It's time to share Capsule, a multi-tenant #Kubernetes operator, licensed Apache 2.0, and #CNCF compatible.
github.com/clastix/capsule
Drilling down the Capsule capabilities! 👇👇👇
github.com/clastix/capsule
Drilling down the Capsule capabilities! 👇👇👇
All the business logic is handled by a **single** Custom Resource Definition, named Tenant: github.com/clastix/capsul…
No more pain with the CRDs mayhem (yeah, Istio: I'm looking at you)
No more pain with the CRDs mayhem (yeah, Istio: I'm looking at you)
A Tenant owner is going to interact with the Kubernetes CaaS as a normal cluster: `kubectl create namespace my-ns` and that's all, Capsule is wrapping all the complexity, adding the Namespace to the Tenant with some Dynamic Admission Controllers!
github.com/clastix/capsul…
github.com/clastix/capsul…
The Tenant owners are **not** Service Accounts but rather users provided by your OIDC service: just need to put them in the group `capsule.clastix.io` (github.com/clastix/capsul…) and the Dynamic Admission Webhooks will do the job for you.
The CRD is pretty straightforward: github.com/clastix/capsul…
You can limit the maximum amount of Namespace a Tenant owner can create using `namespaceQuota`...
You can limit the maximum amount of Namespace a Tenant owner can create using `namespaceQuota`...
Or specify which Ingress or Storage Classes can be used.
Furthermore, you can enforce resource limits (e.g.: avoiding Pods without limits) with the `limitRanges` key or force the Node Selector to provide tiering according to your needs.
Furthermore, you can enforce resource limits (e.g.: avoiding Pods without limits) with the `limitRanges` key or force the Node Selector to provide tiering according to your needs.
But what about for Networking? NetworkPolicy to the rescue: limit networking only to Pods on the same Tenant, or hack it according to your needs.
Last but not least, what about Tenant overall resource quotas?
We implemented the `resourceQuotas`: just specify the ResourceQuotaSpec as list and these will be enforced at **Tenant** level, providing a higher abstraction of a set of Namespace.
We implemented the `resourceQuotas`: just specify the ResourceQuotaSpec as list and these will be enforced at **Tenant** level, providing a higher abstraction of a set of Namespace.
We're looking for feedback and we're eager to get an open discussion on the next step: you can start the project, take a look at the Issue section, and open also your questions, we'd love to answer them!
The production-grade of the project is still in Alpha, the next steps are an e2e test coverage (KinD for the rescue!) and a GitHub Pages documentation: take a look to the `help-wanted` labels, looking forward to your help!
@threadreaderapp unroll
