Note: HNC v0.9.0 and later are now available from our new repo. This repo will no longer be updated with the latest HNC releases.
HNC v0.8.0 fixes some minor issues with Exceptions, improves the stability of your cluster by protecting critical system namespaces, and adds support for the latest versions of Kubernetes.
Installing
WARNING: if your cluster already has HNC installed, please ensure you are using HNC v0.7.0 or later.
You can install or upgrade HNC on your cluster using the following commands (admin privileges required):
# Select the latest version of HNC
HNC_VERSION=v0.8.0
# Forbid HNC from modifying system namespaces
kubectl label ns kube-system hnc.x-k8s.io/excluded-namespace=true --overwrite
kubectl label ns kube-public hnc.x-k8s.io/excluded-namespace=true --overwrite
kubectl label ns kube-node-lease hnc.x-k8s.io/excluded-namespace=true --overwrite
# Install HNC. Afterwards, wait up to 30s for HNC to refresh the certificates on its webhooks.
kubectl apply -f https://github.com/kubernetes-sigs/multi-tenancy/releases/download/hnc-${HNC_VERSION}/hnc-manager.yaml
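A preflight check for the exclusion labels set above, as an added example that is not part of the HNC release notes or the project's own tooling: it reads a namespace listing and prints any of the three system namespaces that still lack `hnc.x-k8s.io/excluded-namespace=true`. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Namespaces the install steps label as excluded from HNC.
REQUIRED_NS="kube-system kube-public kube-node-lease"
EXCLUDE_LABEL="hnc.x-k8s.io/excluded-namespace=true"

# Reads `kubectl get ns --show-labels --no-headers` output on stdin and prints
# each required namespace that is absent from the listing or lacks the label.
missing_exclusions() {
  awk -v required="$REQUIRED_NS" -v want="$EXCLUDE_LABEL" '
    {
      # Column 1 is the namespace name, column 4 the comma-separated labels.
      n = split($4, labels, ",")
      for (i = 1; i <= n; i++)
        if (labels[i] == want) excluded[$1] = 1
    }
    END {
      m = split(required, names, " ")
      for (i = 1; i <= m; i++)
        if (!(names[i] in excluded)) print names[i]
    }'
}

# Constructed sample listing: kube-public carries the label with the wrong
# value and kube-node-lease has no labels at all.
sample_listing() {
  cat <<'EOF'
default           Active   12d   <none>
kube-node-lease   Active   12d   <none>
kube-public       Active   12d   hnc.x-k8s.io/excluded-namespace=false
kube-system       Active   12d   hnc.x-k8s.io/excluded-namespace=true,team=platform
EOF
}

# Against a live cluster (not run here):
#   kubectl get ns --show-labels --no-headers | missing_exclusions
sample_listing | missing_exclusions
```

An empty result means all three namespaces are excluded and the manifest can be applied.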
To install the kubectl plugin on your workstation, either use Krew or install manually:
- Via Krew: Install Krew if you don't have it already, then run the command below. Krew now installs HNC v0.9.0 or later.

      kubectl krew install hns

- Manually: Switch to any directory in your PATH (e.g. ~/bin) and run the following commands:

      HNC_VERSION=v0.8.0
      HNC_PLATFORM=linux_amd64 # also supported: darwin_amd64
      curl -L https://github.com/kubernetes-sigs/multi-tenancy/releases/download/hnc-${HNC_VERSION}/kubectl-hns_${HNC_PLATFORM} -o ./kubectl-hns
      chmod +x ./kubectl-hns
      # Ensure the plugin is working
      kubectl hns
      # The help text should be displayed

For more instructions, see the user guide.
Known issues
- Tree labels can be briefly modified before HNC resets them (#1494)
- Annotations can be added to propagated objects (#1500)
- HNC is broken on K8s 1.22 (kubernetes-sigs/hierarchical-namespaces#86)
Changelog
Since HNC v0.7
- Exceptions were not correctly reapplied if the labels were changed on a namespace (#1448)
- Updated all dependencies to use v1 CRD and v1 webhooks to support newer versions of Kubernetes (#1270, #1371)
- Exclude HNC from critical system namespaces (#1023)
- Built-in admin clusterrole now includes permissions to modify all HNC objects, including subnamespace anchors and hierarchy configs (#1341)
- HNC can now propagate cluster-admin rolebindings in namespaces (#1311)
Testing signoff
Target | Tests | By | When | Result |
---|---|---|---|---|
KIND 1.20 | make test-e2e | @adrianludwin | apr 29 | passed (as RC1) |
GKE 1.19 (rapid channel) | " | @adrianludwin | apr 30 | passed |
GKE 1.18 (regular channel) | " | @adrianludwin | apr 29 | passed (as RC1) |
GKE 1.17 (stable channel) | " | @adrianludwin | apr 29 | passed (as RC1) |
GKE 1.19 (rapid channel) | Upgrade from v0.7.0 | @adrianludwin | apr 29 | subns creation worked before and after; verified admin cluster role includes HNC permissions (as RC1) |