
Enter fullscreen mode Exit fullscreen mode

Now connect to your AKS cluster:

az aks get-credentials --resource-group <RESOURCE_GROUP> --name <CLUSTER_NAME>
Enter fullscreen mode Exit fullscreen mode

Check that youโ€™re connected by listing your nodes:

kubectl get nodes
Enter fullscreen mode Exit fullscreen mode

Step 2: Install Cert-Manager ๐Ÿ”‘

Capsule requires cert-manager to handle certificates for webhooks. Install cert-manager using Helm:

helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.10.1 --set installCRDs=true
Enter fullscreen mode Exit fullscreen mode

Ensure that cert-manager is running:

kubectl get pods --namespace cert-manager
Enter fullscreen mode Exit fullscreen mode

Step 3: Install Capsule ๐ŸŽฏ

Now letโ€™s install Capsule! You can use Helm for this:

helm repo add clastix https://clastix.github.io/charts
helm repo update
helm install capsule clastix/capsule --namespace capsule-system --create-namespace
Enter fullscreen mode Exit fullscreen mode

Check that Capsule is installed:

kubectl get pods --namespace capsule-system
Enter fullscreen mode Exit fullscreen mode

Step 4: Create a Tenant ๐Ÿข

With Capsule installed, letโ€™s create your first tenant! Here's an example of a Tenant resource:

apiVersion: capsule.clastix.io/v1alpha1
kind: Tenant
metadata:
  name: my-tenant
spec:
  owners:
    - kind: User
      name: john@example.com
  namespacesMetadata:
    additionalMetadata:
      labels:
        owner: john@example.com
Enter fullscreen mode Exit fullscreen mode

Save this as tenant.yaml and apply it:

kubectl apply -f tenant.yaml
Enter fullscreen mode Exit fullscreen mode

Boom! Youโ€™ve just created your first tenant ๐ŸŽ‰

Step 5: Verify Your Tenant ๐Ÿง

To confirm your tenant was created, run:

kubectl get tenants
Enter fullscreen mode Exit fullscreen mode

You should see your brand-new tenant listed!

Step 6: Set Resource Limits ๐Ÿ’ช

Capsule allows you to assign resource quotas to each tenant. Update the tenant definition to include CPU and memory limits:

spec:
  resourceQuotas:
    - hard:
        requests.cpu: "4"
        requests.memory: "8Gi"
        limits.cpu: "8"
        limits.memory: "16Gi"
Enter fullscreen mode Exit fullscreen mode

Apply the updated tenant:

kubectl apply -f tenant.yaml
Enter fullscreen mode Exit fullscreen mode

This makes sure your tenant stays within its resource limits! ๐ŸŽ›๏ธ

Step 7: Let Tenants Manage Their Namespaces ๐Ÿ“‚

You can let tenants create and manage their namespaces! Add the following to your tenant definition:

spec:
  namespacesMetadata:
    additionalMetadata:
      annotations:
        capsule.clastix.io/allowed-namespaces-range: "^mytenant-.*"
Enter fullscreen mode Exit fullscreen mode

This ensures tenants can only create namespaces with a specific prefix, keeping things organized!

Examples for a Shared Kubernetes Cluster ๐ŸŒ

In a shared Kubernetes cluster, tenants can coexist but maintain separation in terms of resources and namespaces. Capsule helps ensure this, but letโ€™s look at a few examples of how you can configure a shared cluster.

1. Shared Infrastructure for Multiple Teams ๐Ÿข

Imagine you're running Kubernetes for multiple development teams, like Team A and Team B, on a shared AKS cluster. Capsule allows you to create separate tenants for each team, and each team can manage its own namespaces, but they canโ€™t interfere with each other.

Hereโ€™s how you can define tenants for both teams:

apiVersion: capsule.clastix.io/v1alpha1
kind: Tenant
metadata:
  name: team-a
spec:
  owners:
    - kind: User
      name: team-a-admin@example.com
  namespacesMetadata:
    additionalMetadata:
      labels:
        team: team-a
---
apiVersion: capsule.clastix.io/v1alpha1
kind: Tenant
metadata:
  name: team-b
spec:
  owners:
    - kind: User
      name: team-b-admin@example.com
  namespacesMetadata:
    additionalMetadata:
      labels:
        team: team-b
Enter fullscreen mode Exit fullscreen mode

Each team gets its own tenant with an admin user who can manage the namespaces. You can also set resource quotas for each team to prevent overuse:

spec:
  resourceQuotas:
    - hard:
        requests.cpu: "6"
        requests.memory: "10Gi"
        limits.cpu: "12"
        limits.memory: "20Gi"
Enter fullscreen mode Exit fullscreen mode

2. Tenant-Specific Network Policies ๐Ÿ”

In a shared environment, you might want to restrict network access between tenants. With Capsule, you can set network policies that prevent one tenant from communicating with another tenantโ€™s resources:

spec:
  networkPolicies:
    egress:
      - to:
          namespaceSelector:
            matchLabels:
              capsule.clastix.io/tenant: team-a
        ports:
          - protocol: TCP
            port: 80
Enter fullscreen mode Exit fullscreen mode

This ensures that only specific network traffic is allowed between tenants, keeping resources safe and secure.

3. Shared Services Across Tenants โš™๏ธ

Sometimes, tenants need access to shared services (like a database). Capsule allows for such shared services while maintaining isolation for other resources:

spec:
  additionalRoleBindings:
    - roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: shared-service-access
      subjects:
        - kind: User
          name: team-a
        - kind: User
          name: team-b
Enter fullscreen mode Exit fullscreen mode

This allows Team A and Team B to access a shared database service without violating the isolation of other resources within the cluster.

Wrapping Up ๐ŸŽ

Capsule is a fantastic tool for managing multi-tenancy in Kubernetes. With features like tenant isolation, resource quotas, and namespace control, it takes the complexity out of handling multiple users or teams in a single cluster.

By following the steps in this guide, youโ€™ve set up Capsule on your AKS cluster and created your first tenant! Now you can manage tenants with ease and scale your Kubernetes infrastructure confidently. ๐ŸŒŸ

Happy clustering !

Top comments (0)