Capsule is an awesome, open-source solution that helps you manage multiple tenants in Kubernetes clusters, making it super easy to handle multi-tenancy. Whether youโre running Kubernetes for a big company or providing services for others, Capsule ensures your clusters stay organized and secure!
In this guide, weโll dive into what Capsule is, why itโs a great choice, and show you how to set it up on an Azure Kubernetes Service (AKS) cluster. Ready? Letโs go! ๐
What is Capsule? ๐ค
Capsule adds an extra layer on top of Kubernetes, making it easier for you to manage multiple tenants. These tenants get their own space, resources, and security without interfering with each other. Some cool features of Capsule include:
- Tenant Isolation: Each tenant gets its own sandbox, so they donโt step on each otherโs toes. ๐ง
- Resource Quotas: You can limit how much CPU, memory, and other resources each tenant can use. No more hogging! ๐ท
- Namespace Management: Tenants can create and manage their own namespaces, keeping things tidy. ๐๏ธ
- Security Policies: Capsule ensures that each tenant has its own security settings, keeping everything safe. ๐
- Cluster Sharing: You can share the same Kubernetes cluster with multiple tenants while keeping them separated. ๐
Why Should You Use Capsule? ๐ก
- Multi-tenancy Made Easy: Capsule makes managing tenants a breeze, giving you better control over shared clusters.
- Efficient Resource Use: Share resources among tenants without worrying about one tenant taking everything.
- Top-notch Security: Keep tenants isolated with network and security policies.
- Centralized Management: Simplifies managing Kubernetes resources by organizing them under tenants.
Capsuleโs Architecture
Capsule operates as a Kubernetes controller, managing tenants using Capsule Custom Resource Definitions (CRDs). When you create a new tenant, Capsule links it to specific namespaces, ensuring isolation. Plus, it enforces policies to keep everything in check. Easy-peasy! ๐
Setting Up Capsule on an AKS Cluster ๐ง
Letโs walk through the steps of getting Capsule up and running on your AKS cluster.
Prerequisites โ
Make sure you have the following set up:
- Azure CLI: Installed and logged in to your Azure account.
- kubectl: Installed and configured to work with your AKS cluster.
- Helm: Installed for managing packages in Kubernetes.
Step 1: Create Your AKS Cluster โ๏ธ
If you donโt have an AKS cluster yet, create one using Azure CLI:
az aks create --resource-group <RESOURCE_GROUP> --name <CLUSTER_NAME> --node-count 3 --enable-managed-identity --generate-ssh-keys
Now connect to your AKS cluster:
az aks get-credentials --resource-group <RESOURCE_GROUP> --name <CLUSTER_NAME>
Check that youโre connected by listing your nodes:
kubectl get nodes
Step 2: Install Cert-Manager ๐
Capsule requires cert-manager to handle certificates for webhooks. Install cert-manager using Helm:
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.10.1 --set installCRDs=true
Ensure that cert-manager is running:
kubectl get pods --namespace cert-manager
Step 3: Install Capsule ๐ฏ
Now letโs install Capsule! You can use Helm for this:
helm repo add clastix https://clastix.github.io/charts
helm repo update
helm install capsule clastix/capsule --namespace capsule-system --create-namespace
Check that Capsule is installed:
kubectl get pods --namespace capsule-system
Step 4: Create a Tenant ๐ข
With Capsule installed, letโs create your first tenant! Here's an example of a Tenant
resource:
apiVersion: capsule.clastix.io/v1alpha1
kind: Tenant
metadata:
name: my-tenant
spec:
owners:
- kind: User
name: john@example.com
namespacesMetadata:
additionalMetadata:
labels:
owner: john@example.com
Save this as tenant.yaml
and apply it:
kubectl apply -f tenant.yaml
Boom! Youโve just created your first tenant ๐
Step 5: Verify Your Tenant ๐ง
To confirm your tenant was created, run:
kubectl get tenants
You should see your brand-new tenant listed!
Step 6: Set Resource Limits ๐ช
Capsule allows you to assign resource quotas to each tenant. Update the tenant definition to include CPU and memory limits:
spec:
resourceQuotas:
- hard:
requests.cpu: "4"
requests.memory: "8Gi"
limits.cpu: "8"
limits.memory: "16Gi"
Apply the updated tenant:
kubectl apply -f tenant.yaml
This makes sure your tenant stays within its resource limits! ๐๏ธ
Step 7: Let Tenants Manage Their Namespaces ๐
You can let tenants create and manage their namespaces! Add the following to your tenant definition:
spec:
namespacesMetadata:
additionalMetadata:
annotations:
capsule.clastix.io/allowed-namespaces-range: "^mytenant-.*"
This ensures tenants can only create namespaces with a specific prefix, keeping things organized!
Examples for a Shared Kubernetes Cluster ๐
In a shared Kubernetes cluster, tenants can coexist but maintain separation in terms of resources and namespaces. Capsule helps ensure this, but letโs look at a few examples of how you can configure a shared cluster.
1. Shared Infrastructure for Multiple Teams ๐ข
Imagine you're running Kubernetes for multiple development teams, like Team A and Team B, on a shared AKS cluster. Capsule allows you to create separate tenants for each team, and each team can manage its own namespaces, but they canโt interfere with each other.
Hereโs how you can define tenants for both teams:
apiVersion: capsule.clastix.io/v1alpha1
kind: Tenant
metadata:
name: team-a
spec:
owners:
- kind: User
name: team-a-admin@example.com
namespacesMetadata:
additionalMetadata:
labels:
team: team-a
---
apiVersion: capsule.clastix.io/v1alpha1
kind: Tenant
metadata:
name: team-b
spec:
owners:
- kind: User
name: team-b-admin@example.com
namespacesMetadata:
additionalMetadata:
labels:
team: team-b
Each team gets its own tenant with an admin user who can manage the namespaces. You can also set resource quotas for each team to prevent overuse:
spec:
resourceQuotas:
- hard:
requests.cpu: "6"
requests.memory: "10Gi"
limits.cpu: "12"
limits.memory: "20Gi"
2. Tenant-Specific Network Policies ๐
In a shared environment, you might want to restrict network access between tenants. With Capsule, you can set network policies that prevent one tenant from communicating with another tenantโs resources:
spec:
networkPolicies:
egress:
- to:
namespaceSelector:
matchLabels:
capsule.clastix.io/tenant: team-a
ports:
- protocol: TCP
port: 80
This ensures that only specific network traffic is allowed between tenants, keeping resources safe and secure.
3. Shared Services Across Tenants โ๏ธ
Sometimes, tenants need access to shared services (like a database). Capsule allows for such shared services while maintaining isolation for other resources:
spec:
additionalRoleBindings:
- roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: shared-service-access
subjects:
- kind: User
name: team-a
- kind: User
name: team-b
This allows Team A and Team B to access a shared database service without violating the isolation of other resources within the cluster.
Wrapping Up ๐
Capsule is a fantastic tool for managing multi-tenancy in Kubernetes. With features like tenant isolation, resource quotas, and namespace control, it takes the complexity out of handling multiple users or teams in a single cluster.
By following the steps in this guide, youโve set up Capsule on your AKS cluster and created your first tenant! Now you can manage tenants with ease and scale your Kubernetes infrastructure confidently. ๐
Happy clustering !
Top comments (0)