Commit

docs: add more examples
lennessyy committed Dec 20, 2024
1 parent 30c6529 commit 7571e6b
Showing 5 changed files with 52 additions and 23 deletions.
9 changes: 5 additions & 4 deletions docs/docs-content/workspace/workspace-mgmt/backup-restore.md
Expand Up @@ -12,7 +12,8 @@ included in the workspace, across every cluster in the workspace. The backup fea
Velero-based approach as regular cluster backups and are subject to the same limitations. For more information, refer to
[Cluster Backup and Restore](../../clusters/cluster-management/backup-restore/backup-restore.md).

The backup files will be stored in a backup location you configure. Each cluster will have its own backup files.
The backup files will be stored in a backup location you configure. Each cluster will have its own backup files. When
you delete a workspace, the backup files will not be deleted.

## Create a workspace backup

Expand All @@ -24,7 +25,7 @@ all Kubernetes objects as well as volumes in the namespaces selected.
- You have configured at least one backup location for cluster backups. Refer to
[Add Backup Location using Static Credentials](../../clusters/cluster-management/backup-restore/add-backup-location-static.md).

- You are logged in as a Palette user that has the permission to modify workspaces. For more information, refer to
- You are logged in as a Palette user that has the permission to back up workspaces. For more information, refer to
[Permissions](../../user-management/palette-rbac/permissions.md).

- The clusters in the workspace you want to backup are healthy and available. Unhealthy clusters will not be backed up.
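
Review bot: The reworded prerequisite "has the permission to back up workspaces" describes the permission but does not name it, so a reader still has to search the Permissions page to find out what to grant. Consider giving the permission name exactly as it appears on that page, and do the same for the matching "permission to restore workspaces" prerequisite later in this file. Separately, the unchanged bullet that follows still uses "backup" as a verb ("the workspace you want to backup"), which now disagrees with "back up" in the changed line.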
Expand Down Expand Up @@ -87,7 +88,7 @@ all Kubernetes objects as well as volumes in the namespaces selected.

10. Click **Save Changes**.

The backup process will take some time ranging from 15 mins to hours depending on the scope of the backup.
The backup process will take some time ranging from 15 minutes to hours depending on the scope of the backup.

### Validate

Expand All @@ -114,7 +115,7 @@ be restored.

- You have created a backup file for the workspace.

- You are logged in as a Palette user that has the permission to modify workspaces. For more information, refer to
- You are logged in as a Palette user that has the permission to restore workspaces. For more information, refer to
[Permissions](../../user-management/palette-rbac/permissions.md).

- The clusters you want to restore are healthy and available.
13 changes: 9 additions & 4 deletions docs/docs-content/workspace/workspace-mgmt/configure-rbac.md
Expand Up @@ -22,6 +22,10 @@ Kubernetes users, groups and service accounts.
| Subjects | Kubernetes users, groups, and service accounts. | Palette users and teams |
| Example resources | ConfigMaps, Secrets, Pods, StatefulSets, etc. | Cluster profiles, clusters, workspaces, Edge hosts, etc. |

Because workspace RBAC is built on top of Kubernetes RBAC, we recommend you becoming familiar with Kubernetes' RBAC
model before using workspace RBAC. For more information about RBAC in Kubernetes, refer to
[Kubernetes Documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)

## Create Workspace-Level Role Bindings

By creating a workspace-level role binding, you create role bindings in the all clusters in the workspace in the
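
Review bot: The added paragraph has two copy problems: "we recommend you becoming familiar" should read "we recommend that you become familiar", and the sentence that ends with the Kubernetes documentation link has no closing period. The context line after it ("in the all clusters in the workspace") has a stray "the" that could be fixed in the same pass.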
Expand Down Expand Up @@ -54,7 +58,7 @@ cluster role `podReader` to the service account `podReaderAccount` in that clust
6. If the namespace where you want to include are already in the workspace, skip this step.

At the top of the page, enter the namespace you want to create the role bindings in. Note that doing so will include
the namespace in the workspace and Palette users who have access to this workspace will be able to see its workloads
the namespace in the workspace and Palette users who have access to this workspace will be able to view its workloads
and resource consumption.

Alternatively, enter a regex that match the namespaces where you want to create the role binding. Each regex needs to
Expand All @@ -64,8 +68,9 @@ cluster role `podReader` to the service account `podReaderAccount` in that clust

:::info

Using regex will _not_ include all the namespaces that match the regex in the workspace. It will still allow you to
create the role bindings, but the workloads in those namespaces will not be visible.
Using regex will _not_ include the namespaces that match the regex in the workspace. It will still allow you to
create the role bindings, but the workloads in those namespaces will not be visible, and you cannot backup those
namespaces.

:::
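
Review bot: In the rewritten admonition, "you cannot backup those namespaces" uses the noun form as a verb; it should be "back up". Since this note now tells readers that role bindings are created in namespaces that are not included in the workspace and whose workloads are not visible there, it would also help to say where an administrator can check which namespaces a regex matched, because the bindings exist in them even though the workspace does not list them.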

Expand Down Expand Up @@ -108,7 +113,7 @@ By creating a workspace-level cluster role binding, you create the same cluster
workspace.

For example, if you create a cluster role binding that binds the cluster role `podReader` to the service account
`podReaderAccount`, every cluster will get the role binding that binds the the cluster role `podReader` to the service
`podReaderAccount`, every cluster will get the role binding that binds the cluster role `podReader` to the service
account `podReaderAccount`.

### Prerequisites
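
Review bot: The corrected sentence drops the doubled "the" but still says every cluster "will get the role binding", while this section and the first half of the same sentence are about a cluster role binding. A RoleBinding is namespace-scoped and a ClusterRoleBinding is cluster-wide, so the distinction matters to anyone reasoning about the resulting access. Suggest "every cluster will get the cluster role binding that binds the cluster role `podReader` to the service account `podReaderAccount`".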
Expand Up @@ -11,6 +11,8 @@ This page teaches you how to delete a workspace. Deleting a workspace removes re
using the workspace, such as role bindings, cluster role bindings, and resource quotas. Deleting a workspace does not
delete any of the clusters inside the workspace.

Deleting the workspace will not automatically delete any backup files you created for the workspace.

## Prerequisites

- An existing workspace. Refer to [Create a Workspace](../adding-a-new-workspace.md) to learn how to create a workspace.
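
Review bot: The added sentence says backup files survive workspace deletion but not where they remain or how to remove them. The backup page changed in this same commit states that the files are stored in the backup location you configure and that a workspace backup covers Kubernetes objects and volumes in the selected namespaces, so consider linking to that page here and telling readers to remove the files from the backup location when they are no longer needed.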
47 changes: 34 additions & 13 deletions docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md
Expand Up @@ -26,21 +26,23 @@ You can view more workloads by selecting the corresponding tab. For example, sel
monitor pod workloads. Each tab will show you the CPU and memory consumption of the corresponding workload in the entire
workspace.

| **Resource** | **Description availed from Workspace** |
| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Namespaces** | Cluster Specific namespaces with CPU and Memory utilization. |
| **Pods** | Lists all the pods running on a particular namespace with cluster names with the detailed health status, age, and resource utilization of each of them. |
| **Deployments** | All the running deployments specific to clusters belonging to the Workspace with namespace to which these deployments belong, pods details, replicas, and age are enumerated |
| **DaemonSets** | DaemonSet resource utilization is described, with details on namespaces, pods, and age of individual Daemon sets |
| **StatefulSets** | All the active StatefulSets specific to clusters belonging to the Workspace with corresponding namespace, pods details, replicas, and age are enumerated |
| **Jobs** | A Job creates one or more Pods and will continue to retry execution of the Pods until a specified number of them successfully terminate. |
| **CronJobs** | Cron Jobs are regularly scheduled actions or jobs such as backups, report generation, etc. Each of these jobs will recur as scheduled. |
| **RoleBinding** | A role binding grants the permissions defined in a role to a user or set of users. |
| **ClusterRoleBinding** | A Cluster Role binding defines the permissions defined across a cluster. |
| **Resource** | **Available information** |
| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- |
| **Namespaces** | CPU and memory utilization of the namespace s in each cluster. |
| **Pods** | Lists all the pods running on a particular namespace with cluster names with the detailed health status, age, and resource utilization.. |
| **Deployments** | All deployments in the namespaces included in the workspace and their age, pods, and resource utilization. |
| **DaemonSets** | All daemon set in the namespaces included in the workspace and their age, pods, and resource utilization. |
| **StatefulSets** | All the active StatefulSets in the namespaces included in the workspace and their age, pods, replicas, and resource utilization. |
| **Jobs** | All jobs in the namespaces included in the workspace and their status. |
| **CronJobs** | All cron jobs in the namespaces included in the workspace and their status. |
| **RoleBinding** | All role bindings in the namespaces included in the workspace, including the role name and the subject name. |
| **ClusterRoleBinding** | All cluster role bindings in the clusters included in the workspace. |

## Implement Resource Quotas

You can implement resource quotas on an entire workspace, as well as implement them on individual namespaces.
You can implement resource quotas on an entire workspace or implement them on individual namespaces. Resource quotas are
implemented through Kubernetes' native ResourceQuota object. For more information about resource quotas in Kubernetes,
refer to [Kubernetes documentation](https://kubernetes.io/docs/concepts/policy/resource-quotas/).

### Prerequisites
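
Review bot: Several of the new table rows carry typos: "namespace s" in the Namespaces row, a doubled period after "resource utilization.." in the Pods row, and "All daemon set" in the DaemonSets row, which should be plural. The Pods row also keeps the old sentence shape ("Lists all the pods running on a particular namespace with cluster names with ...") while the other rows were rewritten as noun phrases starting with "All"; rewording it to match would make the table consistent.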

Expand Down Expand Up @@ -70,9 +72,28 @@ You can implement resource quotas on an entire workspace, as well as implement t
and **Allocate memory** columns next to the namespace entry.

By default, the namespace in each cluster has the same resource limit. You can change this and enter the limit on the
namespace in one particular cluster. You must ensure that resources alloted to individual namespaces do not exceed
namespace in one particular cluster. You must ensure that resources configured to individual namespaces do not exceed
the workspace quota when added together.

For example, if you have three clusters in the workspace and impose a workspace-level quota of 8 Gi of memory and 8
CPUs. When each instance of the namespace in each cluster are added together, the total memory and CPU quota cannot
exceed 8 Gi of memory and 8 CPUs.

The following resource quota configuration is not allowed for a workspace with 8 Gi of memory and 8 CPUs because the
resource quotas add up to 11 Gi and 11 CPUs.

| | Cluster 1 | Cluster 2 |
| ----------- | ------------ | ------------ |
| Namespace 1 | 4 Gi, 4 CPUs | 4 Gi, 4 CPUs |
| Namespace 2 | 2 Gi, 2 CPU | 1 Gi, 1 CPU |

The following resource quota configuration is allowed because the total quota is 8 Gi and 8 CPUs.

| | Cluster 1 | Cluster 2 |
| ----------- | ------------ | ------------ |
| Namespace 1 | 2 Gi, 2 CPUs | 2 Gi, 2 CPUs |
| Namespace 2 | 3 Gi, 3 CPU | 1 Gi, 1 CPU |

### Validate

1. Connect to a cluster in your workspace using kubectl. For more information, refer to
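
Review bot: The added example opens with "if you have three clusters in the workspace", but both tables show only Cluster 1 and Cluster 2, so the reader cannot map the text to the tables. Either change the text to two clusters or add a third column and adjust the totals. The opening is also a sentence fragment ("For example, if you have ... 8 CPUs.") that should be joined to the sentence after it, "resources configured to individual namespaces" reads better as "configured for", and the table cells mix "2 CPU" with "4 CPUs".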
4 changes: 2 additions & 2 deletions docs/docs-content/workspace/workspace-mgmt/restrict-images.md
Expand Up @@ -7,8 +7,8 @@ sidebar_position: 60
tags: ["workspace"]
---

You can specify image URLs in a workspace to restrict access to images in your workspace for specific namespaces.
Restricted images cannot be loaded into any cluster in the namespaces you specify.
You can specify image URLs in a workspace to restrict access to those images for specific namespaces. Restricted images
cannot be loaded into any cluster in the namespaces you specify.

Access control to images is achieved using Kyverno policies. For more information about Kyverno, refer to
[Kyverno documentation](https://kyverno.io/).
