Multitenancy

Kubernetes also has an additional construct for isolation at the cluster level. In most cases, you can run Kubernetes and never worry about namespaces; everything will run in the default namespace if not specified. However, in cases where you run multitenancy communities or want broad-scale segregation and isolation of the cluster resources, namespaces can be used to this end. True, end-to-end multitenancy is not yet feature complete in Kubernetes, but you can get very close using RBAC, container permissions, ingress rules, and clear network policing. If you're interested in enterprise-strength multitenancy right now, Red Hat's Openshift Origin (OO) would be a good place to learn.

You can check out OO at https://github.com/openshift/origin.

To start, Kubernetes has two namespaces—default and kube-system. The kube-system namespace is used for all the system-level containers we saw in Chapter 1, Introduction to Kubernetes, in the Services running on the minions section. UI, logging, DNS, and so on are all run in kube-system. Everything else the user creates runs in the default namespace. However, our resource definition files can optionally specify a custom namespace. For the sake of experimenting, let's take a look at how to build a new namespace.

First, we'll need to create a namespace definition file test-ns.yaml like the one in the following lines of code:

apiVersion: v1 
kind: Namespace 
metadata: 
  name: test

We can go ahead and create this file with our handy create command:

$ kubectl create -f test-ns.yaml

Now, we can create resources that use the test namespace. The following listing, ns-pod.yaml, is an example of a pod using this new namespace:

apiVersion: v1 
kind: Pod 
metadata: 
  name: utility 
  namespace: test 
spec: 
  containers: 
  - image: debian:latest 
    command: 
      - sleep 
      - "3600" 
    name: utility

While the pod can still access services in other namespaces, it will need to use the long DNS form of <service-name>.<namespace-name>.cluster.local. For example, if you were to run a command from inside the container in listing ns-pod.yaml, you could use node-js.default.cluster.local to access the Node.js example from Chapter 2, Pods, Services, Replication Controllers, and Labels.

Here is a note about resource utilization. At some point in this book, you may run out of space on your cluster to create new Kubernetes resources. The timing will vary based on cluster size, but it's good to keep this in mind and do some cleanup from time to time. Use the following commands to remove old examples:
 $ kubectl delete pod <pod name>
 $ kubectl delete svc <service name>
 $ kubectl delete rc <replication controller name>
 $ kubectl delete rs <replicaset name>.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.225.55.151