diff --git a/docs/docs-content/clusters/cluster-management/backup-restore/backup-restore.md b/docs/docs-content/clusters/cluster-management/backup-restore/backup-restore.md index ee8a318c0a..885eba1b69 100644 --- a/docs/docs-content/clusters/cluster-management/backup-restore/backup-restore.md +++ b/docs/docs-content/clusters/cluster-management/backup-restore/backup-restore.md @@ -42,8 +42,9 @@ To get started with creating a backup, check out the :::info -If you are using a workspace, refer to the [Manage Palette Workspace](../../../workspace/workload-features.md) guide to -learn more about backup and restore actions for a workspace. +If you are using a workspace, refer to the +[Manage Palette Workspace](../../../workspace/workspace-mgmt/workspace-mgmt.md) guide to learn more about workspace +backup and restore actions. ::: diff --git a/docs/docs-content/vm-management/rbac/vm-roles-permissions.md b/docs/docs-content/vm-management/rbac/vm-roles-permissions.md index f42aac7b13..e2180a1232 100644 --- a/docs/docs-content/vm-management/rbac/vm-roles-permissions.md +++ b/docs/docs-content/vm-management/rbac/vm-roles-permissions.md @@ -37,7 +37,4 @@ to specify bindings to configure granular Role-Based Access Control (RBAC) rules You can configure namespaces and RBAC from within a cluster or from a Palette workspace that contains a cluster group. In a cluster group, all RoleBindings must occur at the namespace level. For details, review the [Cluster RBAC](../../clusters/cluster-management/cluster-rbac.md) and -[workspace RBAC](../../workspace/workspace.md#role-based-access-controlrbac) guides. - -Palette leverages Regex Pattern matching so you can select multiple namespaces to apply role bindings. Check out -[Regex for Namespaces](../../workspace/workload-features.md#regex-for-namespaces) to learn more. +[workspace RBAC](../../workspace/workspace-mgmt/configure-rbac.md) guides. diff --git a/docs/docs-content/workspace/adding-a-new-workspace.md b/docs/docs-content/workspace/adding-a-new-workspace.md index 0f22cd824b..2beec35090 100644 --- a/docs/docs-content/workspace/adding-a-new-workspace.md +++ b/docs/docs-content/workspace/adding-a-new-workspace.md @@ -1,72 +1,136 @@ --- -sidebar_label: "Adding a Workspace" -title: "Adding a workspace" -description: "How to create multi-cluster workspace in Palette" +sidebar_label: "Create a Workspace" +title: "Create a Workspace" +description: "How to create a multi-cluster workspace in Palette." icon: "" hide_table_of_contents: false sidebar_position: 0 tags: ["workspace"] --- -Palette enables multi-cluster management and governance capabilities by introducing Workspaces. This section explains -how a workspace can be created in the Palette console. +Palette enables multi-cluster management and governance capabilities by introducing workspaces. This page teaches you +how to create a workspace in Palette. All workspace settings can be updated after creation. ## Prerequisites -- One or more running workload clusters within the project. -- Cluster must not be imported with read-only mode. -- RBAC should not be set at cluster level but to be included at workspace level. -- Palette Virtual Clusters cannot be part of the workspace. +- One or more active workload clusters within the project where the workspace is to be created. The clusters cannot be + imported in read-only mode. Palette virtual clusters also cannot be part of a workspace. +- You have the permission to create workspaces. For more information, refer to + [Permissions](../user-management/palette-rbac/permissions.md). ## Create Your Workspace -1. Add the Basic Information Provide the basic information for the workspace such as: +1. Log in to [Palette](https://console.spectrocloud.com). - - Unique Name - - Optional Description - - Optional Tag +2. In the **Drop-Down Menu** at the top of the page, choose the project you want to create the workspace in. Workspaces + are always scoped to a project. -2. Associate Clusters +3. On the left **Main Menu**, click **Workspaces**. Then click **New Workspace**. - - Select the clusters to be added to the workspace. (See [New Clusters](../clusters/clusters.md) to learn how to add - a new Cluster.) Palette clusters, as well as brownfield clusters, can be added to your workspace. +4. Provide the basic information for the workspace. - - Configure the Cluster Role Binding (optional). Role bindings can be created on all workspace clusters. + - **Name**: The workspace name must be unique in the project. + - **Description**: An optional description for the workspace. + - **Tag**: Optional tags for the workspace. - - As step 2 of the new Workspace creation, select **Add Cluster Role Binding**. - - Provide the name of the role for which the cluster role binding needs to be created. The role should be - pre-existing or an in-built system role. Palette does not create cluster roles. - - Subjects for the cluster role binding can be groups, users, or service accounts. + When you are finished, click **Next**. - | **Subject Type** | **Subject Name** | **Subject Namespace** | - | ------------------- | ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | - | **User** | a valid path segment name | NA | - | **Group** | a valid path segment name | NA | - | **Service Account** | a valid path segment name | Granting super-user access to all service accounts
cluster-wide is strongly discouraged. Hence, grant a
role to all service accounts in a namespace. | +5. Choose clusters you want to include in the workspace. A cluster may be included in multiple workspaces. Refer to + [Create a Cluster](../clusters/clusters.md) to learn how to add a new cluster. -3. Associate Namespaces +6. On the **Clusters** page, you can optionally create cluster role bindings. To create a new cluster role binding, + click **Add New Binding**. Enter the name of the cluster role you want to reference in the cluster role binding. - - Enter one or more namespaces that need to be part of the workspace. The combination of workspace and cluster is - unique across workspaces in a project. Palette ensures that all the namespaces are created for all the clusters in - the workspaces, in case they are not pre-existing. + After specifying the role, you need to specify the subject to which the cluster role binding is applied to. Select + the subject type and then enter the name of the subject. The name of the subject must be the same as it is defined in + the cluster. - - Add the resource quota for the namespaces by specifying CPU and Memory limits (optional). + :::info - - Configure the Role Binding (optional). The following information is required for each role binding: - - Select a namespace name or the Regex for namespaces for selecting multiple namespaces. - - Specific name for the role which is pre-existing - - Make the selection of Subjects from the dropdown list (User, Group, or ServiceAccount). For the subject selected, - provide a valid path segment name. For the subject, ServiceAccount select namespace name as granting super-user - access to all service accounts cluster-wide is strongly discouraged due to security concerns. - - Confirm the information provided to complete the configuration of role binding. + Unlike Palette RBAC, the users you reference here are Kubernetes user objects in the cluster, not users in your + Palette environment. -4. Settings + ::: - - [Schedule Backups](../clusters/cluster-management/backup-restore/backup-restore.md) - set the backup and restore - policies. - - [Container Image](workload-features.md#restrict-container-images-to-a-workspace) - list out the container images to - be restricted within a Workspace namespace. + While this action will create the same role binding across all the clusters that are part of the workspace, it does + not define the cluster role nor the subject the role is bound to. You need to define the role yourself in each + cluster as well as define the subject the role is bound to. Otherwise, the cluster role binding will not have any + effect. -## Validation + :::info -Review and finish the configuration and complete the deployment. + If the cluster role in each cluster has different permissions, then the subjects that the role is bound to will also + have different permissions across clusters, even though they have the same cluster role binding. The same applies to + namespace-scoped role bindings defined in the next step. + + ::: + +7. Enter the namespaces you want to include in the workspace. If a cluster that is part of your workspace has that + namespace, the namespace and all resources that are scoped within it will be included in the workspace. If any + cluster in the workspace is missing the namespace you entered, the namespace will be created on that cluster. + + You must use the names of the namespaces exactly, not regular expressions. The regular expression entries are only + used for creating role bindings in a later step. + +8. After selecting the namespaces, you can specify resource limits that the workspace is allowed to consume in the + **Workspace Quota** section. The **Maximum CPU** and **Maximum Memory** allow you to specif the maximum amount of CPU + cores and memory that all resources in the entire workspace are allowed to consume. + +9. You may also specify resource limits on specific namespaces. + + For example, if you have two clusters, `cluster1` and `cluster2`, and they each have a namespace called `default`. If + you impose a 2 Gi memory limit on the namespace default, then the `default` namespace in both clusters will be able + to consume 2 Gi memory each. For more information about resource quotas, refer to + [Resource Management](./workspace-mgmt/resource-mgmt.md). + + You must ensure that the namespaced limits, when added together, do not exceed the total workspace limit you + configured. If you impose a workspace quota of 4 Gi memory for a two-cluster workspace, then a namespace cannot have + more than 2 Gi of memory as its limit, since there are two such namespaces in the workspace and both of them added + together are allowed 4 Gi of memory. + +10. On the same **Namsespaces** page, you can optionally configure role bindings. When you configure a role binding for + a namespace, you are configuring the same role binding in that namespace in every cluster. Like in Kubernetes, you + can use either a role or a cluster role in a role binding. Similar to cluster role bindings, this action does not + create the roles or the subject for you. You must ensure that the corresponding role and subject referenced in the + role binding exists in the namespaces you configured. + + You can use Regular Expressions (regex) to create role bindings in multiple namespaces that match a certain pattern. + To do so, enter the regex in the namespace field. For example, `/palette-.*/` will match all namespaces that start + with `palette-`. When creating the role binding, you can select the regex as the namespace. + + :::info + + Regex entries in the **Namespaces** field do not add the namespaces that match the regex to the workspace. You will + not be able to monitor resource usage, impose resource limits, or create backups unless you specifically add a + namespace by its name. + + ::: + + When you are finished, click **Next**. + +11. In the **Setting** page, you can schedule backups for select namespaces. These backups are created for each cluster + in the workspace. + + Like cluster backups in Palette, restoring a backup requires the source cluster to be available. When you restore a + backup, the namespaces that are backed up are restored to each cluster in the workspace. If you delete a cluster + from the workspace, that cluster's backup will not be restored. + + For more information about backups, refer to + [Backup and Restore](../clusters/cluster-management/backup-restore/backup-restore.md). + +12. Lastly, you can restrict certain container images from being loaded in the namespaces that are managed by the + workspace. To restrict images from being loaded by resources in a namespace, click **Add New Container Image**. + Select a namespace you want to restrict the image in, and enter the image URLs in a comma-separated list. When you + are done, click **Next**. + +13. Review your configurations and click **Finish Configuration** to create the workspace. + +## Validate + +1. Log in to [Palette](https://console.spectrocloud.com). + +2. In the **drop-down Menu** at the top of the page, choose the project you created the workspace in. + +3. On the left **Main Menu**, click **Workspaces**. + +4. Confirm the workspace has been created with the right configurations. diff --git a/docs/docs-content/workspace/workload-features.md b/docs/docs-content/workspace/workload-features.md deleted file mode 100644 index bfb990561e..0000000000 --- a/docs/docs-content/workspace/workload-features.md +++ /dev/null @@ -1,545 +0,0 @@ ---- -sidebar_label: "Workspace Management" -title: "The additional features to optimize workspace performance" -description: "How to get unified view of workloads in logically grouped namespaces and clusters" -icon: "" -hide_table_of_contents: false -sidebar_position: 10 -tags: ["workspace"] ---- - -# Manage Palette Workspace - -Palette supports several day 2 operations to manage the end-to-end lifecycle of the Kubernetes clusters through -Workspaces. It also provides several capabilities across new and imported clusters to keep your clusters secure, -compliant, up to date, and perform ongoing management operations like Backup and Restore. Additionally, you can have -visibility into the workloads running inside your cluster and cluster costs. - -The following sections describe these capabilities in detail: - - - - -## Workload Visibility - -Workspace provides visibility into workloads deployed across clusters. - -| **Resource** | **Description availed from Workspace** | -| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| **Namespaces** | Cluster Specific namespaces with CPU and Memory utilization. | -| **Pods** | Lists all the pods running on a particular namespace with cluster names with the detailed health status, age, and resource utilization of each of them. | -| **Deployments** | All the running deployments specific to clusters belonging to the Workspace with namespace to which these deployments belong, pods details, replicas, and age are enumerated | -| **DaemonSets** | DaemonSet resource utilization is described, with details on namespaces, pods, and age of individual Daemon sets | -| **StatefulSets** | All the active StatefulSets specific to clusters belonging to the Workspace with corresponding namespace, pods details, replicas, and age are enumerated | -| **Jobs** | A Job creates one or more Pods and will continue to retry execution of the Pods until a specified number of them successfully terminate. | -| **CronJobs** | Cron Jobs are regularly scheduled actions or jobs such as backups, report generation, etc. Each of these jobs will recur as scheduled. | -| **RoleBinding** | A role binding grants the permissions defined in a role to a user or set of users. | -| **ClusterRoleBinding** | A Cluster Role binding defines the permissions defined across a cluster. | - - - - - -## Workspace Backup and Restore - -Palette users can create cluster backups from within a workspace (usually consisting of multiple clusters) and restore -them later time as desired. Palette allows granular controls within a workspace for users to perform specific tasks -within the workspace, without having the ability to update workspace details. To provide granular access within a -workspace for specific actions, Palette provides the following two Roles: - -## Workspace Operator - -Users assigned the **Workspace Operator** Role can only perform Backup and Restore actions within the Workspace. - -## Workspace Admin - -A Role that has all administrative permissions and privileges within the Workspace. - -## Create your Workspace Roles - -To create your **Workspace Role**, follow the steps below: - -1. Log in to the Palette Management Console as **Tenant Admin**. - -2. Go to the **Users and Teams** option. - -3. From the listed users, select the user to be assigned with Workspace Roles. Check out the - [Create a User](../user-management/users-and-teams/create-user.md) guide to learn how to create a user. - -4. Select the **Workspace Roles** tab and click **+ New Workspace Role** to create a new role. - -5. Fill the following information into the **Add Roles to User-Name** wizard: - - - Project - - Workspace - - Choose the role from the options: - - Workspace Admin - - Workspace Operator - -6. Confirm the information provided to complete the wizard. - -7. The user set with the Workspace Role can take Workspace-wide Backups and Restores in compliance with their - permissions and privileges. - -Palette leverages the BackUps to the following locations: - -- Amazon Web Services (AWS) S3 Buckets: [Prerequisites](#for-an-amazon-web-services-aws-bucket-as-backup-location), - [Configure your Backup](#configure-your-backup-in-aws-s3) - -- Google Cloud Platform (GCP) Buckets: [Prerequisites](#for-a-google-cloud-platform-gcp-backup-location), - [Configure your Backup](#configure-your-backup-in-gcp-bucket) - -- MinIO S3 Buckets: [Prerequisites](#for-minio-s3-backup), [Configure your Backup](#configure-your-backup-in-minio) - -- Azure Blob: [Prerequisites](#for-azure-blob-backup), - [Configure your Backup](#configure-your-backup-in-azure-azure-blob) - -## Prerequisites - -### For an Amazon Web Services (AWS) Bucket as Backup Location - -- The AWS S3 permissions listed in the next section need to be configured in the AWS account to provision Backup through - Palette. - -- Pre-create a bucket at the AWS or MinIO object-store. - -### For a Google Cloud Platform (GCP) Backup Location - -- GCP service account with a **Storage Admin** role. - -- Pre-create a bucket at the GCP object storage. - -### For MinIO S3 Backup - -- S3 bucket with Read/Write Access - -- A unique access key (username) and corresponding secret key (password) from MinIO Console. - -- Service provider certificate (Optional) - -### For Azure Blob Backup - -- An active Azure cloud account with the following pieces of information noted down: - - - Tenant Id - - Client Id - - Subscription Id - - Client Secret created - -- An - [Azure storage account](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal) - created with the following information to be noted down for Palette use: - - - Storage Name: Custom name given to the Azure storage created. - - Stock-keeping unit - -- A container to be created in the Azure Storage account - -## Backup Locations - -AWS Simple Cloud Storage (S3) and other S3 compliant object stores such as MinIO and GCP Buckets are currently supported -as backup locations. These locations can be configured and managed under the **Project** > **Settings** option and can -be selected as a backup location, while backing up any cluster in the project. - -### Configure your Backup in AWS S3 - -The following details are required to configure a backup location in AWS: - -1. **Location Name** - Name of your choice. - -2. **Location Provider** - AWS (This is currently the only choice on the UI. Choose this option when backing up to AWS - S3 or any S3 compliance object store). - -3. **Certificate** - Required for MinIO. - -4. **S3 Bucket** - S3 bucket name must be pre-created on the object-store. - -5. **Configuration** - region=\{region-name},s3ForcePathStyle=\{true/false},s3Url=\{S3 URL}. S3 URL need not be provided - for AWS S3. - -6. **Account Information** - Details of the account which hosts the S3 bucket to be specified as Credentials or STS. - - - Credentials - Provide access key and secret key. - - STS - Provide the ARN and External ID of the IAM role that has permission to perform all S3 operations. The STS - role provided in the backup location should have a trust set up with the account used to launch the cluster itself - and should have the permission to assume the role. - -7. Palette mandates the AWS S3 Permissions while users use the static role to provision worker nodes. - - #### AWS S3 Permissions - - ```json - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:DescribeVolumes", - "ec2:DescribeSnapshots", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:CreateSnapshot", - "ec2:DeleteSnapshot" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "s3:GetObject", - "s3:DeleteObject", - "s3:PutObject", - "s3:AbortMultipartUpload", - "s3:ListMultipartUploadParts" - ], - "Resource": ["arn:aws:s3:::BUCKET-NAME/*"] - }, - { - "Effect": "Allow", - "Action": ["s3:ListBucket"], - "Resource": ["arn:aws:s3:::BUCKET-NAME"] - } - ] - } - ``` - - #### Trust Setup Example - - ```json - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::141912899XX99:root" - }, - "Action": "sts:AssumeRole", - "Condition": {} - } - ] - } - ``` - -## Configure your Backup in GCP Bucket - -These locations can be configured and managed from the **Settings** option under **Project** and can be selected as a -backup location while backing up any cluster in the project. - -The following details are required to configure a backup location in GCP: - -1. **Location Name** - Name of your choice. - -2. **Location Provider** - Google Cloud (Choose this option when backing up to the GCP bucket object store). - -3. **Bucket** - The name of the bucket name pre-created on the object store. - -4. **JSON Credentials** - For external authentication of the GCP storage. - -## Configure your Backup in MinIO - -The following details are required to configure a backup location in AWS: - -1. **Location Name**: Name of your choice. - -2. **Location Provider**: Minio - -3. **Certificate**: Optionally required for MinIO. - -4. **S3 Bucket**: S3 bucket name must be pre-created on the MinIO object-store. - -5. **Region**: Region in which the S3 bucket is created. Example: us-east-1 - -6. **S3 URL**: Url of the MinIO object storage console. Example: `http://12.123.234.567:0000` - -7. **Force S3 path style** : To force S3 pathstyle addressing or else the url will be converted to virtual-hosted style - addressing with bucket name appended to the url.This is an optional setting. - -8. **Authenticate** using MinIo access key and secret access key. - -9. Click **Create** to complete the location creation wizard. - -## Configure your Backup in Azure: Azure Blob - -The following details are required to configure a backup location in Azure: - -1. **Location Name**: A custom name for the storage location getting created. - -2. **Location Provider:** Select **Azure** from the drop-down. - -3. **Container Name:** The container created in Azure Storage. - -4. **Storage Name**: Name of the Azure storage created. - -5. **Stock-Keeping Unit**: Information from the Azure storage. - -6. **Resource Group:** Azure Resource Group name - -7. **Tenant ID:** Azure Account Credential. - -8. **Client ID:** Azure Account Credential. - -9. **Subscription ID**: Azure Account Credential. - -10. **Client Secret:** Secret created in the Azure console needs to be validated. - -11. Click **Create** to complete the location creation wizard. - -## Add a Backup Location - -Go to **Project Settings** > **Backup locations** > **Add a New Backup location**. - -## Create a Workspace Backup - -Backups can be scheduled or initiated in an on demand basis, during the workspace creation. The following information is -required for configuring a Workspace Backup, on demand- - -1. **Backup Prefix / Backup Name**: For scheduled backup, a name will be generated internally, add a prefix of our - choice to append with the generated name. For an on demand backup, a name of user choice can be used. - -2. Select the Backup location. - -3. **Backup Schedule** - Create a backup schedule of your choice from the dropdown list, applicable only to scheduled - backups. - -4. **Expiry Date** - Select an expiry date for the backups. The backup will be automatically removed on the expiry date. - -5. **Include all disks** - Optionally, backup persistent disks as part of the backup. - -6. **Include Cluster Resources** - Select or deselect on your choice. - - | On Demand Backup | - | ------------------------------------------------------------------------ | - | Select the **Workspace to Backup** > **Settings** > **Schedule Backups** | - - | Scheduled Backup | - | ----------------------------------------------------------- | - | **Workspace Creation** > **Policies** > **Backup Policies** | - -## Backup Scheduling Options - -Both the cluster and workspace backup support the following scheduling options: - -- Customize your backup for the exact month, day, hour, and minute of the user's choice. -- Every week on Sunday at midnight -- Every two weeks at midnight -- Every month on the 1st at midnight -- Every two months on the 1st at midnight - -## Restore a Backup - -Backups created manually or as part of the schedule are listed under the Backup/Restore page of the cluster. - -1. Restore operation can be initiated by selecting the restore option for a specific backup. - -2. Next, you will be prompted to select a target cluster where you would like the backup to be restored. The progress of - the restore operation can be tracked from the target cluster's Backup/Restore page. - -3. Finally, restore operations can be done to the cluster running on the same project. - -## Restore Your Backup - -To initiate a restore operation: - -1. Log in to the Palette console as the **Project Admin** and go to **Workspaces** page. - -2. Select the **Workspace Name** to be restored. - -3. From the selected Workspace overview, select **Backups** from the top menu. - -4. The Backup option lists all the backups scheduled for the selected Workspace. Towards the name of the backup, click - the meatball (three horizontal dots) button to open the restore wizard. - -5. Click on the **Restore Backup** option to complete the wizard: - - - Choose of the namespaces to be restored - - Three options are available to filter the resources to be restored: - - - **Include Cluster Resources** - To restore all the cluster scoped resources. - - **Preserve Node Ports** - To preserve ports for node port service running in the cluster. - - **Restore PVs** - To restore the persistent volumes. - -
- - :::tip - - Check **Include Cluster Resource** and **Restore PVs** options together. - - ::: - -6. Make the appropriate choice of resources as per user requirements to complete the wizard. - -
- - - -## Workspace Quota - -Palette enables the users to limit resource usage within the workspace optionally. The Quota is specified in terms of -the maximum CPU and memory. Therefore, the resource utilization within the namespace should be below the Quota allocated -across all the clusters. - -## To set your Resource Quota: - -1. During [Step: 3 Associate Namespaces](./adding-a-new-workspace.md#create-your-workspace) of Namespace creation, - **Workspace Quota** can be set by giving the **Maximum CPU** and **Maximum Memory**. Then, all the clusters launched - within the Namespace can use the set Quota. - -2. Namespace Quota can be set for an already deployed workspace as: - `Workspace Settings -> Namespaces -> Workspace Quota` - -### Workspace Quota Notes: - -- The quota allocated to the workspace scope is split across all the namespaces under that workspace per their resource - requirements. - -- The palette allows quotas to be allocated to individual namespaces under a specific workspace. In that case, - individual clusters belonging to that namespace can utilize the quota per their resource requirements. When a - namespace is allocated with a quota, all the clusters belonging to that namespace get allocated with that resource - quota individually. - - **Example**: If Namespace palette-ns belongs to two (2) clusters, p1 and p2, and palette-ns is allocated a quota of 1 - CPU and 1 Gb memory, each of p1 and p2 gets allocated 1 CPU and 1 GB memory individually. - -- Palette allows quota to be allocated to individual clusters under a specific workspace. In that case, the allocated - quota should not exceed the namespace quota. - -- To set an unlimited quota, set the quota value as -1. - - If -1 is set as the quota for a cluster, then we cannot set a quota for the workspace to which the cluster belongs. - - If -1 is set as the quota for a Workspace, then we cannot set a quota for the clusters belonging that Workspace. - - - - -## Regex for Namespaces - -Palette leverages Regex Pattern matching to select multiple namespaces to apply Role binding concurrently. When we have -many namespaces to be configured for role binding, the user can provide a Regex pattern matching multiple namespaces -instead of giving a single namespace. This will help select all the namespaces matching the given Regex pattern to be -selected together for role binding. - -## Use Cases - -1. A Regex pattern that start and end with " / ", will select all the workspace names matching the given Regex pattern. - - **Example:** `/^palette-ns/` - -2. A Regex pattern that starts with `negation symbol(~)`, will select all the namespaces that _does not match_ with the - regex expression given. - - **Example:** `~/^(kube|cluster|capi|jet|cert)[-].+/` - - :::info - - Don't add any spaces between the `~` operator and the `expression`. - - ::: - - - - - -## Workspace Role Binding - -Workspace Role Binding is a Project scope operation. There are two available options for setting up Roll Binding for a -Workspace: - -- **Cluster** to create a RoleBinding with cluster-wide scope (ClusterRoleBinding). - -- **Namespaces** to create a RoleBinding within namespaces scope (RoleBinding). - -Palette users can choose role creation based on their resource requirements. - -## Configure cluster role bindings - -- Login to Palette as Project admin and select the Workspace to which the Role Binding need to configured. - -- Select Settings -> Cluster - -- Select the clusters from the workspace to Role Bind. - -- Click on “Add new binding” to open the “Add Cluster Role Binding” wizard. Fill in the following details: - - - Role Name: Define a custom role name to identify the cluster role - - Subjects: Subjects are a group of users, services, or teams using the Kubernetes API. It defines the operations a - user, service, or a team can perform. There are three types of subjects: - - Subject Type: - - Users: These are global and meant for humans or processes living outside the cluster. - - Groups: Set of users. - - Service Accounts: Kubernetes uses service accounts to authenticate and authorize requests by pods to the - Kubernetes API server. These are namespaced and meant for intra-cluster processes running inside pods. - - Subject Name: Custom name to identify a subject. A single RoleBinding can have multiple subjects. - -- “Confirm” the information to complete the creation of the ClusterRoleBinding. - -## Configure role bindings: Namespace Scope - -Users can now allocate CPU and Memory [quotas](#workspace-quota) for each **namespace** at the cluster level. - -- Login to Palette as Project admin and select the Workspace to which the Role Binding need to be configured. - -- Select Cluster Settings -> Namespace. - -- Create a namespace with a custom name and add it to the list of the namespace by clicking on “add to the list”. - -- [Allocate resources](workload-features.md#workspace-quota) to the created namespace (CPU and Memory). - -- Click on “Add new binding” to open the “Add ClusterRoleBinding” wizard. Fill in the following details: - - - Namespace: Select the namespace from the drop-down Menu. The list will display the namespaces created during the - previous step. - - Role Type: Select the role type from the drop-down. Either Role or Cluster Role. - - :::info - - A RoleBinding may reference any Role in the same namespace. Alternatively, a RoleBinding can reference a ClusterRole - and bind that ClusterRole to the namespace of the RoleBinding. For example, if you want to bind a ClusterRole to all - the namespaces in your cluster, you use a ClusterRoleBinding. - - ::: - -- Role Name: Define a custom role name to identify the cluster role - -- Subjects: Subjects are a group of users, services, or teams using the Kubernetes API. It defines the operations a - user, service, or group can perform. There are three types of subjects: - - - Subject Type: - - Users: These are global, and meant for humans or processes living outside the cluster. - - Groups: Set of users. - - Service Accounts: Kubernetes uses service accounts to authenticate and authorize requests by pods to the - Kubernetes API server. These are name spaced and meant for intra-cluster processes running inside pods. - - Subject Name: Custom name to identify a subject. A single RoleBinding can have multiple subjects. - -- “Confirm” the information to complete the creation of the RoleBinding. - - - - - -## Restricted Container Images - -Palette users can restrict a few container images from getting deployed into a specific Namespace. This helps the -tenants from accidentally installing a delisted or unwanted container to that specific namespace. - -## Restrict container images to a workspace - -To restrict a container image for a particular namespace within the workspace: - -1. During [Step: 4 Settings](adding-a-new-workspace.md#create-your-workspace) of workspace creation, select the - **Container Images** tab from the left ribbon. - -2. Click on **+ Add New Container Image** and provide the **Namespace** and **Restricted Images**. Multiple images can - be restricted within a namespace by separating them with commas. - -## Restrict container images to a deployed workspace - -The user can add a list of restricted images to an already deployed workspace as: - -1. **Workspace Settings** > **Container Images** - -2. Click on **Add New Container Image** and provide the **Namespace** and **Restricted Images**. Multiple images can be - restricted within a Namespace by separating them with commas. - - -
diff --git a/docs/docs-content/workspace/workspace-mgmt/backup-restore.md b/docs/docs-content/workspace/workspace-mgmt/backup-restore.md new file mode 100644 index 0000000000..831b70a61b --- /dev/null +++ b/docs/docs-content/workspace/workspace-mgmt/backup-restore.md @@ -0,0 +1,157 @@ +--- +sidebar_label: Backup and Restore +title: Backup and Restore +description: "Learn how to configure backup and restore for your workspaces." +hide_table_of_contents: false +sidebar_position: 30 +tags: ["workspace"] +--- + +Palette allows you to create backups at the workspace-level. A workspace backup may include any or all namespaces +included in the workspace, across every cluster in the workspace. The backup feature for workspaces uses the same +Velero-based approach as regular cluster backups and are subject to the same limitations. For more information, refer to +[Cluster Backup and Restore](../../clusters/cluster-management/backup-restore/backup-restore.md). + +The backup files will be stored in a backup location you configure. Each cluster will have its own backup files. When +you delete a workspace, the backup files will not be deleted. + +## Create a Workspace Backup + +Backing up a workspace creates a backup file for every cluster in your workspace. Each cluster backup file will contain +all Kubernetes objects as well as volumes in the namespaces selected. + +### Prerequisites + +- You have configured at least one backup location for cluster backups. Refer to + [Add Backup Location using Static Credentials](../../clusters/cluster-management/backup-restore/add-backup-location-static.md). + +- You are logged in as a Palette user that has the permission to back up workspaces. For more information, refer to + [Permissions](../../user-management/palette-rbac/permissions.md). + +- The clusters in the workspace you want to backup are healthy and available. Unhealthy clusters will not be backed up. + + +- If you want to include volume snapshots in the backup, ensure that your CSI driver supports volume snapshots. For more + information about volume support, review the CSI pack README for your CSI driver in use. Refer to the [Volume Snapshots](../../clusters/cluster-management/backup-restore/backup-restore.md#volume-snapshots) section for more information. + + :::warning + + Ensure that `manifests.volume-snapshot-class.deletionPolicy` is set to the `Retain` value if you have configured as a layer in your cluster profile. This setting allows volume snapshot content to be retained when volume snapshots are deleted, facilitating backup and restore functionality. + + ```yaml hideClipboard {5} + volume-snapshot-class: + create: true + name: "spectro-volume-snapshot-class" + driver: "" + deletionPolicy: "Retain" + ``` + + Additionally, you must add the following snippet under the `manifests.volume-snapshot-class` field if you are using as your CSI layer on a cluster deployed to a MAAS environment. These labels ensure that the pack installs correctly. + + ```yaml + extraLabels: + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/warn: privileged + ``` + + ::: + +### Procedure + +1. Log in to [Palette](https://console.spectrocloud.com). + +2. In the **drop-down Menu** at the top of the page, choose the project that has your workspace. + +3. On the left **Main Menu**, click **Workspaces**. + +4. Click on the workspace you want to back up. + +5. Click **Settings** in the upper-right corner. + +6. Click **Schedule backups**. + +7. Fill in the following basic information about your scheduled backups. + + | Parameter | Description | + | ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | + | Backup prefix | The prefix to your backup file names. | + | Select backup location | Select a location to store your backup files. | + | Backup schedule | Configure a schedule for your backups. | + | Select expiry | The period for which your backup files are kept. Backup files past the expiry date are deleted automatically. | + | Include all disks | Select this checkbox if you want to include all the disks in the backup. | + | Include cluster-wide resources | Cluster wide resources are resources that are not namespaced but are scoped to the whole cluster, such as cluster roles. **Auto** option includes persistent volumes that are linked to claims within the selected namespaces, but exclude other cluster-wide resources. | + +8. Enter the namespaces you want to back up. + +9. Select the clusters you want to back up. + +10. Click **Save Changes**. + +The backup process will take some time ranging from 15 minutes to hours depending on the scope of the backup. + +### Validate + +1. Log in to [Palette](https://console.spectrocloud.com). + +2. In the **drop-down Menu** at the top of the page, choose the project that has your workspace. + +3. On the left **Main Menu**, click **Workspaces**. + +4. Click on the workspace you backed up. + +5. Click on the **Backups** tab. + +6. Confirm that your backup is in progress or completed. + +## Restore a Workspace Backup + +Restoring a workspace will restore the selected namespaces in every cluster that is currently in the workspace to the +same state from which the backup was created. The clusters being restored must be healthy and reachable, because the +restore process relies on access to the Kubernetes API. If you have deleted a cluster from the workspace, the deleted +cluster will not be restored. + +### Prerequisites + +- You have created a backup file for the workspace. + +- You are logged in as a Palette user that has the permission to restore workspaces. For more information, refer to + [Permissions](../../user-management/palette-rbac/permissions.md). + +- The clusters you want to restore are healthy and available. + +### Procedure + +1. Log in to [Palette](https://console.spectrocloud.com). + +2. In the **drop-down Menu** at the top of the page, choose the project that has your workspace. + +3. On the left **Main Menu**, click **Workspaces**. + +4. Click on the workspace you want to restore. + +5. Click on **Backups** to switch to the backup tab. + +6. Click on a backup file you want to restore from. + +7. You have the following options for restoring the backup. + + | Option | Description | + | ------------------------- | ------------------------------------------------------------------------- | + | Include Cluster Resources | Check the box to restore all the cluster scoped resources. | + | Preserve Node Ports | Check the box to preserve ports for the node port service in the cluster. | + | Restore PVs | Check the box to restore the persistent volumes. | + +8. Click **Restore Backup**. + +### Validate + +1. Log in to [Palette](https://console.spectrocloud.com). + +2. In the **drop-down Menu** at the top of the page, choose the project that has your workspace. + +3. On the left **Main Menu**, click **Workspaces**. + +4. Click on the workspace you restored. + +5. Ensure that the result of the restore was successful. diff --git a/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md b/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md new file mode 100644 index 0000000000..46bea51dd4 --- /dev/null +++ b/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md @@ -0,0 +1,159 @@ +--- +sidebar_label: "Configure RBAC in Workspaces" +title: "Configure RBAC in Workspaces" +description: "Learn how to configure RBAC in workspaces." +hide_table_of_contents: false +sidebar_position: 0 +tags: ["workspace", "rbac"] +--- + +Workspaces extends Kubernetes' native Role-Based Access Control (RBAC) model to allow you to create role bindings and +cluster role bindings at the workspace level, unifying authorization across different clusters. This page teaches you +how to create workspace-level role bindings and cluster role bindings. + +RBAC in workspaces is distinct from Palette RBAC. Palette RBAC regulates access to Palette resources such as clusters, +workspaces, and Edge hosts and its subjects are Palette users. Workspace RBAC is an extension of Kubernetes' native RBAC +model. It regulates access to Kubernetes objects in the clusters encompassed by the workspace, and its subjects are +Kubernetes users, groups, and service accounts. + +| | Workspace RBAC | Palette RBAC | +| --------------------- | -------------------------------------------------------- | -------------------------------------------------------- | +| Access control domain | Kubernetes API objects in the clusters in the workspace. | Palette resources. | +| Subjects | Kubernetes users, groups, and service accounts. | Palette users and teams. | +| Example resources | ConfigMaps, Secrets, Pods, StatefulSets, etc. | Cluster profiles, clusters, workspaces, Edge hosts, etc. | + +Because workspace RBAC is built on top of Kubernetes RBAC, we recommend you becoming familiar with Kubernetes' RBAC +model before using workspace RBAC. For more information about RBAC in Kubernetes, refer to the +[Kubernetes Documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/). + +## Create Workspace-Level Role Bindings + +By creating a workspace-level role binding, you create role bindings in all clusters in the workspace in the namespaces +you choose. You can also use Regular Expressions (regex) to create role bindings in all namespaces that match the regex. + +For example, if you create a role binding that binds the cluster role `podReader` to the service account +`podReaderAccount` in the `default` namespace, every cluster in your workspace will get a role binding that binds the +cluster role `podReader` to the service account `podReaderAccount` in that cluster's `default` namespace. + +### Prerequisites + +- An existing workspace. Refer to [Create a Workspace](../adding-a-new-workspace.md) to learn how to create a workspace. + +- You are logged in as a Palette user that has the permission to modify workspaces. For more information, refer to + [Permissions](../../user-management/palette-rbac/permissions.md). + +### Procedure + +1. Log in to [Palette](https://console.spectrocloud.com). + +2. In the **drop-down Menu** at the top of the page, choose the project that has your workspace. + +3. On the left **Main Menu**, click **Workspaces**. + +4. Click on the workspace you want to update. + +5. In the upper-right corner, click **Settings**. Then click **Namespaces**. + +6. If the namespace where you want to include is already in the workspace, skip this step. + + At the top of the page, enter the namespace you want to create the role bindings in. Note that doing so will include + the namespace in the workspace and Palette users who have access to this workspace will be able to view its workloads + and resource consumption. + + Alternatively, enter a regex that matches the namespaces where you want to create the role binding. Each regex needs + to start and end with a forward slash `/`. For example `/palette-.*/` will match any namespace that starts with + `palette-`. You may also use the negation symbol `~` to select all namespaces that do not match the regex. For + example, `~/palette-.*/` matches everything that does not start with `palette-`. + + :::info + + Using regex will _not_ include the namespaces that match the regex in the workspace. It will still allow you to + create the role bindings, but the workloads in those namespaces will not be visible, and you cannot backup those + namespaces. + + ::: + +7. Click **Add New Binding**. + +8. In the **Namespace** field, select a namespace or the regex. Then enter the **Role type** and **Role name**. As is in + Kubernetes, you can use either a role or a cluster role to create a role binding. If you use a cluster role, the + privilege of the cluster role will still be limited to the namespace where the role binding exists. + + :::info + + This action only creates the role bindings, but does not create the role or the subject referenced in the role + binding. Kubernetes allows you to create role bindings without creating the role or the subject, but the role binding + will have no effect until it can match with a role and a subject. You must make sure to create the role and the + subject in the namespaces or clusters yourself. + + ::: + +9. In the **Subject** fields, choose the type of the subject and enter the subject name. You can enter as many subjects + as you need. + +10. Click **Confirm**. + +### Validate + +1. Log in to [Palette](https://console.spectrocloud.com). + +2. In the **drop-down Menu** at the top of the page, choose the project that has your workspace. + +3. On the left **Main Menu**, click **Workspaces**. Select your workspace. + +4. Switch to the **Role Bindings** tab. + +5. Search for entries that starts with **spectro-on-demand-**. Open these entries to confirm that the role bindings bind + the expected role to the expected subject. + +## Configure Cluster Role Binding in All Clusters + +By creating a workspace-level cluster role binding, you create the same cluster role binding in every cluster in your +workspace. + +For example, if you create a cluster role binding that binds the cluster role `podReader` to the service account +`podReaderAccount`, every cluster will get the role binding that binds the cluster role `podReader` to the service +account `podReaderAccount`. + +### Prerequisites + +- An existing workspace. Refer to [Create a Workspace](../adding-a-new-workspace.md) to learn how to create a workspace. + +- You are logged in as a Palette user that has the permission to modify workspaces. For more information, refer to + [Permissions](../../user-management/palette-rbac/permissions.md). + +### Procedure + +1. Log in to [Palette](https://console.spectrocloud.com). + +2. In the **drop-down Menu** at the top of the page, choose the project that has your workspace. + +3. On the left **Main Menu**, click **Workspaces**. + +4. Click on the workspace you want to update. + +5. In the upper-right corner, click **Settings**. Then click **Clusters**. + +6. Click **Add New Binding**. + +7. In the **Cluster Role name** field, enter the name of the cluster role. In the **Subjects** field, enter the type and + name of the subject. You can enter as many subjects as you need. + + As is with role bindings, neither the cluster role nor the subjects referenced need to exist when you create the + cluster role binding. However, you must create them in each cluster. Otherwise, the cluster role binding will have no + effect. + +8. Click **Confirm**. + +### Validate + +1. Log in to [Palette](https://console.spectrocloud.com). + +2. In the **drop-down Menu** at the top of the page, choose the project that has your workspace. + +3. On the left **Main Menu**, click **Workspaces**. Select your workspace. + +4. Switch to the **Cluster Role Bindings** tab. + +5. Search for entries that start with **spectro-on-demand-**. Open these entries to confirm that the role bindings bind + the expected role to the expected subject. diff --git a/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md b/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md new file mode 100644 index 0000000000..0c54bb959c --- /dev/null +++ b/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md @@ -0,0 +1,47 @@ +--- +sidebar_label: Delete Workspace +title: Delete Workspace +description: "Learn how to delete a workspace. " +hide_table_of_contents: false +sidebar_position: 40 +tags: ["workspace"] +--- + +This page teaches you how to delete a workspace. Deleting a workspace removes resources in the cluster that you created +using the workspace, such as role bindings, cluster role bindings, and resource quotas. Deleting a workspace does not +delete any of the clusters inside the workspace. + +Deleting the workspace will not automatically delete any backup files you created for the workspace. + +## Prerequisites + +- An existing workspace. Refer to [Create a Workspace](../adding-a-new-workspace.md) to learn how to create a workspace. + +- You are logged in as a Palette user that has the permission to delete workspaces. For more information, refer to + [Permissions](../../user-management/palette-rbac/permissions.md). + +## Delete a Workspace + +1. Log in to [Palette](https://console.spectrocloud.com). + +2. In the **drop-down Menu** at the top of the page, choose the project that has your workspace. + +3. On the left **Main Menu**, click **Workspaces**. + +4. Click on the workspace you want to delete. + +5. In the upper-right corner, click **Settings**. + +6. Click **Delete Workspace**. + +7. Enter the workspace name to confirm the deletion. + +## Validate + +1. Log in to [Palette](https://console.spectrocloud.com). + +2. In the **drop-down Menu** at the top of the page, choose the project that has your workspace. + +3. On the left **Main Menu**, click **Workspaces**. + +4. Confirm that the workspace has been deleted. diff --git a/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md b/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md new file mode 100644 index 0000000000..a74247e7b6 --- /dev/null +++ b/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md @@ -0,0 +1,107 @@ +--- +sidebar_label: "Resource Management" +title: "Resource Management" +description: "Learn how to monitor workload resource consumption and implement resource quotas for your workspace." +hide_table_of_contents: false +sidebar_position: 20 +tags: ["workspace", "resource-management"] +--- + +Workspaces give you a unified view of resource consumption in specified namespaces across all clusters in the workspace. +Additionally, you can implement resource quotas for the workspace as a whole, or for individual namespaces. The resource +quotas are implemented using the native Kubernetes ResourceQuota object. Refer to the +[Kubernetes documentation](https://kubernetes.io/docs/concepts/policy/resource-quotas) to learn more about resource +quotas. + +## Monitor Resource Consumption + +Workspaces allow you to view the workloads such as pods, deployments, daemon sets, and stateful sets in the namespaces +that comprise the workspace. + +In the workspace details page, the landing **Namespaces** tab give you an overview of how much resources are consumed by +each namespace. The **CPU** and **Memory** column display the total CPU and memory consumed by the namespaces with the +same name in the entire workspace. + +You can view more workloads by selecting the corresponding tab. For example, select the **Pods** tab if you want to +monitor pod workloads. Each tab will show you the CPU and memory consumption of the corresponding workload in the entire +workspace. + +| **Resource** | **Available Information** | +| ---------------------- | -------------------------------------------------------------------------------------------------------------------------------- | +| **Namespaces** | CPU and memory utilization of the namespace in each cluster. | +| **Pods** | Lists all the pods in a particular namespace with cluster names with detailed health status, age, and resource utilization. | +| **Deployments** | All deployments in the namespaces included in the workspace and their age, pods, and resource utilization. | +| **DaemonSets** | All daemon set in the namespaces included in the workspace and their age, pods, and resource utilization. | +| **StatefulSets** | All the active StatefulSets in the namespaces included in the workspace and their age, pods, replicas, and resource utilization. | +| **Jobs** | All jobs in the namespaces included in the workspace and their status. | +| **CronJobs** | All cron jobs in the namespaces included in the workspace and their status. | +| **RoleBinding** | All role bindings in the namespaces included in the workspace, including the role name and the subject name. | +| **ClusterRoleBinding** | All cluster role bindings in the clusters included in the workspace. | + +## Implement Resource Quotas + +You can implement resource quotas on an entire workspace or implement them on individual namespaces. Resource quotas are +implemented through Kubernetes' native ResourceQuota object. For more information about resource quotas in Kubernetes, +refer to [Kubernetes documentation](https://kubernetes.io/docs/concepts/policy/resource-quotas/). + +### Prerequisites + +- An active Palette workspace. Refer to [Create a Workspace](../adding-a-new-workspace.md) to learn how to create one. + +- You are logged in as a Palette user that has the permission to modify workspaces. For more information, refer to + [Permissions](../../user-management/palette-rbac/permissions.md). + +### Procedure + +1. Log in to [Palette](https://console.spectrocloud.com). + +2. In the **drop-down Menu** at the top of the page, choose the project that has your workspace. + +3. On the left **Main Menu**, click **Workspaces**. + +4. Click on the workspace you want to update. + +5. Click **Settings** in the upper-right corner. + +6. Click **Namespaces**. + +7. Under **Workspace Quota**, you can specify the amount of CPU and memory that the entire workspace is allowed to + consume. The default value is 0, which imposes no limit. + +8. If you want to limit resource use based on namespaces, enter the desired CPU and memory limit in the **Allocate CPU** + and **Allocate memory** columns next to the namespace entry. + + By default, the namespace in each cluster has the same resource limit. You can change this and enter the limit on the + namespace in one particular cluster. You must ensure that resources configured to individual namespaces do not exceed + the workspace quota when added together. + + For example, if you have two clusters in the workspace and impose a workspace-level quota of 8 Gi of memory and 8 + CPUs, when each instance of the namespace in each cluster is added together, the total memory and CPU quota cannot + exceed 8 Gi of memory and 8 CPUs. + + The following resource quota configuration is not allowed for a workspace with 8 Gi of memory and 8 CPUs because the + resource quotas add up to 11 Gi and 11 CPUs. + + | | Cluster 1 | Cluster 2 | + | ----------- | ------------ | ------------ | + | Namespace 1 | 4 Gi, 4 CPUs | 4 Gi, 4 CPUs | + | Namespace 2 | 2 Gi, 2 CPU | 1 Gi, 1 CPU | + + The following resource quota configuration is allowed because the total quota is 8 Gi and 8 CPUs. + + | | Cluster 1 | Cluster 2 | + | ----------- | ------------ | ------------ | + | Namespace 1 | 2 Gi, 2 CPUs | 2 Gi, 2 CPUs | + | Namespace 2 | 3 Gi, 3 CPU | 1 Gi, 1 CPU | + +### Validate + +1. Connect to a cluster in your workspace using kubectl. For more information, refer to + [Access Cluster with kubectl](../../clusters/cluster-management/palette-webctl.md). + +2. Issue the following command to view the resource quotas created for your cluster. Confirm that the corresponding + resource quotas have been created. You may also use the `--namespace` flag to choose a specific namespace to examine. + + ```shell + kubectl get resourcequota --all-namespaces + ``` diff --git a/docs/docs-content/workspace/workspace-mgmt/restrict-images.md b/docs/docs-content/workspace/workspace-mgmt/restrict-images.md new file mode 100644 index 0000000000..e41a4c0726 --- /dev/null +++ b/docs/docs-content/workspace/workspace-mgmt/restrict-images.md @@ -0,0 +1,53 @@ +--- +sidebar_label: Restrict Container Images +title: Restrict Container Images +description: "Learn how to restrict certain images from being used by your workspace" +hide_table_of_contents: false +sidebar_position: 60 +tags: ["workspace"] +--- + +You can specify image URLs in a workspace to restrict access to those images for specific namespaces. Restricted images +cannot be loaded into any cluster in the namespaces you specify. + +Access control to images is achieved using Kyverno policies. For more information about Kyverno, refer to +[Kyverno documentation](https://kyverno.io/). + +## Prerequisites + +- An active Palette workspace. Refer to [Create a Workspace](../adding-a-new-workspace.md) to learn how to create one. + +- You are logged in as a Palette user that has the permission to modify workspaces. For more information, refer to + [Permissions](../../user-management/palette-rbac/permissions.md). + +## Restrict Container Image + +1. Log in to [Palette](https://console.spectrocloud.com). + +2. In the **drop-down Menu** at the top of the page, choose the project that has your workspace. + +3. On the left **Main Menu**, click **Workspaces**. + +4. Click on the workspace you want to delete. + +5. In the upper-right corner, click **Settings**. + +6. Click **Container Images**. + +7. Enter the namespace you want to restrict image access for. Then enter the images by tag, separated by commas. + +8. Click **Save Changes**. + +## Validate + +1. Connect to a cluster in your workspace using kubectl. For more information, refer to + [Access Cluster with kubectl](../../clusters/cluster-management/palette-webctl.md). + +2. Issue the following command to view the Kyverno policy used to control image access. + + ```shell + kubectl describe cpol cluster-policy-palette-system + ``` + +3. Check under `spec.rules.preconditions` and `spec.rules.validate`. Confirm that the matching namespaces have + restricted the container images from loading. diff --git a/docs/docs-content/workspace/workspace-mgmt/workspace-mgmt.md b/docs/docs-content/workspace/workspace-mgmt/workspace-mgmt.md new file mode 100644 index 0000000000..d125b4105d --- /dev/null +++ b/docs/docs-content/workspace/workspace-mgmt/workspace-mgmt.md @@ -0,0 +1,25 @@ +--- +sidebar_label: "Workspace Management" +title: "Workspace Management" +description: "Resources for workspace management." +icon: "" +hide_table_of_contents: false +sidebar_position: 0 +tags: ["workspace"] +--- + +After creating a workspace, you can monitor the workloads and their resource usage in your workspace in Palette. In +addition, you can make changes to the workspace, including adding and removing namespaces role bindings, and resource +quotas. + +## Resources + +- [Configure RBAC in Workspaces](configure-rbac.md) + +- [Resource Management](resource-mgmt.md) + +- [Backup and Restore](./backup-restore.md) + +- [Restrict Container Images](restrict-images.md) + +- [Delete Workspace](./delete-workspace.md) diff --git a/docs/docs-content/workspace/workspace.md b/docs/docs-content/workspace/workspace.md index 9ec346057c..19ca5edee8 100644 --- a/docs/docs-content/workspace/workspace.md +++ b/docs/docs-content/workspace/workspace.md @@ -8,56 +8,51 @@ sidebar_custom_props: tags: ["workspace"] --- -Palette extends its multi-cluster management and governance capabilities by introducing **Workspaces**. Workspaces -enable the logical grouping of clusters and namespaces to provide application or team-specific governance and visibility -into workloads, cost, and usage metrics. For example, the application or team workload may be deployed into namespaces -across clusters to achieve High Availability (HA), Disaster Recovery (DR), organization-specific placement policies, -etc. Grouping such namespaces and clusters into a workspace provide central management and governance in a multi-cluster -distributed environment. The following sections describe various aspects of multi-cluster management via workspaces. +A workspace in Palette consists of a group of clusters and namespaces and the resources scoped in those clusters and +namespaces. Using workspaces enables you to provide application or team-specific governance and visibility into +workloads, cost, and usage metrics. -## Namespace Management +For example, the application or team workload may be deployed into namespaces across clusters to achieve High +Availability (HA), Disaster Recovery (DR), or other organization-specific placement policies. Grouping such namespaces +and clusters into a workspace allows centralized management and governance in a multi-cluster distributed environment. -Workspaces automate the creation and deletion of namespaces common to all clusters within the workspace. A workspace can -hold a set of namespaces. Spectro Cloud Palette will periodically reconcile the workspace definition and add/remove -namespaces if required from all clusters part of the workspace. +The following sections describe what Palette workspaces can help you achieve. -## Quota Control +## Namespace and Resource Management -Usage quota in terms of CPU and memory usage limits is specified within the namespaces. Spectro Cloud Palette sets the -specified limits across all the clusters in the namespaces. +Workspaces in Palette automate the creation and management of namespaces across all clusters in the workspace. This +includes: -## Role Based Access Control(RBAC) +- **Namespace Creation**: Creating namespaces across all clusters in your workspace if a cluster does not have a + specified namespace. +- **Resource Quotas**: Defining and enforcing CPU and memory usage limits within namespaces, applied uniformly across + all clusters in the workspace. -Role bindings and cluster role bindings are specified within workspaces. Furthermore, these role bindings and cluster -role bindings are created in every cluster within the workspaces, thus enabling centralized RBAC. +## Centralized Access Control -## Utilization +Workspaces simplify Role-Based Access Control (RBAC) by centralizing management of role bindings and cluster role +bindings. You can specify role bindings and cluster role bindings within the workspace to automatically apply them to +all clusters, ensuring consistent and secure access policies across all clusters in a workspace. -Spectro Cloud Palette reports detailed resource utilization of workloads deployed in all the namespaces in the workspace -across clusters. In addition, the CPU and memory usage trends within the workspace provide valuable insights into the -consumption patterns of an application distributed across clusters. +## Visibility and Insights -## Cost Attribution +Workspaces enhance operational visibility and provide actionable insights -Spectro Cloud Palette computes utilization costs for workloads deployed in all the namespaces that are part of the -workspace across all the clusters based on the detailed resource utilization data. This can be used for internal -charge-back or show-back purposes to determine the cost incurred by an application or team. +- **Workload Visibility**: A centralized workload browser aggregates and displays workloads (pods, deployments, jobs, + stateful sets, etc.) across all namespaces and clusters in the workspace. +- **Resource Utilization**: Detailed reporting on CPU and memory usage trends across clusters to understand consumption + patterns. +- **Cost Attribution**: Calculating costs for workloads based on resource utilization, enabling internal charge-back or + show-back for teams or applications. -## Workload Visibility +## Backup and Disaster Recovery -Workspaces provide a workload browser to view all the workloads such as pods, deployment, jobs, stateful sets, etc., -deployed in all the namespaces that are part of the workspace across all the clusters. The workload browser aggregates -resources across clusters from relevant namespaces and presents them with centralized visibility. +**Workspace-Based Backup**: Extends cluster-level backups to include namespaces in all clusters within a workspace. For +detailed prerequisites and instructions, refer to the +[Backup and Restore](../clusters/cluster-management/backup-restore/backup-restore.md) page. -## Backup and Restore +## Resources -A workspace-based backup is similar to a cluster backup, with the additional coverage of multiple clusters, should the -workspace include more than one. The prerequisites and detailed instructions to backup and restore clusters are -specified on the [Backup and Restore](../clusters/cluster-management/backup-restore/backup-restore.md) page. +- [Create a Workspace](./adding-a-new-workspace.md) -## Regex for Namespaces - -Palette leverages [Regex Pattern matching](workload-features.md#regex-for-namespaces) to select multiple namespaces to -apply Role binding concurrently. When we have many namespaces to be configured for role binding, the user can provide a -Regex pattern matching multiple namespaces instead of giving a single namespace. This will help select all the -namespaces matching the given Regex pattern to be selected together for role binding. > +- [Workspace Management](./workspace-mgmt/workspace-mgmt.md)