1. Description

Working through the official documentation hands-on is really a process of learning and understanding. The steps below are my own notes, following the procedure on the official website and adapted to my own setup. For reference only!

PS: Most of this comes from the official website!!!! If you are interested, I suggest going to the official website to check. These are just notes I keep for my own convenience!

2. KubeSphere multi-tenant management system architecture

KubeSphere's multi-tenant system has three levels: cluster, workspace (rendered as "enterprise space" in the Chinese docs) and project.

  • Access is controlled with RBAC roles.
  • A project in KubeSphere is equivalent to a Kubernetes namespace.
  • The cluster contains all resources (the nodes and everything running on them).
  • Cluster resources are subdivided into workspaces; by default there is one system workspace.
  • Each workspace has its own role objects, and workspaces are isolated from one another.
  • A cluster can contain multiple workspaces.
  • Each workspace can hold projects and DevOps projects that belong to it.
  • KubeSphere ships several built-in roles at every level.
  • This hierarchy suits enterprises with multiple teams or organizations, each with different roles inside the team.

KubeSphere's default roles

Built-in role       Description
workspaces-manager  Workspace administrator; manages all workspaces on the platform.
users-manager       User administrator; manages all users on the platform.
platform-regular    Ordinary platform user; has no rights to operate on resources until invited into a workspace or cluster.
platform-admin      Platform administrator; can manage every resource on the platform.

Note

Built-in roles are created automatically by KubeSphere and cannot be edited or deleted.

3. Tenant management practice

3.1 Creating the user administrator account

The first account created is xiaozhong-users-manager, which is given the users-manager role. That role is the user administrator: it can only manage the platform's users and cannot manage any other resources.

  • Step 1: After logging in to the console, click Platform Management in the upper left corner, then select Access Control.

  • Step 2: Under Account Management, click Create. In the pop-up window, fill in all the required fields (marked with *) and select users-manager in the Role field.

When you are done, click OK. The newly created account appears in the account list under Account Management.

3.2 Creating further accounts as xiaozhong-users-manager

Log out of admin and log in to the system again as xiaozhong-users-manager.

Create the following four new accounts:

  1. Switch accounts: log in again as xiaozhong-users-manager and create the four accounts below, which are used in the later tutorials.

    Tip

    To log out, click the username in the upper right corner and select Log Out.

    Account          Role                Description
    ws-manager       workspaces-manager  Creates and manages all workspaces.
    ws-admin         platform-regular    Manages all resources in a given workspace (in this example it is used to invite new members into the workspace).
    project-admin    platform-regular    Creates and manages projects and DevOps projects, and invites new members to join them.
    project-regular  platform-regular    Will be invited by project-admin into a project or DevOps project; used to create workloads, pipelines and other resources in that project.

View the four accounts created:

3.3 Creating a workspace with the ws-manager account

A workspace:

  • is the basic logical unit for managing projects, DevOps projects and organization members;
  • is the foundation of KubeSphere's multi-tenant system;
  • can be thought of as a team within a company, or a subsidiary.

Log in to KubeSphere as ws-manager, which has the authority to manage all workspaces on the platform!

Click Platform Management in the upper left corner and select Access Control. Under Workspaces only the default workspace, system-workspace, is listed; it runs the system components and services, and:

  • the workspace cannot be deleted;
  • its member accounts cannot be added, removed or changed.

Click Create on the right, name the new workspace demo-workspace, and set the user ws-admin as the workspace administrator, as shown below:

3.4 ws-admin logs in to the workspace and invites members

1: Log in again as ws-admin. In Workspace Settings, select Workspace Members and then click Invite Member.

2: Invite project-admin and project-regular into the workspace and grant them the workspace-self-provisioner and workspace-viewer roles respectively.

3: Add project-admin and project-regular to the workspace and click OK. Under Workspace Members you can now see all three members listed.

Account and role relationship:

Account          Role                        Description
ws-admin         workspace-admin             Manages all resources in the given workspace (in this example it is used to invite new members into the workspace).
project-admin    workspace-self-provisioner  Creates and manages projects and DevOps projects, and invites new members to join them.
project-regular  workspace-viewer            Will be invited by project-admin into a project or DevOps project; used to create workloads, pipelines and other resources in that project.
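The three-level hierarchy from section 2 and the role tables in sections 2, 3.2 and 3.4 can be checked mechanically. The Python below is an added example, not code from this post or from KubeSphere: it records each account's bindings at cluster, workspace or project scope and answers "can this user do this here?" by checking whether any of the user's bindings sits at a scope that contains the requested one. The verb/resource pairs per role, and the project-level admin binding that project-admin gets as the project's creator, are simplified assumptions rather than KubeSphere's real role templates; the scope-containment rule is the point.

```python
"""Toy scope model of KubeSphere's three-level tenancy (cluster > workspace > project).

Added example, not the post's or KubeSphere's own code. Role contents are an
assumption; only the containment logic is meant to be taken literally.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Scope:
    """Both None = cluster; project None = whole workspace; both set = one project."""
    workspace: Optional[str] = None
    project: Optional[str] = None

    def contains(self, other: "Scope") -> bool:
        # A cluster-level grant covers everything; a workspace-level grant covers
        # only that workspace and the projects inside it; a project-level grant
        # covers that project alone. Sibling workspaces never overlap.
        if self.workspace is None:
            return True
        if self.workspace != other.workspace:
            return False
        return self.project is None or self.project == other.project


CLUSTER = Scope()
DEMO_WS = Scope("demo-workspace")
DEMO_PROJECT = Scope("demo-workspace", "demo-project")

# Assumed (simplified) permissions per role as (verb, resource); "*" is a wildcard.
ROLES = {
    "platform-admin": {("*", "*")},
    "users-manager": {("create", "users"), ("delete", "users")},
    "workspaces-manager": {("create", "workspaces"), ("delete", "workspaces")},
    "platform-regular": set(),  # nothing until invited somewhere
    "workspace-admin": {("invite", "members"), ("create", "projects"),
                        ("delete", "projects"), ("create", "workloads")},
    "workspace-self-provisioner": {("create", "projects")},
    "workspace-viewer": {("view", "projects")},
    "admin": {("invite", "members"), ("create", "workloads")},  # project creator (assumed)
    "operator": {("create", "workloads"), ("create", "pipelines")},
}


@dataclass(frozen=True)
class Binding:
    user: str
    role: str
    scope: Scope


# The bindings this walkthrough ends up with.
BINDINGS = [
    Binding("admin", "platform-admin", CLUSTER),
    Binding("xiaozhong-users-manager", "users-manager", CLUSTER),
    Binding("ws-manager", "workspaces-manager", CLUSTER),
    Binding("ws-admin", "workspace-admin", DEMO_WS),
    Binding("project-admin", "workspace-self-provisioner", DEMO_WS),
    Binding("project-admin", "admin", DEMO_PROJECT),
    Binding("project-regular", "workspace-viewer", DEMO_WS),
    Binding("project-regular", "operator", DEMO_PROJECT),
]


def can(user: str, verb: str, resource: str, scope: Scope, bindings=BINDINGS) -> bool:
    """True if some binding of `user` at a scope containing `scope` permits (verb, resource)."""
    for b in bindings:
        if b.user != user or not b.scope.contains(scope):
            continue
        for v, r in ROLES[b.role]:
            if v in ("*", verb) and r in ("*", resource):
                return True
    return False


def audit(user: str, bindings=BINDINGS):
    """Every (verb, resource, scope) the user holds, for a quick permission review."""
    rows = [(v, r, b.scope) for b in bindings if b.user == user for v, r in ROLES[b.role]]
    return sorted(rows, key=lambda t: (t[0], t[1], str(t[2])))


if __name__ == "__main__":
    for u in ("ws-manager", "ws-admin", "project-admin", "project-regular"):
        print(u, audit(u))
    print("project-regular in another project:",
          can("project-regular", "create", "workloads", Scope("demo-workspace", "other-project")))
```

The cases worth running are the boundaries the post is drawing: ws-manager can create workspaces but cannot create projects inside one, project-regular can create workloads only in demo-project and cannot invite members anywhere, and ws-admin's workspace-admin binding reaches into demo-project but not into a different workspace.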

3.5 project-admin creates the project

Use the project-admin account created in the previous step to create a project. A project in KubeSphere is identical to a namespace in Kubernetes and provides virtual isolation of resources.

1: Log in to KubeSphere as project-admin and click Create under Project Management.

2: Enter a project name (for example, demo-project) and click OK to finish. You can also add an alias and a description for the project.

3: Under Project Management, click the newly created project to view its details.

4: No project quota is set by default on the project overview page. Click Settings and specify resource requests and limits as needed (for example, CPU and memory limits of 1 Core and 1000Gi respectively).

5: Invite project-regular into the project and assign it the operator role. See the figure below for details.

A user with the operator role is a project maintainer who can manage every resource in the project except users and roles.

6: Before creating an application route (an Ingress in Kubernetes), you need to enable the gateway for the project. The gateway is an NGINX Ingress controller running inside the project. To set it up, go to Advanced Settings under Project Settings and click Set Gateway. This step is still done as project-admin.

PS: This is where these concepts map onto Services in our K8s clusters, so it is worth understanding them in practice.

7: Select NodePort and click Save.

8: For access from outside the cluster, the page now shows the gateway address and the HTTP/HTTPS ports.

Note

To expose the service with a LoadBalancer you need the cloud vendor's LoadBalancer plug-in. If your Kubernetes cluster runs on bare metal, PorterLB is the recommended LoadBalancer plug-in.
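Behind the console clicks in 3.5, KubeSphere creates ordinary Kubernetes objects, and those objects are what an auditor should verify with kubectl rather than trusting the UI. The Python below is an added example, not the post's or KubeSphere's own code: it builds the native equivalents of steps 2, 4 and 5 (a Namespace, a ResourceQuota with the 1 Core / 1000Gi limits, and a RoleBinding giving project-regular the operator role) as JSON that kubectl apply -f - accepts, and parses a ResourceQuota status into remaining headroom. The label key kubesphere.io/workspace and the namespaced Role named operator are assumptions about what KubeSphere creates, the quota status is a constructed sample, and the gateway of steps 6 to 8 is left to the console.

```python
"""Native-Kubernetes view of the project set-up in section 3.5.

Added example, not the post's or KubeSphere's own code. Emits manifests as JSON
(kubectl accepts JSON as well as YAML) and evaluates quota headroom offline.
"""
import json
import re

WORKSPACE = "demo-workspace"
PROJECT = "demo-project"


def namespace_manifest(project=PROJECT, workspace=WORKSPACE):
    # Step 2: a project is a namespace; the workspace label is an assumption
    # about how KubeSphere ties the namespace to its workspace.
    return {"apiVersion": "v1", "kind": "Namespace",
            "metadata": {"name": project,
                         "labels": {"kubesphere.io/workspace": workspace}}}


def quota_manifest(project=PROJECT, cpu="1", memory="1000Gi"):
    # Step 4: limits of 1 Core and 1000Gi for the whole project.
    return {"apiVersion": "v1", "kind": "ResourceQuota",
            "metadata": {"name": "default", "namespace": project},
            "spec": {"hard": {"limits.cpu": cpu, "limits.memory": memory}}}


def rolebinding_manifest(user="project-regular", role="operator", project=PROJECT):
    # Step 5: project-regular is an operator in this namespace only; the Role
    # named "operator" existing in the namespace is an assumption.
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
            "metadata": {"name": f"{user}-{role}", "namespace": project},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "Role", "name": role},
            "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                          "kind": "User", "name": user}]}


def manifest_list():
    """All three objects as one v1/List, ready for `kubectl apply -f -`."""
    return {"apiVersion": "v1", "kind": "List",
            "items": [namespace_manifest(), quota_manifest(), rolebinding_manifest()]}


# Kubernetes quantity suffixes: decimal SI and binary (Ki, Mi, ...) plus milli.
_SUFFIX = {"": 1, "m": 1e-3, "k": 1e3, "M": 1e6, "G": 1e9, "T": 1e12,
           "Ki": 2 ** 10, "Mi": 2 ** 20, "Gi": 2 ** 30, "Ti": 2 ** 40}
_QTY = re.compile(r"^([0-9]+(?:\.[0-9]+)?)(m|k|M|G|T|Ki|Mi|Gi|Ti)?$")


def parse_quantity(q):
    """Convert a Kubernetes quantity string ('500m', '1000Gi') to a float in base units."""
    m = _QTY.match(q)
    if not m:
        raise ValueError(f"unsupported quantity: {q}")
    return float(m.group(1)) * _SUFFIX[m.group(2) or ""]


def quota_headroom(quota_obj):
    """From a ResourceQuota object (as `kubectl get quota -o json` returns it),
    return {resource: fraction of the hard limit still unused}."""
    hard = quota_obj["status"]["hard"]
    used = quota_obj["status"].get("used", {})
    out = {}
    for res, limit in hard.items():
        lim = parse_quantity(limit)
        u = parse_quantity(used.get(res, "0"))
        out[res] = 1.0 - u / lim if lim else 0.0
    return out


# Constructed sample of the status block after some workloads are running.
SAMPLE_QUOTA_STATUS = {
    "status": {"hard": {"limits.cpu": "1", "limits.memory": "1000Gi"},
               "used": {"limits.cpu": "750m", "limits.memory": "250Gi"}}}


if __name__ == "__main__":
    print(json.dumps(manifest_list(), indent=2))
```

Run it as a cluster admin with `python3 project.py | kubectl apply -f -`, then compare against what the console produced with `kubectl get resourcequota,rolebindings -n demo-project -o yaml`, and confirm the binding from the user's side with `kubectl auth can-i create deployments -n demo-project --as=project-regular` (expected yes) against `--as=project-regular -n some-other-project` (expected no). Feeding the live quota JSON into quota_headroom is a cheap check that a tenant is not about to hit the limit set in step 4.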

3.6 Customizing role permissions

1: Log in as admin (the default super-administrator account).

2: Assign role permissions.

3: Assign the permissions.

Conclusion

The reason the tenant management system splits things into so many accounts is to draw boundaries around user permissions and prevent users from overstepping them!

The above is just my own study and practice notes, combined with my actual needs. If there are clerical errors, criticism and corrections are welcome! Thank you!
