Install Capsule
This article explains how the KubeRocketCI leverages Capsule capabilities to enable isolation for both the core platform components and the business applications workload.
KubeRocketCI uses Capsule to ensure resource isolation. It is essential to define constraints through the Capsule tenant approach. This approach serves two primary objectives: limiting the resources allocated to the KubeRocketCI components and regulating the resources utilized by each deployed environment.
To ensure isolation for the core platform components, create the edp
namespace under the Capsule tenant. Use the template provided in this instruction to create the Capsule tenant specifically for the core components.
Integration​
The following diagram outlines the general steps involved in configuring Capsule for seamless integration with KubeRocketCI. This process ensures efficient resource isolation, allowing for the deployment and management of both KubeRocketCI core platform components and business application workloads. Follow the sequential flow of the diagram to successfully integrate Capsule with the KubeRocketCI platform:
-
Capsule Installation - This initial step involves setting up Capsule on your environment.
-
Tenant Configuration - Once Capsule is installed, the next critical step is configuring the Capsule tenant. This involves defining specific parameters and constraints to regulate the allocation of resources to KubeRocketCI components.
-
Impersonation - Impersonation plays a role in managing user identities and permissions within the Capsule environment. This step ensures secure and controlled access to resources.
-
Create Namespace - The creation of a dedicated namespace under Capsule is crucial for isolating and managing the core components of the platform. This step establishes the environment where KubeRocketCI will be deployed (
edp
by default). -
Deploy KubeRocketCI - The final step involves deploying the platform within the configured Capsule environment.
Installation​
The installation procedure consists of two steps:
-
Define the namespace where KubeRocketCI will be installed in Capsule values:
values.yamlmanager:
options:
# -- Boolean, enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix, separated by a dash
forceTenantPrefix: true
# enable capsule for KubeRocketCI tenant and cd-pipeline-operator
# NOTE: Capsule cannot manage cluster system namespaces
capsuleUserGroups:
- capsule.clastix.io
# enable for cd-pipeline-operator https://github.com/epam/edp-cd-pipeline-operator/blob/release/2.17/deploy-templates/values.yaml#L10
- system:serviceaccounts:edp # edp - Namespace where KubeRocketCI will be installed.
- masters # Kubernetes group that manages the KubeRocketCI tenant.
# uncomment if Argo CD manage main KubeRocketCI tenant
#- system:serviceaccounts:argocd
# uncomment if edp-oidc-admins group manage main KubeRocketCI tenant
#- edp-oidc-admins -
To install the Capsule tool, use the Cluster Add-Ons approach. For more details, please refer to the Capsule official page.
Configuration​
After installing Capsule, the next crucial step is configuration. Follow the guidelines provided below to configure Capsule and ensure seamless integration with your system:
-
Specify the Capsule tenant configuration:
edp-tenant-example.yamlapiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
name: edp-tenant
spec:
...
owners:
- clusterRoles:
- admin
- capsule-namespace-manager
kind: Group
name: system:masters
#
# Uncomment if Argo CD manage KubeRocketCI tenant
#- clusterRoles:
# - admin
# - capsule-namespace-manager
# kind: ServiceAccount
# name: system:serviceaccount:argocd:argocd-application-controller
#
# Uncomment if edp-oidc-admins group manage KubeRocketCI tenant
#- clusterRoles:
# - admin
# - capsule-namespace-manager
# kind: Group
# name: edp-oidc-admins
...system:masters
Group that manages the KubeRocketCI tenant. Must be declared in the above configuration of thecapsuleUserGroups
.The following example includes additional specifications that can be used to manage the KubeRocketCI tenant:
Tenant configuration exampleapiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
name: edp-tenant
spec:
ingressOptions:
allowWildcardHostnames: false
allowedHostnames:
allowedRegex: ^.*example.com$ # DNSwildcard for KubeRocketCI usage
hostnameCollisionScope: Tenant
limitRanges:
items:
- limits:
# The default limits apply to each container unless otherwise specified by default
- default:
cpu: 768m
memory: 768Mi
# The default requests apply to each container unless otherwise specified by default
defaultRequest:
cpu: 256m
memory: 512Mi
type: Container
- limits:
# In case Tekton pipelines need to use volume workspaces. If use emptydir please set it to 0.
- max:
storage: 3Gi
min:
storage: 3Gi
type: PersistentVolumeClaim
# Since EDKubeRocketCIP uses one namespace, the namespace quota is set to 1
namespaceOptions:
quota: 1
networkPolicies:
items:
- ingress:
- from:
- namespaceSelector:
matchLabels:
capsule.clastix.io/tenant: edp-tenant
- podSelector: {}
- ipBlock:
cidr: 172.32.0.0/16
podSelector: {}
policyTypes:
- Ingress
# Default KubeRocketCI admins group to make admin users tenant owners
owners:
- clusterRoles:
- admin
- capsule-namespace-manager
kind: Group
name: system:masters
#
# Uncomment if Argo CD manage main KubeRocketCI tenant
#- clusterRoles:
# - admin
# - capsule-namespace-manager
# kind: ServiceAccount
# name: system:serviceaccount:argocd:argocd-application-controller
#
# Uncomment if edp-oidc-admins group manage main KubeRocketCI tenant
#- clusterRoles:
# - admin
# - capsule-namespace-manager
# kind: Group
# name: sandbox-oidc-cluster-admins
resourceQuotas:
items:
# The maximum CPU and Memory capacity for the KubeRocketCI tenant
- hard:
limits.cpu: '2'
limits.memory: 2Gi
# The maximum number of pods that can be deployed within a namespace
- hard:
pods: '15'
scope: Tenant
serviceOptions:
# Enable the capabilities to create ClusterIP service types only
allowedServices:
externalName: false
loadBalancer: false
nodePort: false -
To install the Capsule tenant, use the Cluster Add-Ons approach.
-
Create namespace for the KubeRocketCI tenant:
-
Log in as a
system:masters
member and create a namespace for platform deployment under the Capsule tenant using the following command:kubectl create namespace edp
-
To ensure that the
edp
namespace is successfully created under the Capsule tenant, you can verify the status of the Capsule tenant using the following command:kubectl get tenant edp-tenant -o yaml
Expected output:
...
status:
namespaces:
- edp
size: 1
state: Active
-
-
Enable Capsule in the values.yaml file to make it possible to manage deployable environments:
values.yamlcd-pipeline-operator:
tenancyEngine: "capsule"
By following these instructions, Capsule policies are utilized to manage the KubeRocketCI core components and deployable environments. By adhering to these guidelines, you should successfully install KubeRocketCI with Capsule enabled as the tenancyEngine
.