docs: progress on workspace refactor
lennessyy committed Dec 15, 2024
1 parent 3c88d50 commit eb13bbb
Showing 4 changed files with 145 additions and 10 deletions.
78 changes: 68 additions & 10 deletions docs/docs-content/workspace/workspace-mgmt/configure-rbac.md
Expand Up @@ -17,16 +17,21 @@ workspaces, and Edge hosts and its subjects are Palette users. Workspace RBAC is
model. It regulates access to Kubernetes objects in the clusters encompassed by the workspace, and its subjects are
Kubernetes users, groups and service accounts.

| | Workspace RBAC | Palette RBAC |
| --------------------- | ----------------------------------------------- | -------------------------------------------------------- |
| Access control domain | Kubernetes clusters in the workspace. | Palette resources. |
| Subjects | Kubernetes users, groups, and service accounts. | Palette users and teams |
| Example resources | ConfigMaps, Secrets, Pods, StatefulSets, etc. | Cluster profiles, clusters, workspaces, Edge hosts, etc. |
| | Workspace RBAC | Palette RBAC |
| --------------------- | -------------------------------------------------------- | -------------------------------------------------------- |
| Access control domain | Kubernetes API objects in the clusters in the workspace. | Palette resources. |
| Subjects | Kubernetes users, groups, and service accounts. | Palette users and teams |
| Example resources | ConfigMaps, Secrets, Pods, StatefulSets, etc. | Cluster profiles, clusters, workspaces, Edge hosts, etc. |

## Create Role Bindings in Namespaces in All Clusters
## Create Workspace-Level Role Bindings

You can create role bindings in the namespaces that are included in your workspace across all the clusters in your
namespace or use Regular Expressions (regex) to create role bindings in all namespaces that match the regex.
By creating a workspace-level role binding, you create role bindings in the all clusters in the workspace in the
namespaces you choose. You can also use Regular Expressions (regex) to create role bindings in all namespaces that match
the regex.

For example, if you create a role binding that binds the cluster role `podReader` to the service account
`podReaderAccount` in the `default` namespace. Every cluster in your workspace will get a role binding that binds the
cluster role `podReader` to the service account `podReaderAccount` in that cluster's `default` namespace.

### Prerequisites

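Review bot: The new example paragraph under "Create Workspace-Level Role Bindings" is split into a fragment: "For example, if you create a role binding ... in the `default` namespace." ends with a period, so the "if" clause never completes. Join it to "Every cluster in your workspace will get ..." with a comma. The intro above it also reads "in the all clusters in the workspace", which should be "in all clusters in the workspace". Because a regex creates the binding in every namespace it matches, this section should also state how the pattern is matched, so readers can keep the grant no wider than intended.
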
Expand Down Expand Up @@ -85,6 +90,59 @@ namespace or use Regular Expressions (regex) to create role bindings in all name

3. On the left **Main Menu**, click **Workspaces**. Select your workspace.

4. Switch to the **Role Bindings** or **Cluster Role Bindings** tab.
4. Switch to the **Role Bindings** tab.

5. Search for entries that starts with **spectro-on-demand-**. Open the these entries to confirm that the role bindings
bind the expected role to the expected subject.

## Configure Cluster Role Binding in All Clusters

By creating a workspace-level cluster role binding, you create the same cluster role binding in every cluster in your
workspace.

For example, if you create a cluster role binding that binds the cluster role `podReader` to the service account
`podReaderAccount`, every cluster will get the role binding that binds the the cluster role `podReader` to the service
account `podReaderAccount`.

### Prerequisites

- An existing workspace. Refer to [Create a Workspace](../adding-a-new-workspace.md) to learn how to create a workspace.

- You are logged in as a Palette user that has the permission to modify workspaces. For more information, refer to
[Permissions](../../user-management/palette-rbac/permissions.md).

### Procedure

1. Log in to [Palette](https://console.spectrocloud.com).

2. In the **Drop-Down Menu** at the top of the page, choose the project that has your workspace.

3. On the left **Main Menu**, click **Workspaces**.

4. Click on the workspace you want to update.

5. In the upper-right corner, click **Settings**. Then click **Clusters**.

6. Click **Add New Binding**.

7. In the **Cluster Role name** field, enter the name of the cluster role. In the **Subjects** field, enter the type and
name of the subject. You can enter as many subjects as you need.

As is with role bindings, neither the cluster role nor the subjects referenced need to exist when you create the
cluster role binding. However, you must make create them in each cluster. Otherwise, the cluster role binding will
have no effect.

8. Click **Confirm**.

### Validate

1. Log in to [Palette](https://console.spectrocloud.com).

2. In the **Drop-Down Menu** at the top of the page, choose the project that has your workspace.

3. On the left **Main Menu**, click **Workspaces**. Select your workspace.

4. Switch to the **Cluster Role Bindings** tab.

5. Search for an entry that starts with **spectro-on-demand-**.
5. Search for entries that starts with **spectro-on-demand-**. Open the these entries to confirm that the role bindings
bind the expected role to the expected subject.
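Review bot: In step 7 of the new cluster role binding procedure, "However, you must make create them in each cluster" is garbled, and "you must create them in each cluster" is probably what was meant. The same note says the cluster role and subjects need not exist when the binding is created, so it is worth adding that the binding takes effect as soon as a cluster role and subject with those names exist in a cluster, which matters for a cluster-wide grant pushed to every cluster in the workspace. Smaller wording fixes in this hunk: "binds the the cluster role", "every cluster will get the role binding" (should be "cluster role binding"), and "Search for entries that starts with ... Open the these entries" in both Validate sections, where the second should also say "cluster role bindings".
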
@@ -0,0 +1,9 @@
---
sidebar_label: Delete Workspace"
title: Delete Workspace"
description: "Learn how to restrict certain images from being used by your workspace"
hide_table_of_contents: false
sidebar_custom_props:
icon: "workspaces"
tags: ["workspace"]
---
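Review bot: The `description` in this front matter, "Learn how to restrict certain images from being used by your workspace", does not match the "Delete Workspace" title and looks copied from the restrict-images page. Replace it with a description of deleting a workspace. `sidebar_label: Delete Workspace"` and `title: Delete Workspace"` also end with a quote that has no opening one, which leaves a stray quote character in the value. Quote both ends, as the `description` line does.
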
59 changes: 59 additions & 0 deletions docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md
@@ -0,0 +1,59 @@
---
sidebar_label: "Resource Management"
title: "Resource Management"
description: "Learn how to monitor workload resource consumption and implement resource quotas for your workspace."
hide_table_of_contents: false
sidebar_custom_props:
icon: "workspaces"
tags: ["workspace", "resource-management"]
---

Workspaces give you a unified view of resource consumption in specified namespaces across all clusters in the workspace.
Additionally, you can implement resource quotas for the workspace as a whole, or for individual namespaces.

## Monitor Resource Consumption

Workspaces allow you to view the workloads such as pods, deployments, daemon sets, and stateful sets in the namespaces
that comprise the workspace.

In the workspace details page, the landing **Namespaces** tab give you an overview of how much resources are consumed by
each namespace. The **CPU** and **Memory** column display the total CPU and memory consumed by the namespaces with the
same name in the entire workspace.

You can view more workloads by selecting the corresponding tab. For example, select the **Pods** tab if you want to
monitor pod workloads. Each tab will show you the CPU and memory consumption of the corresponding workload in the entire
workspace.

## Implement Resource Quotas

You can implement resource quotas on an entire workspace, as well as implement them on individual namespaces.

### Prerequisites

-

### Procedure

1. Log in to [Palette](https://console.spectrocloud.com).

2. In the **Drop-Down Menu** at the top of the page, choose the project that has your workspace.

3. On the left **Main Menu**, click **Workspaces**.

4. Click on the workspace you want to update.

5. Click **Settings** in the upper-right corner.

6. Click **Namespaces**.

7. Under **Workspace Quota**, you can specify the amount of CPU and memory that the entire workspace is allowed to
consume. The default value is 0, which imposes no limit.

8. If you want to limit resource use based on namespaces, enter the desired CPU and memory limit in the next to the
namespace entry.

You can impose the limit more granularly by expanding the namespace row and enter the limit on the namespace in one
particular cluster. You must ensure that resources alloted to individual namespaces do not exceed the workspace
quota.

### Validate
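Review bot: The "### Prerequisites" section contains only an empty "-" bullet and "### Validate" has no steps, so the quota procedure ships without its requirements or a way to confirm the result. Fill both in or drop the headings until the content is ready. In step 8, "enter the desired CPU and memory limit in the next to the namespace entry" is missing a noun (which fields?), "expanding the namespace row and enter" should be "entering", and "alloted" should be "allotted". Step 7 says the default value 0 imposes no limit, so step 8 should say how the rule that namespace allocations must not exceed the workspace quota applies when the workspace quota is left at 0.
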
9 changes: 9 additions & 0 deletions docs/docs-content/workspace/workspace-mgmt/restrict-images.md
@@ -0,0 +1,9 @@
---
sidebar_label: Restrict Container Images"
title: Restrict Container Images"
description: "Learn how to restrict certain images from being used by your workspace"
hide_table_of_contents: false
sidebar_custom_props:
icon: "workspaces"
tags: ["workspace"]
---
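Review bot: `sidebar_label: Restrict Container Images"` and `title: Restrict Container Images"` each end with a quote that has no opening one, which leaves a stray quote character in the value. Write both as "Restrict Container Images" with quotes on both ends, matching the `description` line. The file is also front matter only with no body, which is worth stating in the commit message if it is an intentional placeholder.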
