diff --git a/docs/docs-content/workspace/workspace-mgmt/backup-restore.md b/docs/docs-content/workspace/workspace-mgmt/backup-restore.md index 35bb9d7219..553298179f 100644 --- a/docs/docs-content/workspace/workspace-mgmt/backup-restore.md +++ b/docs/docs-content/workspace/workspace-mgmt/backup-restore.md @@ -12,7 +12,8 @@ included in the workspace, across every cluster in the workspace. The backup fea Velero-based approach as regular cluster backups and are subject to the same limitations. For more information, refer to [Cluster Backup and Restore](../../clusters/cluster-management/backup-restore/backup-restore.md). -The backup files will be stored in a backup location you configure. Each cluster will have its own backup files. +The backup files will be stored in a backup location you configure. Each cluster will have its own backup files. When +you delete a workspace, the backup files will not be deleted. ## Create a workspace backup @@ -24,7 +25,7 @@ all Kubernetes objects as well as volumes in the namespaces selected. - You have configured at least one backup location for cluster backups. Refer to [Add Backup Location using Static Credentials](../../clusters/cluster-management/backup-restore/add-backup-location-static.md). -- You are logged in as a Palette user that has the permission to modify workspaces. For more information, refer to +- You are logged in as a Palette user that has the permission to back up workspaces. For more information, refer to [Permissions](../../user-management/palette-rbac/permissions.md). - The clusters in the workspace you want to backup are healthy and available. Unhealthy clusters will not be backed up. 
@@ -87,7 +88,7 @@ all Kubernetes objects as well as volumes in the namespaces selected. 10. Click **Save Changes**. -The backup process will take some time ranging from 15 mins to hours depending on the scope of the backup. +The backup process will take some time ranging from 15 minutes to hours depending on the scope of the backup. ### Validate @@ -114,7 +115,7 @@ be restored. - You have created a backup file for the workspace. -- You are logged in as a Palette user that has the permission to modify workspaces. For more information, refer to +- You are logged in as a Palette user that has the permission to restore workspaces. For more information, refer to [Permissions](../../user-management/palette-rbac/permissions.md). - The clusters you want to restore are healthy and available. diff --git a/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md b/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md index c9dc66daf9..05f5c98a4a 100644 --- a/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md +++ b/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md @@ -22,6 +22,10 @@ Kubernetes users, groups and service accounts. | Subjects | Kubernetes users, groups, and service accounts. | Palette users and teams | | Example resources | ConfigMaps, Secrets, Pods, StatefulSets, etc. | Cluster profiles, clusters, workspaces, Edge hosts, etc. | +Because workspace RBAC is built on top of Kubernetes RBAC, we recommend you becoming familiar with Kubernetes' RBAC +model before using workspace RBAC. For more information about RBAC in Kubernetes, refer to +[Kubernetes Documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) + ## Create Workspace-Level Role Bindings By creating a workspace-level role binding, you create role bindings in the all clusters in the workspace in the 
@@ -54,7 +58,7 @@ cluster role `podReader` to the service account `podReaderAccount` in that clust 6. If the namespace where you want to include are already in the workspace, skip this step. At the top of the page, enter the namespace you want to create the role bindings in. Note that doing so will include - the namespace in the workspace and Palette users who have access to this workspace will be able to see its workloads + the namespace in the workspace and Palette users who have access to this workspace will be able to view its workloads and resource consumption. Alternatively, enter a regex that match the namespaces where you want to create the role binding. Each regex needs to @@ -64,8 +68,9 @@ cluster role `podReader` to the service account `podReaderAccount` in that clust :::info - Using regex will _not_ include all the namespaces that match the regex in the workspace. It will still allow you to - create the role bindings, but the workloads in those namespaces will not be visible. + Using regex will _not_ include the namespaces that match the regex in the workspace. It will still allow you to + create the role bindings, but the workloads in those namespaces will not be visible, and you cannot backup those + namespaces. ::: @@ -108,7 +113,7 @@ By creating a workspace-level cluster role binding, you create the same cluster workspace. For example, if you create a cluster role binding that binds the cluster role `podReader` to the service account -`podReaderAccount`, every cluster will get the role binding that binds the the cluster role `podReader` to the service +`podReaderAccount`, every cluster will get the role binding that binds the cluster role `podReader` to the service account `podReaderAccount`. ### Prerequisites diff --git a/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md b/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md index 1a7cffbd30..729f866844 100644 
--- a/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md +++ b/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md @@ -11,6 +11,8 @@ This page teaches you how to delete a workspace. Deleting a workspace removes re using the workspace, such as role bindings, cluster role bindings, and resource quotas. Deleting a workspace does not delete any of the clusters inside the workspace. +Deleting the workspace will not automatically delete any backup files you created for the workspace. + ## Prerequisites - An existing workspace. Refer to [Create a Workspace](../adding-a-new-workspace.md) to learn how to create a workspace. diff --git a/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md b/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md index 21014490dc..46e0a8b7e3 100644 --- a/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md +++ b/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md 
@@ -26,21 +26,23 @@ You can view more workloads by selecting the corresponding tab. For example, sel monitor pod workloads. Each tab will show you the CPU and memory consumption of the corresponding workload in the entire workspace. -| **Resource** | **Description availed from Workspace** | -| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| **Namespaces** | Cluster Specific namespaces with CPU and Memory utilization. | -| **Pods** | Lists all the pods running on a particular namespace with cluster names with the detailed health status, age, and resource utilization of each of them. | -| **Deployments** | All the running deployments specific to clusters belonging to the Workspace with namespace to which these deployments belong, pods details, replicas, and age are enumerated | -| **DaemonSets** | DaemonSet resource utilization is described, with details on namespaces, pods, and age of individual Daemon sets | -| **StatefulSets** | All the active StatefulSets specific to clusters belonging to the Workspace with corresponding namespace, pods details, replicas, and age are enumerated | -| **Jobs** | A Job creates one or more Pods and will continue to retry execution of the Pods until a specified number of them successfully terminate. | -| **CronJobs** | Cron Jobs are regularly scheduled actions or jobs such as backups, report generation, etc. Each of these jobs will recur as scheduled. | -| **RoleBinding** | A role binding grants the permissions defined in a role to a user or set of users. | -| **ClusterRoleBinding** | A Cluster Role binding defines the permissions defined across a cluster. 
| +| **Resource** | **Available information** | +| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | +| **Namespaces** | CPU and memory utilization of the namespace s in each cluster. | +| **Pods** | Lists all the pods running on a particular namespace with cluster names with the detailed health status, age, and resource utilization.. | +| **Deployments** | All deployments in the namespaces included in the workspace and their age, pods, and resource utilization. | +| **DaemonSets** | All daemon set in the namespaces included in the workspace and their age, pods, and resource utilization. | +| **StatefulSets** | All the active StatefulSets in the namespaces included in the workspace and their age, pods, replicas, and resource utilization. | +| **Jobs** | All jobs in the namespaces included in the workspace and their status. | +| **CronJobs** | All cron jobs in the namespaces included in the workspace and their status. | +| **RoleBinding** | All role bindings in the namespaces included in the workspace, including the role name and the subject name. | +| **ClusterRoleBinding** | All cluster role bindings in the clusters included in the workspace. | ## Implement Resource Quotas -You can implement resource quotas on an entire workspace, as well as implement them on individual namespaces. +You can implement resource quotas on an entire workspace or implement them on individual namespaces. Resource quotas are +implemented through Kubernetes' native ResourceQuota object. For more information about resource quotas in Kubernetes, +refer to [Kubernetes documentation](https://kubernetes.io/docs/concepts/policy/resource-quotas/). ### Prerequisites 
@@ -70,9 +72,28 @@ You can implement resource quotas on an entire workspace, as well as implement t and **Allocate memory** columns next to the namespace entry. By default, the namespace in each cluster has the same resource limit. You can change this and enter the limit on the - namespace in one particular cluster. You must ensure that resources alloted to individual namespaces do not exceed + namespace in one particular cluster. You must ensure that resources configured to individual namespaces do not exceed the workspace quota when added together. + For example, if you have three clusters in the workspace and impose a workspace-level quota of 8 Gi of memory and 8 + CPUs. When each instance of the namespace in each cluster are added together, the total memory and CPU quota cannot + exceed 8 Gi of memory and 8 CPUs. + + The following resource quota configuration is not allowed for a workspace with 8 Gi of memory and 8 CPUs because the + resource quotas add up to 11 Gi and 11 CPUs. + + | | Cluster 1 | Cluster 2 | + | ----------- | ------------ | ------------ | + | Namespace 1 | 4 Gi, 4 CPUs | 4 Gi, 4 CPUs | + | Namespace 2 | 2 Gi, 2 CPU | 1 Gi, 1 CPU | + + The following resource quota configuration is allowed because the total quota is 8 Gi and 8 CPUs. + + | | Cluster 1 | Cluster 2 | + | ----------- | ------------ | ------------ | + | Namespace 1 | 2 Gi, 2 CPUs | 2 Gi, 2 CPUs | + | Namespace 2 | 3 Gi, 3 CPU | 1 Gi, 1 CPU | + ### Validate 1. Connect to a cluster in your workspace using kubectl. For more information, refer to diff --git a/docs/docs-content/workspace/workspace-mgmt/restrict-images.md b/docs/docs-content/workspace/workspace-mgmt/restrict-images.md index ab271b9d32..5df9b171cb 100644 --- a/docs/docs-content/workspace/workspace-mgmt/restrict-images.md +++ b/docs/docs-content/workspace/workspace-mgmt/restrict-images.md 
@@ -7,8 +7,8 @@ sidebar_position: 60 tags: ["workspace"] --- -You can specify image URLs in a workspace to restrict access to images in your workspace for specific namespaces. -Restricted images cannot be loaded into any cluster in the namespaces you specify. +You can specify image URLs in a workspace to restrict access to those images for specific namespaces. Restricted images +cannot be loaded into any cluster in the namespaces you specify. Access control to images is achieved using Kyverno policies. For more information about Kyverno, refer to [Kyverno documentation](https://kyverno.io/).
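Review bot: In the backup-restore.md hunk at @@ -12, the added sentence "When you delete a workspace, the backup files will not be deleted." states the retention behaviour without saying where the files end up or what the reader should do about them. Since the same page says a workspace backup captures all Kubernetes objects and volumes in the selected namespaces, an orphaned backup keeps that data alive in the configured backup location after the workspace is gone. Suggest something like "The backup files remain in the backup location you configured and must be removed there if they are no longer needed." so the reader knows the retention decision is theirs.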
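Review bot: In the backup-restore.md prerequisites hunk at @@ -24, the new line uses "back up" as the verb ("has the permission to back up workspaces") while the unchanged bullet two lines below still reads "The clusters in the workspace you want to backup are healthy"; make the verb form consistent ("back up") while this list is being touched. It would also help to name the specific permission the reader should look for on the linked Permissions page instead of paraphrasing it, so they can check their role without guessing which entry is meant.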
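Review bot: At @@ -114 in backup-restore.md the restore prerequisite is narrowed from "modify workspaces" to "restore workspaces", mirroring the backup hunk, which is the right direction. Because a restore writes objects back into the clusters listed in the following bullet ("The clusters you want to restore are healthy and available."), consider stating whether this workspace permission is sufficient on its own or whether access to the target clusters is also required; the backup prerequisite does not have to answer that question, but the restore one does.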
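Review bot: The new paragraph in configure-rbac.md at @@ -22 has a grammar slip and a missing full stop: "we recommend you becoming familiar with Kubernetes' RBAC model" should read "we recommend that you become familiar with the Kubernetes RBAC model", and the sentence ending in the link "[Kubernetes Documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)" needs a period after it.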
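Review bot: The info box in configure-rbac.md at @@ -64 now says that regex-matched namespaces get role bindings but are neither visible in the workspace nor backed up ("the workloads in those namespaces will not be visible, and you cannot backup those namespaces"). That is an important visibility gap: the bindings exist in the clusters but the workspace view gives no way to see them. Suggest adding a pointer to how the reader can confirm those bindings (the page's Validate steps, or kubectl against the cluster) so the grant does not go unreviewed. Minor: "backup" is a verb here and should be "back up", and the unchanged context line "enter a regex that match the namespaces" should read "matches".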
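Review bot: The added line in delete-workspace.md at @@ -11, "Deleting the workspace will not automatically delete any backup files you created for the workspace.", repeats the sentence added to backup-restore.md in the same change without linking the two. Suggest cross-linking to the backup-restore page and stating that the files stay in the configured backup location, so a reader deleting a workspace knows where the leftover data lives and where to remove it.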
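Review bot: The rewritten table in resource-mgmt.md at @@ -26 has several typos in the new rows: "utilization of the namespace s in each cluster" (stray space in "namespaces"), "resource utilization.." (double period), and "All daemon set in the namespaces" (should be "daemon sets"). The Pods row also keeps the awkward double "with" ("running on a particular namespace with cluster names with the detailed health status"); consider "Lists the pods in each namespace per cluster, with health status, age, and resource utilization." Capitalisation of resource kinds is mixed across rows ("daemon set", "StatefulSets", "cron jobs"); pick one convention.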
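Review bot: In the resource-mgmt.md quota hunk at @@ -70 the worked example is internally inconsistent: the text says "if you have three clusters in the workspace" but both tables that follow show only Cluster 1 and Cluster 2. Either add the third cluster's column or change the sentence to two clusters. The sentence itself is also a fragment ("For example, if you have three clusters ... and 8 CPUs. When each instance ..."); join it into one conditional. The arithmetic is right (4+4+2+1 = 11 Gi and 11 CPUs disallowed; 2+2+3+1 = 8 allowed), but the unit labels alternate between "CPU" and "CPUs" within the same table. Minor: "resources configured to individual namespaces" should read "configured for".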
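Review bot: In restrict-images.md at @@ -7 the new wording "Restricted images cannot be loaded into any cluster in the namespaces you specify" inverts the containment: namespaces belong to clusters, not the other way round. Suggest "Restricted images cannot be used in the specified namespaces of any cluster in the workspace." The first sentence is clearer than before, but "restrict access to those images" could be made concrete by saying the restriction applies to workloads referencing those image URLs, which is what the Kyverno policy mentioned in the following paragraph enforces.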