From b13643735b090cff5a51f41603d0d291c0908b46 Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Wed, 11 Dec 2024 15:01:18 -0800 Subject: [PATCH 01/21] docs: start working on the create page --- .../workspace/adding-a-new-workspace.md | 108 ++++++++++++------ docs/docs-content/workspace/workspace.md | 14 ++- 2 files changed, 82 insertions(+), 40 deletions(-) diff --git a/docs/docs-content/workspace/adding-a-new-workspace.md b/docs/docs-content/workspace/adding-a-new-workspace.md index bc52c7a142..2ee22e7ca7 100644 --- a/docs/docs-content/workspace/adding-a-new-workspace.md +++ b/docs/docs-content/workspace/adding-a-new-workspace.md 
@@ -8,30 +8,70 @@ sidebar_position: 0 tags: ["workspace"] --- -Palette enables multi-cluster management and governance capabilities by introducing Workspaces. This section explains -how a workspace can be created in the Palette console. +Palette enables multi-cluster management and governance capabilities by introducing Workspaces. This page teaches you +how to create a workspace in Palette. ## Prerequisites -- One or more running workload clusters within the project. -- Cluster must not be imported with read-only mode. -- RBAC should not be set at cluster level but to be included at workspace level. -- Palette Virtual Clusters cannot be part of the workspace. +- One or more active workload clusters within the project where the workspace is to be created. The clusters cannot be + imported in read-only mode. Palette virtual clusters also cannot be part of a workspace. +- You have the permission to create workspaces. For more information, refer to + [Permissions](../user-management/palette-rbac/permissions.md). ## Create Your Workspace -1. Add the Basic Information Provide the basic information for the workspace such as: +1. Log in to [Palette](https://console.spectrocloud.com). - - Unique Name - - Optional Description - - Optional Tag +2. In the **Drop-Down Menu** at the top of the page, choose the project you want to create the workspace in. Workspaces + are always scoped to a project. -2. Associate Clusters +3. On the left **Main Menu**, click **Workspaces**. Then click **New Workspace**. - - Select the clusters to be added to the workspace. (See [New Clusters](../clusters/clusters.md) to learn how to add - a new Cluster.) Palette clusters, as well as brownfield clusters, can be added to your workspace. +4. Add the Basic Information Provide the basic information for the workspace such as: - - Configure the Cluster Role Binding (optional). Role bindings can be created on all workspace clusters. + - **Name**. The workspace name must be unique in the project. 
+ - **Description**. An optional description for the workspace. + - **Tag**. Optional tags for the workspace. + + When you are finished, click **Next**. + +5. Choose clusters you want to include in the workspace. A cluster may be included in multiple workspaces. Refer to + [Create a Cluster](../clusters/clusters.md) to learn how to add a new cluster. + +6. On the **Clusters** page, you can optionally create cluster role bindings. To create a new cluster role binding, + click **Add New Binding**. Enter the name of the cluster role you want to reference in the cluster role binding. + + After specifying the role, you need to specify the subject to which the cluster role binding is applied to. Select + the subject type and then enter the name of the subject. The name of the subject must be the same as it is defined in + the cluster. + + :::info + + Unlike Palette RBAC, the users you reference here are Kubernetes user objects in the cluster, not users in your + Palette environment. + + ::: + + While this action will create the same role binding across all the clusters that are part of the workspace, it does + not define the cluster role nor the subject the role is bound to. You need to define the role yourself in each + cluster as well as define the subject the role is bound to exists. Otherwise, the cluster role binding will not have + any effect. + + :::info + + If the cluster role in each cluster has different permissions, then the subjects that the role is bound to will also + have different permissions across clusters, even though they have the same cluster role binding. The same applies to + namespace-scoped role bindings defined in the next step. + + ::: + +7. Select the namespaces you want to include in the workspace. If the a cluster that is part of your workspace has that + namespace, the namespace and all resources that are scoped within it will be included in the workspace. You may use + regular expressions to match the names of namespaces. + +8. 
After selecting the namespaces, you can specify resource limits that each + +9. - Configure the Cluster Role Binding (optional). Role bindings can be created on all workspace clusters. - As step 2 of the new Workspace creation, select **Add Cluster Role Binding**. - Provide the name of the role for which the cluster role binding needs to be created. The role should be @@ -44,25 +84,25 @@ how a workspace can be created in the Palette console. | **Group** | a valid path segment name | NA | | **Service Account** | a valid path segment name | Granting super-user access to all service accounts
cluster-wide is strongly discouraged. Hence, grant a
role to all service accounts in a namespace. | -3. Associate Namespaces - - - Enter one or more namespaces that need to be part of the workspace. The combination of workspace and cluster is - unique across workspaces in a project. Palette ensures that all the namespaces are created for all the clusters in - the workspaces, in case they are not pre-existing. - - Add the resource quota for the namespaces by specifying CPU and Memory limits (optional). - - Configure the Role Binding (optional). The following information is required for each role binding: - - Select a namespace name or the Regex for namespaces for selecting multiple namespaces. - - Specific name for the role which is pre-existing - - Make the selection of Subjects from the dropdown list (User, Group, or ServiceAccount). For the subject selected, - provide a valid path segment name. For the subject, ServiceAccount select namespace name as granting super-user - access to all service accounts cluster-wide is strongly discouraged due to security concerns. - - Confirm the information provided to complete the configuration of role binding. - -4. Settings - - - [Schedule Backups](../clusters/cluster-management/backup-restore/backup-restore.md) - set the backup and restore - policies. - - [Container Image](workload-features.md#restrict-container-images-to-a-workspace) - list out the container images to - be restricted within a Workspace namespace. +10. Associate Namespaces + + - Enter one or more namespaces that need to be part of the workspace. The combination of workspace and cluster is + unique across workspaces in a project. Palette ensures that all the namespaces are created for all the clusters in + the workspaces, in case they are not pre-existing. + - Add the resource quota for the namespaces by specifying CPU and Memory limits (optional). + - Configure the Role Binding (optional). 
The following information is required for each role binding: + - Select a namespace name or the Regex for namespaces for selecting multiple namespaces. + - Specific name for the role which is pre-existing + - Make the selection of Subjects from the dropdown list (User, Group, or ServiceAccount). For the subject + selected, provide a valid path segment name. For the subject, ServiceAccount select namespace name as granting + super-user access to all service accounts cluster-wide is strongly discouraged due to security concerns. + - Confirm the information provided to complete the configuration of role binding. + +11. Settings + + - [Schedule Backups](../clusters/cluster-management/backup-restore/backup-restore.md) - set the backup and restore + policies. + - [Container Image](workload-features.md#restrict-container-images-to-a-workspace) - list out the container images + to be restricted within a Workspace namespace. Review and finish the configuration and complete the deployment. diff --git a/docs/docs-content/workspace/workspace.md b/docs/docs-content/workspace/workspace.md index 9ec346057c..5a980cc4c8 100644 --- a/docs/docs-content/workspace/workspace.md +++ b/docs/docs-content/workspace/workspace.md 
@@ -8,12 +8,14 @@ sidebar_custom_props: tags: ["workspace"] --- -Palette extends its multi-cluster management and governance capabilities by introducing **Workspaces**. Workspaces -enable the logical grouping of clusters and namespaces to provide application or team-specific governance and visibility -into workloads, cost, and usage metrics. For example, the application or team workload may be deployed into namespaces -across clusters to achieve High Availability (HA), Disaster Recovery (DR), organization-specific placement policies, -etc. Grouping such namespaces and clusters into a workspace provide central management and governance in a multi-cluster -distributed environment. The following sections describe various aspects of multi-cluster management via workspaces. +A workspaces in Palette consists of a group of clusters and namespaces and the resources scoped in those clusters and +namespaces. Using workspaces enables you to provide application or team-specific governance and visibility into +workloads, cost, and usage metrics. For example, the application or team workload may be deployed into namespaces across +clusters to achieve High Availability (HA), Disaster Recovery (DR), or other organization-specific placement policies. +Grouping such namespaces and clusters into a workspace provide central management and governance in a multi-cluster +distributed environment. + +The following sections describe various aspects of multi-cluster management via workspaces. ## Namespace Management From 780579bc84455e8dfac2bf1b8300b70418e65a15 Mon Sep 17 00:00:00 2001 
From: Lenny Chen Date: Fri, 13 Dec 2024 12:44:42 -0800 Subject: [PATCH 02/21] docs: more workspace refactor work --- .../workspace/adding-a-new-workspace.md | 91 ++++++++++++------- .../workspace-mgmt/configure-rbac.md | 90 ++++++++++++++++++ .../workspace-mgmt/delete-workspace.md | 0 .../workspace/workspace-mgmt/resource-mgmt.md | 0 .../workspace-mgmt/restrict-images.md | 0 docs/docs-content/workspace/workspace.md | 60 +++++------- 6 files changed, 171 insertions(+), 70 deletions(-) create mode 100644 docs/docs-content/workspace/workspace-mgmt/configure-rbac.md create mode 100644 docs/docs-content/workspace/workspace-mgmt/delete-workspace.md create mode 100644 docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md create mode 100644 docs/docs-content/workspace/workspace-mgmt/restrict-images.md diff --git a/docs/docs-content/workspace/adding-a-new-workspace.md b/docs/docs-content/workspace/adding-a-new-workspace.md index 2ee22e7ca7..bc9c370349 100644 --- a/docs/docs-content/workspace/adding-a-new-workspace.md +++ b/docs/docs-content/workspace/adding-a-new-workspace.md @@ -9,7 +9,7 @@ tags: ["workspace"] --- Palette enables multi-cluster management and governance capabilities by introducing Workspaces. This page teaches you -how to create a workspace in Palette. +how to create a workspace in Palette. All workspace settings can be updated after creation. ## Prerequisites 
@@ -65,44 +65,69 @@ how to create a workspace in Palette. ::: -7. Select the namespaces you want to include in the workspace. If the a cluster that is part of your workspace has that - namespace, the namespace and all resources that are scoped within it will be included in the workspace. You may use - regular expressions to match the names of namespaces. +7. Enter the namespaces you want to include in the workspace. If the a cluster that is part of your workspace has that + namespace, the namespace and all resources that are scoped within it will be included in the workspace. If any + cluster in the workspace is missing the namespace you entered, the namespace will be created on that cluster. You + must use the names of the namespaces exactly, not regular expressions. The regular expression entries are only used + for creating role bindings in a later step. -8. After selecting the namespaces, you can specify resource limits that each +8. After selecting the namespaces, you can specify resource limits that the workspace is allowed to consume in the + **Workspace Quota** section. The **Maximum CPU** and **Maximum Memory** allow you to specif the maximum amount of CPU + cores and memory that all resources in the entire workspace are allowed to consume. -9. - Configure the Cluster Role Binding (optional). Role bindings can be created on all workspace clusters. + You may also specify resource limits on specific namespaces. When you specify a namespace-based limit, it means that + namespace can get the resources you configured in each cluster. - - As step 2 of the new Workspace creation, select **Add Cluster Role Binding**. - - Provide the name of the role for which the cluster role binding needs to be created. The role should be - pre-existing or an in-built system role. Palette does not create cluster roles. - - Subjects for the cluster role binding can be groups, users, or service accounts. 
+ For example, if you have two clusters `cluster1` and `cluster2`, and they each have a namespace called `default`. If + you impose a 2Gi memory limit on the namespace default, then the `default` namespace in both clusters will be able to + consume 2 Gi memory each. You must ensure that the namespaced-limits, when added together, do not exceed the total + workspace limit you configured. If we continue with the previous example, you imposed a workspace quota of 4 Gi + memory, then the `default` namespace cannot have more than 2 Gi of memory, since they are two such namespaces in the + workspace and both of them added together are allowed 4 Gi of memory. - | **Subject Type** | **Subject Name** | **Subject Namespace** | - | ------------------- | ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | - | **User** | a valid path segment name | NA | - | **Group** | a valid path segment name | NA | - | **Service Account** | a valid path segment name | Granting super-user access to all service accounts
cluster-wide is strongly discouraged. Hence, grant a
role to all service accounts in a namespace. | +9. On the same **Namsespaces** page, you can optionally configure role bindings. When you configure a role binding for a + namespace, you are configuring the same role binding in that namespace in every cluster. Like in Kubernetes, you can + use either a role or a cluster role in a role binding. Similar to cluster role bindings, this action does not create + the roles or the subject for you. You must ensure that the corresponding role and subject referenced in the role + binding exists in the namespaces you configured. -10. Associate Namespaces + You can use Regular Expressions (regex) to create role bindings in multiple namespaces that match a certain pattern. + To do so, enter the regex in the namespace field. For example, `/palette-.*/` will match all namespaces that start + with `palette-`. When creating the role binding, you can select the regex as the namespace. - - Enter one or more namespaces that need to be part of the workspace. The combination of workspace and cluster is - unique across workspaces in a project. Palette ensures that all the namespaces are created for all the clusters in - the workspaces, in case they are not pre-existing. - - Add the resource quota for the namespaces by specifying CPU and Memory limits (optional). - - Configure the Role Binding (optional). The following information is required for each role binding: - - Select a namespace name or the Regex for namespaces for selecting multiple namespaces. - - Specific name for the role which is pre-existing - - Make the selection of Subjects from the dropdown list (User, Group, or ServiceAccount). For the subject - selected, provide a valid path segment name. For the subject, ServiceAccount select namespace name as granting - super-user access to all service accounts cluster-wide is strongly discouraged due to security concerns. - - Confirm the information provided to complete the configuration of role binding. 
+ :::info + + Regex entries in the **Namespaces** field do not add the namespaces that match the regex to the workspace. You will + not be able to monitor resource usage, impose resource limits, or create backups unless you specifically add a + namespace by its name. + + ::: + + When you are finished, click **Next**. + +10. In the **Setting** page, you can schedule backups for select namespaces. These backups are created for each cluster + in the workspace. + + Like cluster backups in Palette, restoring a backup requires the source cluster to be available. When you restore a + back up, the namespaces that are backed up are restored to each cluster in the workspace. If you delete a cluster + from the workspace, that cluster's backup will not be restored. + + For more information about backups, refer to + [Backup and Restore](../clusters/cluster-management/backup-restore/backup-restore.md) + +11. Lastly, you can restrict certain container images from being loaded in the namespaces that are managed by the + workspace. To restrict images from being loaded by resources in a namespace, click **Add New Container Image**. + Select a namespace you want to restrict the image in, and enter the image URLs in a comma-separated list. When you + are done, click **Next**. + +12. Review your configurations and click **Finish Configuration** to create the workspace. + +## Validate + +1. Log in to [Palette](https://console.spectrocloud.com). -11. Settings +2. In the **Drop-Down Menu** at the top of the page, choose the project you created the workspace in. - - [Schedule Backups](../clusters/cluster-management/backup-restore/backup-restore.md) - set the backup and restore - policies. - - [Container Image](workload-features.md#restrict-container-images-to-a-workspace) - list out the container images - to be restricted within a Workspace namespace. +3. On the left **Main Menu**, click **Workspaces**. -Review and finish the configuration and complete the deployment. +4. 
Confirm the workspace has been created with the right configurations. diff --git a/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md b/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md new file mode 100644 index 0000000000..57f8f35ce0 --- /dev/null +++ b/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md 
@@ -0,0 +1,90 @@ +--- +sidebar_label: "Configure RBAC in Workspaces" +title: "Configure RBAC in Workspaces" +description: "Learn how to configure RBAC in workspaces." +hide_table_of_contents: false +sidebar_custom_props: + icon: "workspaces" +tags: ["workspace", "rbac"] +--- + +Workspaces extends Kubernetes' native Role-Based Access Control (RBAC) model to allow you to create role bindings and +cluster role bindings at the workspace level, unifying authorization across different clusters. This page teaches you +how to create workspace-level role bindings and cluster role bindings. + +RBAC in workspaces is distinct from Palette RBAC. Palette RBAC regulates access to Palette resources such as clusters, +workspaces, and Edge hosts and its subjects are Palette users. Workspace RBAC is an extension of Kubernetes' native RBAC +model. It regulates access to Kubernetes objects in the clusters encompassed by the workspace, and its subjects are +Kubernetes users, groups and service accounts. + +| | Workspace RBAC | Palette RBAC | +| --------------------- | ----------------------------------------------- | -------------------------------------------------------- | +| Access control domain | Kubernetes clusters in the workspace. | Palette resources. | +| Subjects | Kubernetes users, groups, and service accounts. | Palette users and teams | +| Example resources | ConfigMaps, Secrets, Pods, StatefulSets, etc. | Cluster profiles, clusters, workspaces, Edge hosts, etc. | + +## Create Role Bindings in Namespaces in All Clusters + +You can create role bindings in the namespaces that are included in your workspace across all the clusters in your +namespace or use Regular Expressions (regex) to create role bindings in all namespaces that match the regex. + +### Prerequisites + +- An existing workspace. Refer to [Create a Workspace](../adding-a-new-workspace.md) to learn how to create a workspace. + +- You are logged in as a Palette user that has the permission to modify workspaces. 
For more information, refer to + [Permissions](../../user-management/palette-rbac/permissions.md). + +### Procedure + +1. Log in to [Palette](https://console.spectrocloud.com). + +2. In the **Drop-Down Menu** at the top of the page, choose the project that has your workspace. + +3. On the left **Main Menu**, click **Workspaces**. + +4. Click on the workspace you want to update. + +5. In the upper-right corner, click **Settings**. Then click **Namespaces**. + +6. If the namespace where you want to include are already in the workspace, skip this step. + + At the top of the page, enter the namespace you want to create the role bindings in. Note that doing so will include + the namespace in the workspace and Palette users who have access to this workspace will be able to see its workloads + and resource consumption. + + Alternatively, enter a regex that match the namespaces where you want to create the role binding. Using regex will + not include all the namespaces that match the regex in the namespace. It will still allow you to create the role + bindings, but the workloads in those namespaces will not be visible. + +7. Click **Add New Binding**. + +8. In the **Namespace** field, select a namespace or the regex. Then enter the **Role type** and **Role name**. As is in + Kubernetes, you can use either a role or a cluster role to create a role binding. If you use a cluster role, the + privilege of the cluster role will still be limited to the namespace where the role binding exists only. + + :::info + + This action only creates the role bindings, but does not create the role or the subject referenced in the role + binding. Kubernetes allows you to create role bindings without creating the role or the subject, but the role binding + will have no effect until it can match with a role and a subject. You must make sure to create the role and the + subject in the namespaces or clusters yourself. + + ::: + +9. 
Then in the **Subject** fields, choose the type of the subject and enter the subject name. You can enter as many + subjects as you need. + +10: Click **Confirm**. + +### Validate + +1. Log in to [Palette](https://console.spectrocloud.com). + +2. In the **Drop-Down Menu** at the top of the page, choose the project that has your workspace. + +3. On the left **Main Menu**, click **Workspaces**. Select your workspace. + +4. Switch to the **Role Bindings** or **Cluster Role Bindings** tab. + +5. Search for an entry that starts with **spectro-on-demand-**. diff --git a/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md b/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md new file mode 100644 index 0000000000..e69de29bb2 diff --git a/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md b/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md new file mode 100644 index 0000000000..e69de29bb2 diff --git a/docs/docs-content/workspace/workspace-mgmt/restrict-images.md b/docs/docs-content/workspace/workspace-mgmt/restrict-images.md new file mode 100644 index 0000000000..e69de29bb2 diff --git a/docs/docs-content/workspace/workspace.md b/docs/docs-content/workspace/workspace.md index 5a980cc4c8..0ac0a591b5 100644 --- a/docs/docs-content/workspace/workspace.md +++ b/docs/docs-content/workspace/workspace.md 
@@ -17,49 +17,35 @@ distributed environment. The following sections describe various aspects of multi-cluster management via workspaces. -## Namespace Management +## Namespace and Resource Management -Workspaces automate the creation and deletion of namespaces common to all clusters within the workspace. A workspace can -hold a set of namespaces. Spectro Cloud Palette will periodically reconcile the workspace definition and add/remove -namespaces if required from all clusters part of the workspace. +Workspaces in Spectro Cloud Palette automate the creation and management of namespaces across all clusters in the +workspace. This includes: -## Quota Control +- **Namespace Creation**: Creating namespaces across all clusters in your workspace if a cluster does not have a + specified namespace. +- **Resource Quotas**: Defining and enforcing CPU and memory usage limits within namespaces, applied uniformly across + all clusters in the workspace. -Usage quota in terms of CPU and memory usage limits is specified within the namespaces. Spectro Cloud Palette sets the -specified limits across all the clusters in the namespaces. +## Centralized Access Control -## Role Based Access Control(RBAC) +Workspaces simplify Role-Based Access Control (RBAC) by centralizing management of role bindings and cluster role +bindings. You can specifying role bindings and cluster role bindings within the workspace to automatically apply them to +all clusters, ensuring consistent and secure access policies across all clusters in a workspace. -Role bindings and cluster role bindings are specified within workspaces. Furthermore, these role bindings and cluster -role bindings are created in every cluster within the workspaces, thus enabling centralized RBAC. 
+## Visibility and Insights -## Utilization +Workspaces enhance operational visibility and provide actionable insights through: -Spectro Cloud Palette reports detailed resource utilization of workloads deployed in all the namespaces in the workspace -across clusters. In addition, the CPU and memory usage trends within the workspace provide valuable insights into the -consumption patterns of an application distributed across clusters. +- **Workload Visibility**: A centralized workload browser aggregates and displays workloads (pods, deployments, jobs, + stateful sets, etc.) across all namespaces and clusters in the workspace. +- **Resource Utilization**: Detailed reporting on CPU and memory usage trends across clusters to understand consumption + patterns. +- **Cost Attribution**: Calculating costs for workloads based on resource utilization, enabling internal charge-back or + show-back for teams or applications. -## Cost Attribution +## Backup and Disaster Recovery -Spectro Cloud Palette computes utilization costs for workloads deployed in all the namespaces that are part of the -workspace across all the clusters based on the detailed resource utilization data. This can be used for internal -charge-back or show-back purposes to determine the cost incurred by an application or team. - -## Workload Visibility - -Workspaces provide a workload browser to view all the workloads such as pods, deployment, jobs, stateful sets, etc., -deployed in all the namespaces that are part of the workspace across all the clusters. The workload browser aggregates -resources across clusters from relevant namespaces and presents them with centralized visibility. - -## Backup and Restore - -A workspace-based backup is similar to a cluster backup, with the additional coverage of multiple clusters, should the -workspace include more than one. 
The prerequisites and detailed instructions to backup and restore clusters are -specified on the [Backup and Restore](../clusters/cluster-management/backup-restore/backup-restore.md) page. - -## Regex for Namespaces - -Palette leverages [Regex Pattern matching](workload-features.md#regex-for-namespaces) to select multiple namespaces to -apply Role binding concurrently. When we have many namespaces to be configured for role binding, the user can provide a -Regex pattern matching multiple namespaces instead of giving a single namespace. This will help select all the -namespaces matching the given Regex pattern to be selected together for role binding. > +**Workspace-Based Backup**: extends cluster-level backups to include namespaces in all clusters within a workspace. For +detailed prerequisites and instructions, refer to the +[Backup and Restore](../clusters/cluster-management/backup-restore/backup-restore.md) page. From eb13bbb3c9af88bf2756ebca116acc2849d9d405 Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Sat, 14 Dec 2024 23:03:59 -0800 Subject: [PATCH 03/21] docs: progress on workspace refactor --- .../workspace-mgmt/configure-rbac.md | 78 ++++++++++++++++--- .../workspace-mgmt/delete-workspace.md | 9 +++ .../workspace/workspace-mgmt/resource-mgmt.md | 59 ++++++++++++++ .../workspace-mgmt/restrict-images.md | 9 +++ 4 files changed, 145 insertions(+), 10 deletions(-) diff --git a/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md b/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md index 57f8f35ce0..971e298c5b 100644 --- a/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md +++ b/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md 
@@ -17,16 +17,21 @@ workspaces, and Edge hosts and its subjects are Palette users. Workspace RBAC is model. It regulates access to Kubernetes objects in the clusters encompassed by the workspace, and its subjects are Kubernetes users, groups and service accounts. -| | Workspace RBAC | Palette RBAC | -| --------------------- | ----------------------------------------------- | -------------------------------------------------------- | -| Access control domain | Kubernetes clusters in the workspace. | Palette resources. | -| Subjects | Kubernetes users, groups, and service accounts. | Palette users and teams | -| Example resources | ConfigMaps, Secrets, Pods, StatefulSets, etc. | Cluster profiles, clusters, workspaces, Edge hosts, etc. | +| | Workspace RBAC | Palette RBAC | +| --------------------- | -------------------------------------------------------- | -------------------------------------------------------- | +| Access control domain | Kubernetes API objects in the clusters in the workspace. | Palette resources. | +| Subjects | Kubernetes users, groups, and service accounts. | Palette users and teams | +| Example resources | ConfigMaps, Secrets, Pods, StatefulSets, etc. | Cluster profiles, clusters, workspaces, Edge hosts, etc. | -## Create Role Bindings in Namespaces in All Clusters +## Create Workspace-Level Role Bindings -You can create role bindings in the namespaces that are included in your workspace across all the clusters in your -namespace or use Regular Expressions (regex) to create role bindings in all namespaces that match the regex. +By creating a workspace-level role binding, you create role bindings in the all clusters in the workspace in the +namespaces you choose. You can also use Regular Expressions (regex) to create role bindings in all namespaces that match +the regex. + +For example, if you create a role binding that binds the cluster role `podReader` to the service account +`podReaderAccount` in the `default` namespace. 
Every cluster in your workspace will get a role binding that binds the +cluster role `podReader` to the service account `podReaderAccount` in that cluster's `default` namespace. ### Prerequisites 
@@ -85,6 +90,59 @@ namespace or use Regular Expressions (regex) to create role bindings in all name 3. On the left **Main Menu**, click **Workspaces**. Select your workspace. -4. Switch to the **Role Bindings** or **Cluster Role Bindings** tab. +4. Switch to the **Role Bindings** tab. + +5. Search for entries that starts with **spectro-on-demand-**. Open the these entries to confirm that the role bindings + bind the expected role to the expected subject. + +## Configure Cluster Role Binding in All Clusters + +By creating a workspace-level cluster role binding, you create the same cluster role binding in every cluster in your +workspace. + +For example, if you create a cluster role binding that binds the cluster role `podReader` to the service account +`podReaderAccount`, every cluster will get the role binding that binds the the cluster role `podReader` to the service +account `podReaderAccount`. + +### Prerequisites + +- An existing workspace. Refer to [Create a Workspace](../adding-a-new-workspace.md) to learn how to create a workspace. + +- You are logged in as a Palette user that has the permission to modify workspaces. For more information, refer to + [Permissions](../../user-management/palette-rbac/permissions.md). + +### Procedure + +1. Log in to [Palette](https://console.spectrocloud.com). + +2. In the **Drop-Down Menu** at the top of the page, choose the project that has your workspace. + +3. On the left **Main Menu**, click **Workspaces**. + +4. Click on the workspace you want to update. + +5. In the upper-right corner, click **Settings**. Then click **Clusters**. + +6. Click **Add New Binding**. + +7. In the **Cluster Role name** field, enter the name of the cluster role. In the **Subjects** field, enter the type and + name of the subject. You can enter as many subjects as you need. + + As is with role bindings, neither the cluster role nor the subjects referenced need to exist when you create the + cluster role binding. 
However, you must make create them in each cluster. Otherwise, the cluster role binding will + have no effect. + +8. Click **Confirm**. + +### Validate + +1. Log in to [Palette](https://console.spectrocloud.com). + +2. In the **Drop-Down Menu** at the top of the page, choose the project that has your workspace. + +3. On the left **Main Menu**, click **Workspaces**. Select your workspace. + +4. Switch to the **Cluster Role Bindings** tab. -5. Search for an entry that starts with **spectro-on-demand-**. +5. Search for entries that starts with **spectro-on-demand-**. Open the these entries to confirm that the role bindings + bind the expected role to the expected subject. diff --git a/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md b/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md index e69de29bb2..49d7c3ace3 100644 --- a/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md +++ b/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md @@ -0,0 +1,9 @@ +--- +sidebar_label: Delete Workspace" +title: Delete Workspace" +description: "Learn how to restrict certain images from being used by your workspace" +hide_table_of_contents: false +sidebar_custom_props: + icon: "workspaces" +tags: ["workspace"] +--- diff --git a/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md b/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md index e69de29bb2..958584e3ca 100644 --- a/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md +++ b/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md 
@@ -0,0 +1,59 @@ +--- +sidebar_label: "Resource Management" +title: "Resource Management" +description: "Learn how to monitor workload resource consumption and implement resource quotas for your workspace." +hide_table_of_contents: false +sidebar_custom_props: + icon: "workspaces" +tags: ["workspace", "resource-management"] +--- + +Workspaces give you a unified view of resource consumption in specified namespaces across all clusters in the workspace. +Additionally, you can implement resource quotas for the workspace as a whole, or for individual namespaces. + +## Monitor Resource Consumption + +Workspaces allow you to view the workloads such as pods, deployments, daemon sets, and stateful sets in the namespaces +that comprise the workspace. + +In the workspace details page, the landing **Namespaces** tab give you an overview of how much resources are consumed by +each namespace. The **CPU** and **Memory** column display the total CPU and memory consumed by the namespaces with the +same name in the entire workspace. + +You can view more workloads by selecting the corresponding tab. For example, select the **Pods** tab if you want to +monitor pod workloads. Each tab will show you the CPU and memory consumption of the corresponding workload in the entire +workspace. + +## Implement Resource Quotas + +You can implement resource quotas on an entire workspace, as well as implement them on individual namespaces. + +### Prerequisites + +- + +### Procedure + +1. Log in to [Palette](https://console.spectrocloud.com). + +2. In the **Drop-Down Menu** at the top of the page, choose the project that has your workspace. + +3. On the left **Main Menu**, click **Workspaces**. + +4. Click on the workspace you want to update. + +5. Click **Settings** in the upper-right corner. + +6. Click **Namespaces**. + +7. Under **Workspace Quota**, you can specify the amount of CPU and memory that the entire workspace is allowed to + consume. The default value is 0, which imposes no limit. + +8. 
If you want to limit resource use based on namespaces, enter the desired CPU and memory limit in the next to the + namespace entry. + + You can impose the limit more granularly by expanding the namespace row and enter the limit on the namespace in one + particular cluster. You must ensure that resources alloted to individual namespaces do not exceed the workspace + quota. + +### Validate diff --git a/docs/docs-content/workspace/workspace-mgmt/restrict-images.md b/docs/docs-content/workspace/workspace-mgmt/restrict-images.md index e69de29bb2..2304a7b467 100644 --- a/docs/docs-content/workspace/workspace-mgmt/restrict-images.md +++ b/docs/docs-content/workspace/workspace-mgmt/restrict-images.md @@ -0,0 +1,9 @@ +--- +sidebar_label: Restrict Container Images" +title: Restrict Container Images" +description: "Learn how to restrict certain images from being used by your workspace" +hide_table_of_contents: false +sidebar_custom_props: + icon: "workspaces" +tags: ["workspace"] +--- From c8bb90244f92e4e727af633e33f2f3987c0a253e Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Mon, 16 Dec 2024 17:31:03 -0800 Subject: [PATCH 04/21] docs: finish workspace pages --- .../workspace-mgmt/delete-workspace.md | 37 ++++++++++++++++++ .../workspace/workspace-mgmt/resource-mgmt.md | 20 +++++++++- .../workspace-mgmt/restrict-images.md | 39 +++++++++++++++++++ 3 files changed, 94 insertions(+), 2 deletions(-) diff --git a/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md b/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md index 49d7c3ace3..07fc269298 100644 --- a/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md +++ b/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md 
@@ -7,3 +7,40 @@ sidebar_custom_props: icon: "workspaces" tags: ["workspace"] --- + +This page teaches you how to delete a workspace. Deleting a workspace removes resources in the cluster that you created +using the workspace, such as role bindings, cluster role bindings, and resource quotas. Deleting a workspace does not +delete any of the clusters inside the workspace. + +## Prerequisites + +- An existing workspace. Refer to [Create a Workspace](../adding-a-new-workspace.md) to learn how to create a workspace. + +- You are logged in as a Palette user that has the permission to delete workspaces. For more information, refer to + [Permissions](../../user-management/palette-rbac/permissions.md). + +## Delete a Workspace + +1. Log in to [Palette](https://console.spectrocloud.com). + +2. In the **Drop-Down Menu** at the top of the page, choose the project that has your workspace. + +3. On the left **Main Menu**, click **Workspaces**. + +4. Click on the workspace you want to delete. + +5. In the upper-right corner, click **Settings**. + +6. Click **Delete Workspace**. + +7. Enter the workspace name to confirm deletion. + +## Validate + +1. Log in to [Palette](https://console.spectrocloud.com). + +2. In the **Drop-Down Menu** at the top of the page, choose the project that has your workspace. + +3. On the left **Main Menu**, click **Workspaces**. + +4. Confirm that the workspace has been deleted. diff --git a/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md b/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md index 958584e3ca..df2a9f74c1 100644 --- a/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md +++ b/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md 
@@ -9,7 +9,10 @@ tags: ["workspace", "resource-management"] --- Workspaces give you a unified view of resource consumption in specified namespaces across all clusters in the workspace. -Additionally, you can implement resource quotas for the workspace as a whole, or for individual namespaces. +Additionally, you can implement resource quotas for the workspace as a whole, or for individual namespaces. The resource +quotas are implemented using the native Kubernetes ResourceQuota object. Refer to +[Kubernetes documentation](https://kubernetes.io/docs/concepts/policy/resource-quotas) to learn more about resource +quotas. ## Monitor Resource Consumption @@ -30,7 +33,10 @@ You can implement resource quotas on an entire workspace, as well as implement t ### Prerequisites -- +- An active Palette workspace. Refer to [Create a Workspace](../adding-a-new-workspace.md) to learn how to create one. + +- You are logged in as a Palette user that has the permission to modify workspaces. For more information, refer to + [Permissions](../../user-management/palette-rbac/permissions.md). ### Procedure @@ -57,3 +63,13 @@ You can implement resource quotas on an entire workspace, as well as implement t quota. ### Validate + +1. Connect to a cluster in your workspace using kubectl. For more information, refer to + [Access Cluster with kubectl](../../clusters/cluster-management/palette-webctl.md). + +2. Issue the following command to view the resource quotas created for your cluster. Confirm that the corresponding + resource quotas have been created. You may also use the `--namespace` flag to choose a specific namespace to examine. + + ```shell + kubectl get resourcequota --all-namespaces + ``` diff --git a/docs/docs-content/workspace/workspace-mgmt/restrict-images.md b/docs/docs-content/workspace/workspace-mgmt/restrict-images.md index 2304a7b467..ce14245b10 100644 --- a/docs/docs-content/workspace/workspace-mgmt/restrict-images.md 
+++ b/docs/docs-content/workspace/workspace-mgmt/restrict-images.md @@ -7,3 +7,42 @@ sidebar_custom_props: icon: "workspaces" tags: ["workspace"] --- + +You can specify image URLs in a workspace to restrict access to images in your workspace for specific namespaces. +Restricted images cannot be loaded into any cluster in the namespaces you specify. Under the hood, access control to +images is achieved using Kyverno policies. For more information about Kyverno, refer to +[Kyverno documentation](https://kyverno.io/). + +## Prerequisites + +## Restrict Container Image + +1. Log in to [Palette](https://console.spectrocloud.com). + +2. In the **Drop-Down Menu** at the top of the page, choose the project that has your workspace. + +3. On the left **Main Menu**, click **Workspaces**. + +4. Click on the workspace you want to delete. + +5. In the upper-right corner, click **Settings**. + +6. Click **Container Images**. + +7. Enter the namespace you want to restrict image access for. Then enter the images by tag, separated by commas. + +8. Click **Save Changes**. + +## Validate + +1. Connect to a cluster in your workspace using kubectl. For more information, refer to + [Access Cluster with kubectl](../../clusters/cluster-management/palette-webctl.md). + +2. Issue the following command to view the Kyverno policy used to control image access. + + ```shell + kubectl describe cpol cluster-policy-palette-system + ``` + +3. Check under `spec.rules.preconditions` and `spec.rules.validate`. Confirm that the matching namespaces have + restricted the container images from loading. From 5ebbe9875bed9c20a93ffc3e136713ba7d6186ff Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Mon, 16 Dec 2024 17:32:14 -0800 Subject: [PATCH 05/21] docs: fix broken lilnk --- docs/docs-content/vm-management/rbac/vm-roles-permissions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/docs-content/vm-management/rbac/vm-roles-permissions.md b/docs/docs-content/vm-management/rbac/vm-roles-permissions.md index f42aac7b13..9d0f45ba68 100644 --- a/docs/docs-content/vm-management/rbac/vm-roles-permissions.md +++ b/docs/docs-content/vm-management/rbac/vm-roles-permissions.md @@ -37,7 +37,7 @@ to specify bindings to configure granular Role-Based Access Control (RBAC) rules You can configure namespaces and RBAC from within a cluster or from a Palette workspace that contains a cluster group. In a cluster group, all RoleBindings must occur at the namespace level. For details, review the [Cluster RBAC](../../clusters/cluster-management/cluster-rbac.md) and -[workspace RBAC](../../workspace/workspace.md#role-based-access-controlrbac) guides. +[workspace RBAC](../../workspace/workspace-mgmt/configure-rbac.md) guides. Palette leverages Regex Pattern matching so you can select multiple namespaces to apply role bindings. Check out [Regex for Namespaces](../../workspace/workload-features.md#regex-for-namespaces) to learn more. From 89be8c90d5e0a0c4e5e37e70f8a141573d890d10 Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Tue, 17 Dec 2024 12:45:26 -0800 Subject: [PATCH 06/21] docs: remove feature page --- .../workspace/workload-features.md | 545 ------------------ .../workspace-mgmt/configure-rbac.md | 14 +- .../workspace-mgmt/delete-workspace.md | 4 +- .../workspace/workspace-mgmt/resource-mgmt.md | 12 + .../workspace-mgmt/restrict-images.md | 2 +- 5 files changed, 26 insertions(+), 551 deletions(-) delete mode 100644 docs/docs-content/workspace/workload-features.md diff --git a/docs/docs-content/workspace/workload-features.md b/docs/docs-content/workspace/workload-features.md deleted file mode 100644 index 8ee5dee666..0000000000 --- a/docs/docs-content/workspace/workload-features.md +++ /dev/null 
@@ -1,545 +0,0 @@ ---- -sidebar_label: "Workspace Management" -title: "The additional features to optimize workspace performance" -description: "How to get unified view of workloads in logically grouped namespaces and clusters" -icon: "" -hide_table_of_contents: false -sidebar_position: 10 -tags: ["workspace"] ---- - -# Manage Palette Workspace - -Palette supports several day 2 operations to manage the end-to-end lifecycle of the Kubernetes clusters through -Workspaces. It also provides several capabilities across new and imported clusters to keep your clusters secure, -compliant, up to date, and perform ongoing management operations like Backup and Restore. Additionally, you can have -visibility into the workloads running inside your cluster and cluster costs. - -The following sections describe these capabilities in detail: - - - - -## Workload Visibility - -Workspace provides visibility into workloads deployed across clusters. - -| **Resource** | **Description availed from Workspace** | -| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| **Namespaces** | Cluster Specific namespaces with CPU and Memory utilization. | -| **Pods** | Lists all the pods running on a particular namespace with cluster names with the detailed health status, age, and resource utilization of each of them. 
| -| **Deployments** | All the running deployments specific to clusters belonging to the Workspace with namespace to which these deployments belong, pods details, replicas, and age are enumerated | -| **DaemonSets** | DaemonSet resource utilization is described, with details on namespaces, pods, and age of individual Daemon sets | -| **StatefulSets** | All the active StatefulSets specific to clusters belonging to the Workspace with corresponding namespace, pods details, replicas, and age are enumerated | -| **Jobs** | A Job creates one or more Pods and will continue to retry execution of the Pods until a specified number of them successfully terminate. | -| **CronJobs** | Cron Jobs are regularly scheduled actions or jobs such as backups, report generation, etc. Each of these jobs will recur as scheduled. | -| **RoleBinding** | A role binding grants the permissions defined in a role to a user or set of users. | -| **ClusterRoleBinding** | A Cluster Role binding defines the permissions defined across a cluster. | - - - - - -## Workspace Backup and Restore - -Palette users can create cluster backups from within a workspace (usually consisting of multiple clusters) and restore -them later time as desired. Palette allows granular controls within a workspace for users to perform specific tasks -within the workspace, without having the ability to update workspace details. To provide granular access within a -workspace for specific actions, Palette provides the following two Roles: - -## Workspace Operator - -Users assigned the **Workspace Operator** Role can only perform Backup and Restore actions within the Workspace. - -## Workspace Admin - -A Role that has all administrative permissions and privileges within the Workspace. - -## Create your Workspace Roles - -To create your **Workspace Role**, follow the steps below: - -1. Log in to the Palette Management Console as **Tenant Admin**. - -2. Go to the **Users and Teams** option. - -3. 
From the listed users, select the user to be assigned with Workspace Roles. Check out the - [Create a User](../user-management/users-and-teams/create-user.md) guide to learn how to create a user. - -4. Select the **Workspace Roles** tab and click **+ New Workspace Role** to create a new role. - -5. Fill the following information into the **Add Roles to User-Name** wizard: - - - Project - - Workspace - - Choose the role from the options: - - Workspace Admin - - Workspace Operator - -6. Confirm the information provided to complete the wizard. - -7. The user set with the Workspace Role can take Workspace-wide Backups and Restores in compliance with their - permissions and privileges. - -Palette leverages the BackUps to the following locations: - -- Amazon Web Services (AWS) S3 Buckets: [Prerequisites](#for-an-amazon-web-services-aws-bucket-as-backup-location), - [Configure your Backup](#configure-your-backup-in-aws-s3) - -- Google Cloud Platform (GCP) Buckets: [Prerequisites](#for-a-google-cloud-platform-gcp-backup-location), - [Configure your Backup](#configure-your-backup-in-gcp-bucket) - -- MinIO S3 Buckets: [Prerequisites](#for-minio-s3-backup), [Configure your Backup](#configure-your-backup-in-minio) - -- Azure Blob: [Prerequisites](#for-azure-blob-backup), - [Configure your Backup](#configure-your-backup-in-azure-azure-blob) - -## Prerequisites - -### For an Amazon Web Services (AWS) Bucket as Backup Location - -- The AWS S3 permissions listed in the next section need to be configured in the AWS account to provision Backup through - Palette. - -- Pre-create a bucket at the AWS or MinIO object-store. - -## For a Google Cloud Platform (GCP) Backup Location - -- GCP service account with a **Storage Admin** role. - -- Pre-create a bucket at the GCP object storage. - -### For MinIO S3 Backup - -- S3 bucket with Read/Write Access - -- A unique access key (username) and corresponding secret key (password) from MinIO Console. 
- -- Service provider certificate (Optional) - -### For Azure Blob Backup - -- An active Azure cloud account with the following pieces of information noted down: - - - Tenant Id - - Client Id - - Subscription Id - - Client Secret created - -- An - [Azure storage account](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal) - created with the following information to be noted down for Palette use: - - - Storage Name: Custom name given to the Azure storage created. - - Stock-keeping unit - -- A container to be created in the Azure Storage account - -## Backup Locations - -AWS Simple Cloud Storage (S3) and other S3 compliant object stores such as MinIO and GCP Buckets are currently supported -as backup locations. These locations can be configured and managed under the **Project** > **Settings** option and can -be selected as a backup location, while backing up any cluster in the project. - -### Configure your Backup in AWS S3 - -The following details are required to configure a backup location in AWS: - -1. **Location Name** - Name of your choice. - -2. **Location Provider** - AWS (This is currently the only choice on the UI. Choose this option when backing up to AWS - S3 or any S3 compliance object store). - -3. **Certificate** - Required for MinIO. - -4. **S3 Bucket** - S3 bucket name must be pre-created on the object-store. - -5. **Configuration** - region=\{region-name},s3ForcePathStyle=\{true/false},s3Url=\{S3 URL}. S3 URL need not be provided - for AWS S3. - -6. **Account Information** - Details of the account which hosts the S3 bucket to be specified as Credentials or STS. - - - Credentials - Provide access key and secret key. - - STS - Provide the ARN and External ID of the IAM role that has permission to perform all S3 operations. The STS - role provided in the backup location should have a trust set up with the account used to launch the cluster itself - and should have the permission to assume the role. - -7. 
Palette mandates the AWS S3 Permissions while users use the static role to provision worker nodes. - - #### AWS S3 Permissions - - ```json - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:DescribeVolumes", - "ec2:DescribeSnapshots", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:CreateSnapshot", - "ec2:DeleteSnapshot" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "s3:GetObject", - "s3:DeleteObject", - "s3:PutObject", - "s3:AbortMultipartUpload", - "s3:ListMultipartUploadParts" - ], - "Resource": ["arn:aws:s3:::BUCKET-NAME/*"] - }, - { - "Effect": "Allow", - "Action": ["s3:ListBucket"], - "Resource": ["arn:aws:s3:::BUCKET-NAME"] - } - ] - } - ``` - - #### Trust Setup Example - - ```json - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::141912899XX99:root" - }, - "Action": "sts:AssumeRole", - "Condition": {} - } - ] - } - ``` - -### Configure your Backup in GCP Bucket - -These locations can be configured and managed from the **Settings** option under **Project** and can be selected as a -backup location while backing up any cluster in the project. - -The following details are required to configure a backup location in GCP: - -1. **Location Name** - Name of your choice. - -2. **Location Provider** - Google Cloud (Choose this option when backing up to the GCP bucket object store). - -3. **Bucket** - The name of the bucket name pre-created on the object store. - -4. **JSON Credentials** - For external authentication of the GCP storage. - -### Configure your Backup in MinIO - -The following details are required to configure a backup location in AWS: - -1. **Location Name**: Name of your choice. - -2. **Location Provider**: Minio - -3. **Certificate**: Optionally required for MinIO. - -4. **S3 Bucket**: S3 bucket name must be pre-created on the MinIO object-store. - -5. **Region**: Region in which the S3 bucket is created. 
Example: us-east-1 - -6. **S3 URL**: Url of the MinIO object storage console. Example: `http://12.123.234.567:0000` - -7. **Force S3 path style** : To force S3 pathstyle addressing or else the url will be converted to virtual-hosted style - addressing with bucket name appended to the url.This is an optional setting. - -8. **Authenticate** using MinIo access key and secret access key. - -9. Click **Create** to complete the location creation wizard. - -### Configure your Backup in Azure: Azure Blob - -The following details are required to configure a backup location in Azure: - -1. **Location Name**: A custom name for the storage location getting created. - -2. **Location Provider:** Select **Azure** from the drop-down. - -3. **Container Name:** The container created in Azure Storage. - -4. **Storage Name**: Name of the Azure storage created. - -5. **Stock-Keeping Unit**: Information from the Azure storage. - -6. **Resource Group:** Azure Resource Group name - -7. **Tenant ID:** Azure Account Credential. - -8. **Client ID:** Azure Account Credential. - -9. **Subscription ID**: Azure Account Credential. - -10. **Client Secret:** Secret created in the Azure console needs to be validated. - -11. Click **Create** to complete the location creation wizard. - -## Add a Backup Location - -Go to **Project Settings** > **Backup locations** > **Add a New Backup location**. - -## Create a Workspace Backup - -Backups can be scheduled or initiated in an on demand basis, during the workspace creation. The following information is -required for configuring a Workspace Backup, on demand- - -1. **Backup Prefix / Backup Name**: For scheduled backup, a name will be generated internally, add a prefix of our - choice to append with the generated name. For an on demand backup, a name of user choice can be used. - -2. Select the Backup location. - -3. **Backup Schedule** - Create a backup schedule of your choice from the dropdown list, applicable only to scheduled - backups. - -4. 
**Expiry Date** - Select an expiry date for the backups. The backup will be automatically removed on the expiry date. - -5. **Include all disks** - Optionally, backup persistent disks as part of the backup. - -6. **Include Cluster Resources** - Select or deselect on your choice. - - | On Demand Backup | - | ------------------------------------------------------------------------ | - | Select the **Workspace to Backup** > **Settings** > **Schedule Backups** | - - | Scheduled Backup | - | ----------------------------------------------------------- | - | **Workspace Creation** > **Policies** > **Backup Policies** | - -## Backup Scheduling Options - -Both the cluster and workspace backup support the following scheduling options: - -- Customize your backup for the exact month, day, hour, and minute of the user's choice. -- Every week on Sunday at midnight -- Every two weeks at midnight -- Every month on the 1st at midnight -- Every two months on the 1st at midnight - -## Restore a Backup - -Backups created manually or as part of the schedule are listed under the Backup/Restore page of the cluster. - -1. Restore operation can be initiated by selecting the restore option for a specific backup. - -2. Next, you will be prompted to select a target cluster where you would like the backup to be restored. The progress of - the restore operation can be tracked from the target cluster's Backup/Restore page. - -3. Finally, restore operations can be done to the cluster running on the same project. - -## Restore Your Backup - -To initiate a restore operation: - -1. Log in to the Palette console as the **Project Admin** and go to **Workspaces** page. - -2. Select the **Workspace Name** to be restored. - -3. From the selected Workspace overview, select **Backups** from the top menu. - -4. The Backup option lists all the backups scheduled for the selected Workspace. Towards the name of the backup, click - the meatball (three horizontal dots) button to open the restore wizard. - -5. 
Click on the **Restore Backup** option to complete the wizard: - - - Choose of the namespaces to be restored - - Three options are available to filter the resources to be restored: - - - **Include Cluster Resources** - To restore all the cluster scoped resources. - - **Preserve Node Ports** - To preserve ports for node port service running in the cluster. - - **Restore PVs** - To restore the persistent volumes. - -
- - :::tip - - Check **Include Cluster Resource** and **Restore PVs** options together. - - ::: - -6. Make the appropriate choice of resources as per user requirements to complete the wizard. - -
- - - -## Workspace Quota - -Palette enables the users to limit resource usage within the workspace optionally. The Quota is specified in terms of -the maximum CPU and memory. Therefore, the resource utilization within the namespace should be below the Quota allocated -across all the clusters. - -## To set your Resource Quota: - -1. During [Step: 3 Associate Namespaces](./adding-a-new-workspace.md#create-your-workspace) of Namespace creation, - **Workspace Quota** can be set by giving the **Maximum CPU** and **Maximum Memory**. Then, all the clusters launched - within the Namespace can use the set Quota. - -2. Namespace Quota can be set for an already deployed workspace as: - `Workspace Settings -> Namespaces -> Workspace Quota` - -### Workspace Quota Notes: - -- The quota allocated to the workspace scope is split across all the namespaces under that workspace per their resource - requirements. - -- The palette allows quotas to be allocated to individual namespaces under a specific workspace. In that case, - individual clusters belonging to that namespace can utilize the quota per their resource requirements. When a - namespace is allocated with a quota, all the clusters belonging to that namespace get allocated with that resource - quota individually. - - **Example**: If Namespace palette-ns belongs to two (2) clusters, p1 and p2, and palette-ns is allocated a quota of 1 - CPU and 1 Gb memory, each of p1 and p2 gets allocated 1 CPU and 1 GB memory individually. - -- Palette allows quota to be allocated to individual clusters under a specific workspace. In that case, the allocated - quota should not exceed the namespace quota. - -- To set an unlimited quota, set the quota value as -1. - - If -1 is set as the quota for a cluster, then we cannot set a quota for the workspace to which the cluster belongs. - - If -1 is set as the quota for a Workspace, then we cannot set a quota for the clusters belonging that Workspace. 
- - - - -## Regex for Namespaces - -Palette leverages Regex Pattern matching to select multiple namespaces to apply Role binding concurrently. When we have -many namespaces to be configured for role binding, the user can provide a Regex pattern matching multiple namespaces -instead of giving a single namespace. This will help select all the namespaces matching the given Regex pattern to be -selected together for role binding. - -## Use Cases - -1. A Regex pattern that start and end with " / ", will select all the workspace names matching the given Regex pattern. - - **Example:** `/^palette-ns/` - -2. A Regex pattern that starts with `negation symbol(~)`, will select all the namespaces that _does not match_ with the - regex expression given. - - **Example:** `~/^(kube|cluster|capi|jet|cert)[-].+/` - - :::info - - No spaces to be added between the `~` operator and the `expression`. - - ::: - - - - - -## Workspace Role Binding - -Workspace Role Binding is a Project scope operation. There are two available options for setting up Roll Binding for a -Workspace: - -- **Cluster** to create a RoleBinding with cluster-wide scope (ClusterRoleBinding). - -- **Namespaces** to create a RoleBinding within namespaces scope (RoleBinding). - -Palette users can choose role creation based on their resource requirements. - -## Configure cluster role bindings - -- Login to Palette as Project admin and select the Workspace to which the Role Binding need to configured. - -- Select Settings -> Cluster - -- Select the clusters from the workspace to Role Bind. - -- Click on “Add new binding” to open the “Add Cluster Role Binding” wizard. Fill in the following details: - - - Role Name: Define a custom role name to identify the cluster role - - Subjects: Subjects are a group of users, services, or teams using the Kubernetes API. It defines the operations a - user, service, or a team can perform. 
There are three types of subjects: - - Subject Type: - - Users: These are global and meant for humans or processes living outside the cluster. - - Groups: Set of users. - - Service Accounts: Kubernetes uses service accounts to authenticate and authorize requests by pods to the - Kubernetes API server. These are namespaced and meant for intra-cluster processes running inside pods. - - Subject Name: Custom name to identify a subject. A single RoleBinding can have multiple subjects. - -- “Confirm” the information to complete the creation of the ClusterRoleBinding. - -## Configure role bindings: Namespace Scope - -Users can now allocate CPU and Memory [quotas](#workspace-quota) for each **namespace** at the cluster level. - -- Login to Palette as Project admin and select the Workspace to which the Role Binding need to be configured. - -- Select Cluster Settings -> Namespace. - -- Create a namespace with a custom name and add it to the list of the namespace by clicking on “add to the list”. - -- [Allocate resources](workload-features.md#workspace-quota) to the created namespace (CPU and Memory). - -- Click on “Add new binding” to open the “Add ClusterRoleBinding” wizard. Fill in the following details: - - - Namespace: Select the namespace from the drop-down Menu. The list will display the namespaces created during the - previous step. - - Role Type: Select the role type from the drop-down. Either Role or Cluster Role. - - :::info - - A RoleBinding may reference any Role in the same namespace. Alternatively, a RoleBinding can reference a ClusterRole - and bind that ClusterRole to the namespace of the RoleBinding. For example, if you want to bind a ClusterRole to all - the namespaces in your cluster, you use a ClusterRoleBinding. - - ::: - -- Role Name: Define a custom role name to identify the cluster role - -- Subjects: Subjects are a group of users, services, or teams using the Kubernetes API. It defines the operations a - user, service, or group can perform. 
There are three types of subjects: - - - Subject Type: - - Users: These are global, and meant for humans or processes living outside the cluster. - - Groups: Set of users. - - Service Accounts: Kubernetes uses service accounts to authenticate and authorize requests by pods to the - Kubernetes API server. These are name spaced and meant for intra-cluster processes running inside pods. - - Subject Name: Custom name to identify a subject. A single RoleBinding can have multiple subjects. - -- “Confirm” the information to complete the creation of the RoleBinding. - - - - - -## Restricted Container Images - -Palette users can restrict a few container images from getting deployed into a specific Namespace. This helps the -tenants from accidentally installing a delisted or unwanted container to that specific namespace. - -## Restrict container images to a workspace - -To restrict a container image for a particular namespace within the workspace: - -1. During [Step: 4 Settings](adding-a-new-workspace.md#create-your-workspace) of workspace creation, select the - **Container Images** tab from the left ribbon. - -2. Click on **+ Add New Container Image** and provide the **Namespace** and **Restricted Images**. Multiple images can - be restricted within a namespace by separating them with commas. - -## Restrict container images to a deployed workspace - -The user can add a list of restricted images to an already deployed workspace as: - -1. **Workspace Settings** > **Container Images** - -2. Click on **Add New Container Image** and provide the **Namespace** and **Restricted Images**. Multiple images can be - restricted within a Namespace by separating them with commas. - - -
diff --git a/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md b/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md index 971e298c5b..de3bf8b776 100644 --- a/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md +++ b/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md @@ -58,9 +58,17 @@ cluster role `podReader` to the service account `podReaderAccount` in that clust the namespace in the workspace and Palette users who have access to this workspace will be able to see its workloads and resource consumption. - Alternatively, enter a regex that match the namespaces where you want to create the role binding. Using regex will - not include all the namespaces that match the regex in the namespace. It will still allow you to create the role - bindings, but the workloads in those namespaces will not be visible. + Alternatively, enter a regex that match the namespaces where you want to create the role binding. Each regex needs to + start and end with a forward slash`/`. For example `/palette-.*/` will match any namespace that starts with + `palette-`. You may also use the negation symbol `~` to select all namespaces that do not match the regex. For + example, `~/palette-.*/` matches everything that does not start with `palette-`. + + :::info + + Using regex will _not_ include all the namespaces that match the regex in the workspace. It will still allow you to + create the role bindings, but the workloads in those namespaces will not be visible. + + ::: 7. Click **Add New Binding**. diff --git a/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md b/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md index 07fc269298..65c7f15398 100644 --- a/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md +++ b/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md 
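Review bot: the `:::info` caveat deleted with the "Use Cases" section of workload-features.md ("No spaces to be added between the `~` operator and the `expression`") is not carried over anywhere in this series; the replacement text in configure-rbac.md introduces `~` negation but never states the no-space rule, so either add that sentence to the configure-rbac.md hunk or confirm the field no longer rejects `~ /.../`. The deleted subject-type descriptions (Users are cluster-global, Service Accounts are namespaced and meant for in-cluster processes) should likewise be checked for on the destination page, since that distinction is what a reader needs when choosing what to bind a role to.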
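Review bot: grammar and spacing in the added regex paragraph of the configure-rbac.md hunk: "enter a regex that match the namespaces" should be "that matches", and "forward slash`/`" needs a space before the backtick. The example `/palette-.*/` is described as matching namespaces that "start with `palette-`", but as written the pattern is unanchored; either anchor it (`/^palette-.*/`, as the deleted page's own examples `/^palette-ns/` and `~/^(kube|cluster|capi|jet|cert)[-].+/` did) or verify that Palette anchors the match, because an unanchored pattern would also bind the role in any namespace merely containing `palette-`.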
@@ -1,6 +1,6 @@ --- -sidebar_label: Delete Workspace" -title: Delete Workspace" +sidebar_label: Delete Workspace +title: Delete Workspace description: "Learn how to restrict certain images from being used by your workspace" hide_table_of_contents: false sidebar_custom_props: diff --git a/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md b/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md index df2a9f74c1..eb54ac1686 100644 --- a/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md +++ b/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md 
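Review bot: the `description` field of delete-workspace.md still reads "Learn how to restrict certain images from being used by your workspace", which is the restrict-images page's description copied over; since this hunk already edits the front matter to drop the stray quotes, fix it here, for example `description: "Learn how to delete a workspace."`.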
@@ -27,6 +27,18 @@ You can view more workloads by selecting the corresponding tab. For example, sel monitor pod workloads. Each tab will show you the CPU and memory consumption of the corresponding workload in the entire workspace. +| **Resource** | **Description availed from Workspace** | +| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| **Namespaces** | Cluster Specific namespaces with CPU and Memory utilization. | +| **Pods** | Lists all the pods running on a particular namespace with cluster names with the detailed health status, age, and resource utilization of each of them. | +| **Deployments** | All the running deployments specific to clusters belonging to the Workspace with namespace to which these deployments belong, pods details, replicas, and age are enumerated | +| **DaemonSets** | DaemonSet resource utilization is described, with details on namespaces, pods, and age of individual Daemon sets | +| **StatefulSets** | All the active StatefulSets specific to clusters belonging to the Workspace with corresponding namespace, pods details, replicas, and age are enumerated | +| **Jobs** | A Job creates one or more Pods and will continue to retry execution of the Pods until a specified number of them successfully terminate. | +| **CronJobs** | Cron Jobs are regularly scheduled actions or jobs such as backups, report generation, etc. Each of these jobs will recur as scheduled. | +| **RoleBinding** | A role binding grants the permissions defined in a role to a user or set of users. | +| **ClusterRoleBinding** | A Cluster Role binding defines the permissions defined across a cluster. | + ## Implement Resource Quotas You can implement resource quotas on an entire workspace, as well as implement them on individual namespaces. 
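Review bot: the **ClusterRoleBinding** row of the new table is circular and inaccurate ("A Cluster Role binding defines the permissions defined across a cluster"); a ClusterRoleBinding defines no permissions, it grants the permissions in a ClusterRole to subjects cluster-wide. Suggest `| **ClusterRoleBinding** | Grants the permissions defined in a ClusterRole to subjects across the entire cluster. |` and, for symmetry, "grants the permissions defined in a Role or ClusterRole to subjects within a namespace" for the **RoleBinding** row. The header "Description availed from Workspace" is awkward ("Description" is enough), and the Deployments, DaemonSets and StatefulSets rows lack the terminal period the other rows have.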
diff --git a/docs/docs-content/workspace/workspace-mgmt/restrict-images.md b/docs/docs-content/workspace/workspace-mgmt/restrict-images.md index ce14245b10..f62b2b12e4 100644 --- a/docs/docs-content/workspace/workspace-mgmt/restrict-images.md +++ b/docs/docs-content/workspace/workspace-mgmt/restrict-images.md @@ -1,5 +1,5 @@ --- -sidebar_label: Restrict Container Images" +sidebar_label: Restrict Container Images title: Restrict Container Images" description: "Learn how to restrict certain images from being used by your workspace" hide_table_of_contents: false From d2c3c636a4702a417e3020dbd57dc4cf515c7240 Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Tue, 17 Dec 2024 14:40:47 -0800 Subject: [PATCH 07/21] docs: broken link fix --- .../backup-restore/backup-restore.md | 5 ++-- .../rbac/vm-roles-permissions.md | 3 --- .../workspace/adding-a-new-workspace.md | 6 ++--- .../workspace-mgmt/workspace-mgmt.md | 23 +++++++++++++++++++ 4 files changed, 29 insertions(+), 8 deletions(-) create mode 100644 docs/docs-content/workspace/workspace-mgmt/workspace-mgmt.md diff --git a/docs/docs-content/clusters/cluster-management/backup-restore/backup-restore.md b/docs/docs-content/clusters/cluster-management/backup-restore/backup-restore.md index ee8a318c0a..cdbd59ba67 100644 --- a/docs/docs-content/clusters/cluster-management/backup-restore/backup-restore.md +++ b/docs/docs-content/clusters/cluster-management/backup-restore/backup-restore.md @@ -42,8 +42,9 @@ To get started with creating a backup, check out the :::info -If you are using a workspace, refer to the [Manage Palette Workspace](../../../workspace/workload-features.md) guide to -learn more about backup and restore actions for a workspace. +If you are using a workspace, refer to the +[Manage Palette Workspace](../../../workspace/workspace-mgmt/workspace-mgmt.md) guide to learn more about backup and +restore actions for a workspace. ::: 
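Review bot: the restrict-images.md front-matter hunk removes the stray trailing quote from `sidebar_label` but leaves `title: Restrict Container Images"` with the same defect in the context line; fix both fields in the same hunk rather than leaving the title to a later commit in the series.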
diff --git a/docs/docs-content/vm-management/rbac/vm-roles-permissions.md b/docs/docs-content/vm-management/rbac/vm-roles-permissions.md index 9d0f45ba68..e2180a1232 100644 --- a/docs/docs-content/vm-management/rbac/vm-roles-permissions.md +++ b/docs/docs-content/vm-management/rbac/vm-roles-permissions.md @@ -38,6 +38,3 @@ You can configure namespaces and RBAC from within a cluster or from a Palette wo In a cluster group, all RoleBindings must occur at the namespace level. For details, review the [Cluster RBAC](../../clusters/cluster-management/cluster-rbac.md) and [workspace RBAC](../../workspace/workspace-mgmt/configure-rbac.md) guides. - -Palette leverages Regex Pattern matching so you can select multiple namespaces to apply role bindings. Check out -[Regex for Namespaces](../../workspace/workload-features.md#regex-for-namespaces) to learn more. diff --git a/docs/docs-content/workspace/adding-a-new-workspace.md b/docs/docs-content/workspace/adding-a-new-workspace.md index bc9c370349..b01228052d 100644 --- a/docs/docs-content/workspace/adding-a-new-workspace.md +++ b/docs/docs-content/workspace/adding-a-new-workspace.md @@ -1,7 +1,7 @@ --- -sidebar_label: "Adding a Workspace" -title: "Adding a workspace" -description: "How to create multi-cluster workspace in Palette" +sidebar_label: "Create a Workspace" +title: "Create a workspace" +description: "How to create multi-cluster workspace in Palette." icon: "" hide_table_of_contents: false sidebar_position: 0 diff --git a/docs/docs-content/workspace/workspace-mgmt/workspace-mgmt.md b/docs/docs-content/workspace/workspace-mgmt/workspace-mgmt.md new file mode 100644 index 0000000000..00988ed36e --- /dev/null +++ b/docs/docs-content/workspace/workspace-mgmt/workspace-mgmt.md 
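Review bot: the vm-roles-permissions.md hunk deletes the regex-for-namespaces paragraph outright, but the content it pointed to has moved to configure-rbac.md in this same series, so the right fix is to repoint rather than remove, for example "Palette leverages regex pattern matching so you can select multiple namespaces to apply role bindings. See [Configure RBAC in Workspaces](../../workspace/workspace-mgmt/configure-rbac.md)." Otherwise readers of the VM RBAC page lose the only pointer to multi-namespace bindings.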
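Review bot: in the adding-a-new-workspace.md front-matter hunk, the new `description: "How to create multi-cluster workspace in Palette."` is missing the article ("How to create a multi-cluster workspace in Palette."); since the line is being rewritten anyway, fix it here.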
@@ -0,0 +1,23 @@ +--- +sidebar_label: "Workspace Management" +title: "Workspace Management" +description: "Resources for workspace management." +icon: "" +hide_table_of_contents: false +sidebar_position: 0 +tags: ["workspace"] +--- + +After creating a workspace, you can monitor the workloads and their resource usage in your workspace in Palette. In +addition, you can make changes to the workspace, including adding and removing namespaces role bindings, and resource +quotas. + +## Resources + +- [Configure RBAC in Workspaces](configure-rbac.md) + +- [Resource Management](resource-mgmt.md) + +- [Restrict Container Images](restrict-images.md) + +- [Delete Workspace](./delete-workspace.md) From f25269e3f94bc91a88da8fd0993cf7500838442e Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Wed, 18 Dec 2024 10:41:45 -0800 Subject: [PATCH 08/21] docs: edit workspaces --- .../workspace/workspace-mgmt/resource-mgmt.md | 10 +++++----- .../workspace/workspace-mgmt/restrict-images.md | 10 ++++++++-- docs/docs-content/workspace/workspace.md | 17 ++++++++++++----- 3 files changed, 25 insertions(+), 12 deletions(-) diff --git a/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md b/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md index eb54ac1686..1fe37dd60e 100644 --- a/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md +++ b/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md 
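Review bot: in the new workspace-mgmt.md, "adding and removing namespaces role bindings, and resource quotas" is missing a comma ("namespaces, role bindings, and resource quotas"), and the link style is inconsistent (`./delete-workspace.md` versus the three preceding links without `./`). The Resources list also has no entry for the backup and restore page this series adds; include it once backup-restore.md exists so the index page stays complete.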
@@ -67,12 +67,12 @@ You can implement resource quotas on an entire workspace, as well as implement t 7. Under **Workspace Quota**, you can specify the amount of CPU and memory that the entire workspace is allowed to consume. The default value is 0, which imposes no limit. -8. If you want to limit resource use based on namespaces, enter the desired CPU and memory limit in the next to the - namespace entry. +8. If you want to limit resource use based on namespaces, enter the desired CPU and memory limit in the **Allocate CPU** + and **Allocate memory** columns next to the namespace entry. - You can impose the limit more granularly by expanding the namespace row and enter the limit on the namespace in one - particular cluster. You must ensure that resources alloted to individual namespaces do not exceed the workspace - quota. + By default, the namespace in each cluster has the same resource limit. You can change this and enter the limit on the + namespace in one particular cluster. You must ensure that resources alloted to individual namespaces do not exceed + the workspace quota when added together. ### Validate diff --git a/docs/docs-content/workspace/workspace-mgmt/restrict-images.md b/docs/docs-content/workspace/workspace-mgmt/restrict-images.md index f62b2b12e4..efaf8f9aa7 100644 --- a/docs/docs-content/workspace/workspace-mgmt/restrict-images.md +++ b/docs/docs-content/workspace/workspace-mgmt/restrict-images.md 
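Review bot: "alloted" in the rewritten paragraph of the resource-mgmt.md hunk is misspelled ("allotted"); the hunk rewrites that sentence, so correct it here. Also "**Allocate CPU** and **Allocate memory**" mix capitalisation; match the UI labels exactly, since readers search for them on screen.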
@@ -9,12 +9,18 @@ tags: ["workspace"] --- You can specify image URLs in a workspace to restrict access to images in your workspace for specific namespaces. -Restricted images cannot be loaded into any cluster in the namespaces you specify. Under the hood, access control to -images is achieved using Kyverno policies. For more information about Kyverno, refer to +Restricted images cannot be loaded into any cluster in the namespaces you specify. + +Access control to images is achieved using Kyverno policies. For more information about Kyverno, refer to [Kyverno documentation](https://kyverno.io/). ## Prerequisites +- An active Palette workspace. Refer to [Create a Workspace](../adding-a-new-workspace.md) to learn how to create one. + +- You are logged in as a Palette user that has the permission to modify workspaces. For more information, refer to + [Permissions](../../user-management/palette-rbac/permissions.md). + ## Restrict Container Image 1. Log in to [Palette](https://console.spectrocloud.com). diff --git a/docs/docs-content/workspace/workspace.md b/docs/docs-content/workspace/workspace.md index 0ac0a591b5..c786b4e6e2 100644 --- a/docs/docs-content/workspace/workspace.md +++ b/docs/docs-content/workspace/workspace.md 
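Review bot: missing documentation in the restrict-images.md intro: it states that restricted images "cannot be loaded into any cluster in the namespaces you specify" and that this is done with Kyverno policies, but not whether enforcement happens only at admission time or whether pods already running a newly restricted image are affected. Anyone relying on this as a security control needs that boundary stated; add a sentence after the Kyverno paragraph. It would also help to say how an entry in the comma-separated image list is matched (full reference, with or without tag), since that determines what is actually blocked.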
@@ -10,12 +10,13 @@ tags: ["workspace"] A workspaces in Palette consists of a group of clusters and namespaces and the resources scoped in those clusters and namespaces. Using workspaces enables you to provide application or team-specific governance and visibility into -workloads, cost, and usage metrics. For example, the application or team workload may be deployed into namespaces across -clusters to achieve High Availability (HA), Disaster Recovery (DR), or other organization-specific placement policies. -Grouping such namespaces and clusters into a workspace provide central management and governance in a multi-cluster -distributed environment. +workloads, cost, and usage metrics. -The following sections describe various aspects of multi-cluster management via workspaces. +For example, the application or team workload may be deployed into namespaces across clusters to achieve High +Availability (HA), Disaster Recovery (DR), or other organization-specific placement policies. Grouping such namespaces +and clusters into a workspace allows centralized management and governance in a multi-cluster distributed environment. + +The following sections describe what Palette workspaces can help you achieve. ## Namespace and Resource Management @@ -49,3 +50,9 @@ Workspaces enhance operational visibility and provide actionable insights throug **Workspace-Based Backup**: extends cluster-level backups to include namespaces in all clusters within a workspace. For detailed prerequisites and instructions, refer to the [Backup and Restore](../clusters/cluster-management/backup-restore/backup-restore.md) page. + +## Resources + +- [Create a Workspace](./adding-a-new-workspace.md) + +- [Workspace Management](./workspace-mgmt/workspace-mgmt.md) From b9cc9877a5a04640518864e913a1770b54101d70 Mon Sep 17 00:00:00 2001 
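Review bot: "A workspaces in Palette consists" in the first context line of the workspace.md hunk should be "A workspace"; fix it while this hunk is reflowing the paragraph.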
From: Lenny Chen Date: Wed, 18 Dec 2024 14:18:34 -0800 Subject: [PATCH 09/21] docs: copy edits --- .../workspace/adding-a-new-workspace.md | 61 ++++++++++--------- docs/docs-content/workspace/workspace.md | 6 +- 2 files changed, 35 insertions(+), 32 deletions(-) diff --git a/docs/docs-content/workspace/adding-a-new-workspace.md b/docs/docs-content/workspace/adding-a-new-workspace.md index b01228052d..246555f82a 100644 --- a/docs/docs-content/workspace/adding-a-new-workspace.md +++ b/docs/docs-content/workspace/adding-a-new-workspace.md @@ -27,7 +27,7 @@ how to create a workspace in Palette. All workspace settings can be updated afte 3. On the left **Main Menu**, click **Workspaces**. Then click **New Workspace**. -4. Add the Basic Information Provide the basic information for the workspace such as: +4. Add the Basic Information Provide the basic information for the workspace such as。 - **Name**. The workspace name must be unique in the project. - **Description**. An optional description for the workspace. @@ -54,8 +54,8 @@ how to create a workspace in Palette. All workspace settings can be updated afte While this action will create the same role binding across all the clusters that are part of the workspace, it does not define the cluster role nor the subject the role is bound to. You need to define the role yourself in each - cluster as well as define the subject the role is bound to exists. Otherwise, the cluster role binding will not have - any effect. + cluster as well as define the subject the role is bound to. Otherwise, the cluster role binding will not have any + effect. :::info 
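Review bot: the `-27,7` hunk replaces the trailing colon with a full-width ideographic full stop (`。`, U+3002) in "such as。", which looks like an input-method slip rather than an intended edit; restore the colon, and add the missing punctuation between "Basic Information" and "Provide" (for example "Add the basic information. Provide the basic information for the workspace, such as:").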
@@ -67,45 +67,48 @@ how to create a workspace in Palette. All workspace settings can be updated afte 7. Enter the namespaces you want to include in the workspace. If the a cluster that is part of your workspace has that namespace, the namespace and all resources that are scoped within it will be included in the workspace. If any - cluster in the workspace is missing the namespace you entered, the namespace will be created on that cluster. You - must use the names of the namespaces exactly, not regular expressions. The regular expression entries are only used - for creating role bindings in a later step. + cluster in the workspace is missing the namespace you entered, the namespace will be created on that cluster. + + You must use the names of the namespaces exactly, not regular expressions. The regular expression entries are only + used for creating role bindings in a later step. 8. After selecting the namespaces, you can specify resource limits that the workspace is allowed to consume in the **Workspace Quota** section. The **Maximum CPU** and **Maximum Memory** allow you to specif the maximum amount of CPU cores and memory that all resources in the entire workspace are allowed to consume. - You may also specify resource limits on specific namespaces. When you specify a namespace-based limit, it means that - namespace can get the resources you configured in each cluster. +9. You may also specify resource limits on specific namespaces. For example, if you have two clusters `cluster1` and `cluster2`, and they each have a namespace called `default`. If you impose a 2Gi memory limit on the namespace default, then the `default` namespace in both clusters will be able to - consume 2 Gi memory each. You must ensure that the namespaced-limits, when added together, do not exceed the total - workspace limit you configured. 
If we continue with the previous example, you imposed a workspace quota of 4 Gi - memory, then the `default` namespace cannot have more than 2 Gi of memory, since they are two such namespaces in the - workspace and both of them added together are allowed 4 Gi of memory. + consume 2 Gi memory each. For more information about resource quotas, refer to + [Resource Management](./workspace-mgmt/resource-mgmt.md). -9. On the same **Namsespaces** page, you can optionally configure role bindings. When you configure a role binding for a - namespace, you are configuring the same role binding in that namespace in every cluster. Like in Kubernetes, you can - use either a role or a cluster role in a role binding. Similar to cluster role bindings, this action does not create - the roles or the subject for you. You must ensure that the corresponding role and subject referenced in the role - binding exists in the namespaces you configured. + You must ensure that the namespaced limits, when added together, do not exceed the total workspace limit you + configured. If you impose a workspace quota of 4 Gi memory for a two-cluster workspace, then a namespace cannot have + more than 2 Gi of memory as its limit, since there are two such namespaces in the workspace and both of them added + together are allowed 4 Gi of memory. - You can use Regular Expressions (regex) to create role bindings in multiple namespaces that match a certain pattern. - To do so, enter the regex in the namespace field. For example, `/palette-.*/` will match all namespaces that start - with `palette-`. When creating the role binding, you can select the regex as the namespace. +10. On the same **Namsespaces** page, you can optionally configure role bindings. When you configure a role binding for + a namespace, you are configuring the same role binding in that namespace in every cluster. Like in Kubernetes, you + can use either a role or a cluster role in a role binding. 
Similar to cluster role bindings, this action does not + create the roles or the subject for you. You must ensure that the corresponding role and subject referenced in the + role binding exists in the namespaces you configured. - :::info + You can use Regular Expressions (regex) to create role bindings in multiple namespaces that match a certain pattern. + To do so, enter the regex in the namespace field. For example, `/palette-.*/` will match all namespaces that start + with `palette-`. When creating the role binding, you can select the regex as the namespace. - Regex entries in the **Namespaces** field do not add the namespaces that match the regex to the workspace. You will - not be able to monitor resource usage, impose resource limits, or create backups unless you specifically add a - namespace by its name. + :::info - ::: + Regex entries in the **Namespaces** field do not add the namespaces that match the regex to the workspace. You will + not be able to monitor resource usage, impose resource limits, or create backups unless you specifically add a + namespace by its name. - When you are finished, click **Next**. + ::: + + When you are finished, click **Next**. -10. In the **Setting** page, you can schedule backups for select namespaces. These backups are created for each cluster +11. In the **Setting** page, you can schedule backups for select namespaces. These backups are created for each cluster in the workspace. Like cluster backups in Palette, restoring a backup requires the source cluster to be available. When you restore a 
@@ -115,12 +118,12 @@ how to create a workspace in Palette. All workspace settings can be updated afte For more information about backups, refer to [Backup and Restore](../clusters/cluster-management/backup-restore/backup-restore.md) -11. Lastly, you can restrict certain container images from being loaded in the namespaces that are managed by the +12. Lastly, you can restrict certain container images from being loaded in the namespaces that are managed by the workspace. To restrict images from being loaded by resources in a namespace, click **Add New Container Image**. Select a namespace you want to restrict the image in, and enter the image URLs in a comma-separated list. When you are done, click **Next**. -12. Review your configurations and click **Finish Configuration** to create the workspace. +13. Review your configurations and click **Finish Configuration** to create the workspace. ## Validate diff --git a/docs/docs-content/workspace/workspace.md b/docs/docs-content/workspace/workspace.md index c786b4e6e2..46ce9f170a 100644 --- a/docs/docs-content/workspace/workspace.md +++ b/docs/docs-content/workspace/workspace.md @@ -20,8 +20,8 @@ The following sections describe what Palette workspaces can help you achieve. ## Namespace and Resource Management -Workspaces in Spectro Cloud Palette automate the creation and management of namespaces across all clusters in the -workspace. This includes: +Workspaces in Palette automate the creation and management of namespaces across all clusters in the workspace. This +includes: - **Namespace Creation**: Creating namespaces across all clusters in your workspace if a cluster does not have a specified namespace. 
@@ -36,7 +36,7 @@ all clusters, ensuring consistent and secure access policies across all clusters ## Visibility and Insights -Workspaces enhance operational visibility and provide actionable insights through: +Workspaces enhance operational visibility and provide actionable insights - **Workload Visibility**: A centralized workload browser aggregates and displays workloads (pods, deployments, jobs, stateful sets, etc.) across all namespaces and clusters in the workspace. From 34ac0275e3484e16cc74d77e5f6a3536eac05c2d Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Thu, 19 Dec 2024 10:44:56 -0800 Subject: [PATCH 10/21] docs: add backup page --- .../workspace-mgmt/backup-restore.md | 37 +++++++++++++++++++ .../workspace-mgmt/configure-rbac.md | 2 - .../workspace-mgmt/delete-workspace.md | 2 - .../workspace/workspace-mgmt/resource-mgmt.md | 2 - .../workspace-mgmt/restrict-images.md | 2 +- 5 files changed, 38 insertions(+), 7 deletions(-) create mode 100644 docs/docs-content/workspace/workspace-mgmt/backup-restore.md diff --git a/docs/docs-content/workspace/workspace-mgmt/backup-restore.md b/docs/docs-content/workspace/workspace-mgmt/backup-restore.md new file mode 100644 index 0000000000..69043eacf6 --- /dev/null +++ b/docs/docs-content/workspace/workspace-mgmt/backup-restore.md 
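Review bot: dropping "through:" in the `-36,7` hunk leaves "Workspaces enhance operational visibility and provide actionable insights" with no lead into the bullet list that follows; keep the colon ("...actionable insights through:") or end the sentence with a period so the list stands on its own.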
@@ -0,0 +1,37 @@ +--- +sidebar_label: Backup and Restore +title: Backup and Restore +description: "Learn how to configure backup and restore for your workspaces." +hide_table_of_contents: false +tags: ["workspace"] +--- + +Palette allows you to create backups at the workspace-level. A workspace backup may include any or all namespaces +included in the workspace, across every cluster in the workspace. The backup feature for workspaces uses the same +Velero-based approach as regular cluster backups and are subject to the same limitations. For more information, refer to +[Cluster Backup and Restore](../../clusters/cluster-management/backup-restore/backup-restore.md). + +The backup files will be stored in a backup location you configure. Each cluster will have its own backup files. + +## Create a workspace backup + +Creating a workspace + +### Prerequisites + +### Procedure + +### Validate + +## Restore a workspace backup + +Restoring a workspace will restore the selected namespaces every cluster that is currently in the workspace to the same +state from which the backup was created. The clusters being restored must be healthy and reachable, because the restore +relies on access to the Kubernetes API. If you have deleted a cluster from the workspace, the deleted cluster will not +be restored. + +### Prerequisites + +### Procedure + +### Validate diff --git a/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md b/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md index de3bf8b776..5359701012 100644 --- a/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md +++ b/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md @@ -3,8 +3,6 @@ sidebar_label: "Configure RBAC in Workspaces" title: "Configure RBAC in Workspaces" description: "Learn how to configure RBAC in workspaces." hide_table_of_contents: false -sidebar_custom_props: - icon: "workspaces" tags: ["workspace", "rbac"] --- 
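Review bot: the new backup-restore.md is a stub ("Creating a workspace" under "Create a workspace backup", empty Prerequisites, Procedure and Validate headings) that a later commit in this series fills in; fine on a WIP branch, but squash before merge so the history has no half-written page. Grammar in the intro: "at the workspace-level" needs no hyphen, "uses the same Velero-based approach ... and are subject to the same limitations" should be "is subject", and "restore the selected namespaces every cluster" is missing "in".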
diff --git a/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md b/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md index 65c7f15398..e5344ee05c 100644 --- a/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md +++ b/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md @@ -3,8 +3,6 @@ sidebar_label: Delete Workspace title: Delete Workspace description: "Learn how to restrict certain images from being used by your workspace" hide_table_of_contents: false -sidebar_custom_props: - icon: "workspaces" tags: ["workspace"] --- diff --git a/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md b/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md index 1fe37dd60e..14c2ecc256 100644 --- a/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md +++ b/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md @@ -3,8 +3,6 @@ sidebar_label: "Resource Management" title: "Resource Management" description: "Learn how to monitor workload resource consumption and implement resource quotas for your workspace." hide_table_of_contents: false -sidebar_custom_props: - icon: "workspaces" tags: ["workspace", "resource-management"] --- diff --git a/docs/docs-content/workspace/workspace-mgmt/restrict-images.md b/docs/docs-content/workspace/workspace-mgmt/restrict-images.md index efaf8f9aa7..b2751317f7 100644 --- a/docs/docs-content/workspace/workspace-mgmt/restrict-images.md +++ b/docs/docs-content/workspace/workspace-mgmt/restrict-images.md @@ -1,6 +1,6 @@ --- sidebar_label: Restrict Container Images -title: Restrict Container Images" +title: Restrict Container Images description: "Learn how to restrict certain images from being used by your workspace" hide_table_of_contents: false sidebar_custom_props: From e5073f92919768cd5b2476d17676cfe99cd4923c Mon Sep 17 00:00:00 2001 
From: Lenny Chen Date: Thu, 19 Dec 2024 17:09:26 -0800 Subject: [PATCH 11/21] docs: add backup & restore sections --- .../workspace-mgmt/backup-restore.md | 112 +++++++++++++++++- 1 file changed, 111 insertions(+), 1 deletion(-) diff --git a/docs/docs-content/workspace/workspace-mgmt/backup-restore.md b/docs/docs-content/workspace/workspace-mgmt/backup-restore.md index 69043eacf6..98e825529b 100644 --- a/docs/docs-content/workspace/workspace-mgmt/backup-restore.md +++ b/docs/docs-content/workspace/workspace-mgmt/backup-restore.md 
@@ -15,14 +15,93 @@ The backup files will be stored in a backup location you configure. Each cluster ## Create a workspace backup -Creating a workspace +Backing up a workspace creates a backup file for every cluster in your workspace. Each cluster backup file will contain +all Kubernetes objects as well as volumes in the namespaces selected. ### Prerequisites +- You have configured at least one backup location for cluster backups. Refer to + [Add Backup Location using Static Credentials](../../clusters/cluster-management/backup-restore/add-backup-location-static.md). + +- You are logged in as a Palette user that has the permission to modify workspaces. For more information, refer to + [Permissions](../../user-management/palette-rbac/permissions.md). + +- The clusters in the workspace you want to backup are healthy and available. Unhealthy clusters will not be backed up. + + +- If you want to include volume snapshots in the backup, ensure that your CSI driver supports volume snapshots. For more + information about volume support, review the CSI pack README for your CSI driver in use. Refer to the [Volume Snapshots](../../clusters/cluster-management/backup-restore/backup-restore.md#volume-snapshots) section for more information. + + :::warning + + Ensure that `manifests.volume-snapshot-class.deletionPolicy` is set to the `Retain` value if you have configured as a layer in your cluster profile. This setting allows volume snapshot content to be retained when volume snapshots are deleted, facilitating backup and restore functionality. + + ```yaml hideClipboard {5} + volume-snapshot-class: + create: true + name: "spectro-volume-snapshot-class" + driver: "" + deletionPolicy: "Retain" + ``` + + Additionally, you must add the following snippet under the `manifests.volume-snapshot-class` field if you are using as your CSI layer on a cluster deployed to a MAAS environment. These labels ensure that the pack installs correctly. 
+ + ```yaml + extraLabels: + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/warn: privileged + ``` + + ::: + ### Procedure +1. Log in to [Palette](https://console.spectrocloud.com). + +2. In the **Drop-Down Menu** at the top of the page, choose the project that has your workspace. + +3. On the left **Main Menu**, click **Workspaces**. + +4. Click on the workspace you want to back up. + +5. Click **Settings** in the upper-right corner. + +6. Click **Schedule backups**. + +7. Fill in the following basic information about your scheduled backups. + + | Parameter | Description | + | ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | + | Backup prefix | The prefix to your backup file names. | + | Select backup location | Select a location to store your backup files. | + | Backup schedule | Configure a schedule for your backups. | + | Select expiry | The period for which your backup files are kept. Backup files past the expiry date are deleted automatically. | + | Include all disks | Select this checkbox if you want to include all the disks in the backup. | + | Include cluster-wide resources | Cluster wide resources are resources that are not namespaced but are scoped to the whole cluster, such as cluster roles. **Auto** option includes persistent volumes that are linked to claims within the selected namespaces, but exclude other cluster-wide resources. | + +8. Enter the namespaces you want to back up. + +9. Select the clusters you want to back up. + +10. Click **Save Changes**. + +The backup process will take some time ranging from 15 mins to hours depending on the scope of the backup. + ### Validate +1. 
Log in to [Palette](https://console.spectrocloud.com). + +2. In the **Drop-Down Menu** at the top of the page, choose the project that has your workspace. + +3. On the left **Main Menu**, click **Workspaces**. + +4. Click on the workspace you backed up. + +5. Click on the **Backups** tab. + +6. Confirm that your backup is in progress or completed. + ## Restore a workspace backup Restoring a workspace will restore the selected namespaces every cluster that is currently in the workspace to the same @@ -32,6 +111,37 @@ be restored. ### Prerequisites +- You have created a backup file for the workspace. + +- You are logged in as a Palette user that has the permission to modify workspaces. For more information, refer to + [Permissions](../../user-management/palette-rbac/permissions.md). + +- The clusters you want to restore are healthy and available. + ### Procedure +1. Log in to [Palette](https://console.spectrocloud.com). + +2. In the **Drop-Down Menu** at the top of the page, choose the project that has your workspace. + +3. On the left **Main Menu**, click **Workspaces**. + +4. Click on the workspace you want to restore. + +5. Click on **Backups** to switch to the backup tab. + +6. Click on a backup file you want to restore from. + +7, Click **Restore**. + ### Validate + +1. Log in to [Palette](https://console.spectrocloud.com). + +2. In the **Drop-Down Menu** at the top of the page, choose the project that has your workspace. + +3. On the left **Main Menu**, click **Workspaces**. + +4. Click on the workspace you restored. + +5. Ensure that the result of the restore was successful. From 30c6529ae4670b60f666e4c3f2cdeaf3af974c3f Mon Sep 17 00:00:00 2001 
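Review bot: the `:::warning` block in the @@ -15,14 +15,93 @@ hunk is missing the pack name in two places: `if you have configured as a layer in your cluster profile` and `if you are using as your CSI layer on a cluster deployed to a MAAS environment` both read as if the word before `as` was dropped. Separately, the `extraLabels` snippet applies `pod-security.kubernetes.io/enforce: privileged` (plus `audit` and `warn`); when those labels land on a namespace they set the Pod Security Admission level to privileged, i.e. no restriction, so please state which namespace receives them and keep the instruction explicitly scoped to MAAS so readers do not copy it into other environments. In the same hunk, the step 7 table row `Include cluster-wide resources` should read `but excludes other cluster-wide resources`, and since each cluster backup file contains `all Kubernetes objects as well as volumes in the namespaces selected`, that includes Secrets; the Prerequisites could remind readers that access to the backup location needs to be restricted accordingly.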
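Review bot: in the @@ -32,6 +111,37 @@ hunk, step 7 is numbered with a comma (`7, Click **Restore**.`), and the Validate step `Ensure that the result of the restore was successful.` does not tell the reader where to look; the backup Validate section points at the **Backups** tab, so an equally concrete check here (the status shown for the restore, then `kubectl get all --namespace <restored-namespace>` against one cluster) would help. The intro says the namespaces are restored `to the same state from which the backup was created`, but the Prerequisites do not say what happens to resources that currently exist in those namespaces (replaced, skipped or merged); since this runs against every cluster in the workspace, that behaviour should be spelled out before the procedure.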
From: Lenny Chen Date: Thu, 19 Dec 2024 17:20:37 -0800 Subject: [PATCH 12/21] docs: adjust page order --- docs/docs-content/workspace/workspace-mgmt/backup-restore.md | 1 + docs/docs-content/workspace/workspace-mgmt/configure-rbac.md | 1 + docs/docs-content/workspace/workspace-mgmt/delete-workspace.md | 1 + docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md | 1 + docs/docs-content/workspace/workspace-mgmt/restrict-images.md | 3 +-- docs/docs-content/workspace/workspace-mgmt/workspace-mgmt.md | 2 ++ 6 files changed, 7 insertions(+), 2 deletions(-) diff --git a/docs/docs-content/workspace/workspace-mgmt/backup-restore.md b/docs/docs-content/workspace/workspace-mgmt/backup-restore.md index 98e825529b..35bb9d7219 100644 --- a/docs/docs-content/workspace/workspace-mgmt/backup-restore.md +++ b/docs/docs-content/workspace/workspace-mgmt/backup-restore.md @@ -3,6 +3,7 @@ sidebar_label: Backup and Restore title: Backup and Restore description: "Learn how to configure backup and restore for your workspaces." hide_table_of_contents: false +sidebar_position: 30 tags: ["workspace"] --- diff --git a/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md b/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md index 5359701012..c9dc66daf9 100644 --- a/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md +++ b/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md @@ -3,6 +3,7 @@ sidebar_label: "Configure RBAC in Workspaces" title: "Configure RBAC in Workspaces" description: "Learn how to configure RBAC in workspaces." hide_table_of_contents: false +sidebar_position: 0 tags: ["workspace", "rbac"] --- diff --git a/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md b/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md index e5344ee05c..1a7cffbd30 100644 --- a/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md +++ b/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md 
@@ -3,6 +3,7 @@ sidebar_label: Delete Workspace title: Delete Workspace description: "Learn how to restrict certain images from being used by your workspace" hide_table_of_contents: false +sidebar_position: 40 tags: ["workspace"] --- diff --git a/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md b/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md index 14c2ecc256..21014490dc 100644 --- a/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md +++ b/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md @@ -3,6 +3,7 @@ sidebar_label: "Resource Management" title: "Resource Management" description: "Learn how to monitor workload resource consumption and implement resource quotas for your workspace." hide_table_of_contents: false +sidebar_position: 20 tags: ["workspace", "resource-management"] --- diff --git a/docs/docs-content/workspace/workspace-mgmt/restrict-images.md b/docs/docs-content/workspace/workspace-mgmt/restrict-images.md index b2751317f7..ab271b9d32 100644 --- a/docs/docs-content/workspace/workspace-mgmt/restrict-images.md +++ b/docs/docs-content/workspace/workspace-mgmt/restrict-images.md @@ -3,8 +3,7 @@ sidebar_label: Restrict Container Images title: Restrict Container Images description: "Learn how to restrict certain images from being used by your workspace" hide_table_of_contents: false -sidebar_custom_props: - icon: "workspaces" +sidebar_position: 60 tags: ["workspace"] --- diff --git a/docs/docs-content/workspace/workspace-mgmt/workspace-mgmt.md b/docs/docs-content/workspace/workspace-mgmt/workspace-mgmt.md index 00988ed36e..d125b4105d 100644 --- a/docs/docs-content/workspace/workspace-mgmt/workspace-mgmt.md +++ b/docs/docs-content/workspace/workspace-mgmt/workspace-mgmt.md @@ -18,6 +18,8 @@ quotas. - [Resource Management](resource-mgmt.md) +- [Backup and Restore](./backup-restore.md) + - [Restrict Container Images](restrict-images.md) - [Delete Workspace](./delete-workspace.md) 
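Review bot: the context line `description: "Learn how to restrict certain images from being used by your workspace"` in the delete-workspace.md hunk is a copy of the restrict-images.md description and should describe deleting a workspace; worth fixing while the front matter is being touched.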
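Review bot: the `sidebar_position` values assigned across these hunks (configure-rbac 0, resource-mgmt 20, backup-restore 30, delete-workspace 40, restrict-images 60) place **Delete Workspace** before **Restrict Container Images**, while the list added to workspace-mgmt.md in the last hunk orders Backup and Restore, Restrict Container Images, Delete Workspace. One of the two should change so the index page and the sidebar agree.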
From 7571e6b8e30444556c326cd23e2e915b46164f52 Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Thu, 19 Dec 2024 17:53:31 -0800 Subject: [PATCH 13/21] docs: add more examples --- .../workspace-mgmt/backup-restore.md | 9 ++-- .../workspace-mgmt/configure-rbac.md | 13 +++-- .../workspace-mgmt/delete-workspace.md | 2 + .../workspace/workspace-mgmt/resource-mgmt.md | 47 ++++++++++++++----- .../workspace-mgmt/restrict-images.md | 4 +- 5 files changed, 52 insertions(+), 23 deletions(-) diff --git a/docs/docs-content/workspace/workspace-mgmt/backup-restore.md b/docs/docs-content/workspace/workspace-mgmt/backup-restore.md index 35bb9d7219..553298179f 100644 --- a/docs/docs-content/workspace/workspace-mgmt/backup-restore.md +++ b/docs/docs-content/workspace/workspace-mgmt/backup-restore.md @@ -12,7 +12,8 @@ included in the workspace, across every cluster in the workspace. The backup fea Velero-based approach as regular cluster backups and are subject to the same limitations. For more information, refer to [Cluster Backup and Restore](../../clusters/cluster-management/backup-restore/backup-restore.md). -The backup files will be stored in a backup location you configure. Each cluster will have its own backup files. +The backup files will be stored in a backup location you configure. Each cluster will have its own backup files. When +you delete a workspace, the backup files will not be deleted. ## Create a workspace backup 
@@ -24,7 +25,7 @@ all Kubernetes objects as well as volumes in the namespaces selected. - You have configured at least one backup location for cluster backups. Refer to [Add Backup Location using Static Credentials](../../clusters/cluster-management/backup-restore/add-backup-location-static.md). -- You are logged in as a Palette user that has the permission to modify workspaces. For more information, refer to +- You are logged in as a Palette user that has the permission to back up workspaces. For more information, refer to [Permissions](../../user-management/palette-rbac/permissions.md). - The clusters in the workspace you want to backup are healthy and available. Unhealthy clusters will not be backed up. @@ -87,7 +88,7 @@ all Kubernetes objects as well as volumes in the namespaces selected. 10. Click **Save Changes**. -The backup process will take some time ranging from 15 mins to hours depending on the scope of the backup. +The backup process will take some time ranging from 15 minutes to hours depending on the scope of the backup. ### Validate @@ -114,7 +115,7 @@ be restored. - You have created a backup file for the workspace. -- You are logged in as a Palette user that has the permission to modify workspaces. For more information, refer to +- You are logged in as a Palette user that has the permission to restore workspaces. For more information, refer to [Permissions](../../user-management/palette-rbac/permissions.md). - The clusters you want to restore are healthy and available. diff --git a/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md b/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md index c9dc66daf9..05f5c98a4a 100644 --- a/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md +++ b/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md 
@@ -22,6 +22,10 @@ Kubernetes users, groups and service accounts. | Subjects | Kubernetes users, groups, and service accounts. | Palette users and teams | | Example resources | ConfigMaps, Secrets, Pods, StatefulSets, etc. | Cluster profiles, clusters, workspaces, Edge hosts, etc. | +Because workspace RBAC is built on top of Kubernetes RBAC, we recommend you becoming familiar with Kubernetes' RBAC +model before using workspace RBAC. For more information about RBAC in Kubernetes, refer to +[Kubernetes Documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) + ## Create Workspace-Level Role Bindings By creating a workspace-level role binding, you create role bindings in the all clusters in the workspace in the @@ -54,7 +58,7 @@ cluster role `podReader` to the service account `podReaderAccount` in that clust 6. If the namespace where you want to include are already in the workspace, skip this step. At the top of the page, enter the namespace you want to create the role bindings in. Note that doing so will include - the namespace in the workspace and Palette users who have access to this workspace will be able to see its workloads + the namespace in the workspace and Palette users who have access to this workspace will be able to view its workloads and resource consumption. Alternatively, enter a regex that match the namespaces where you want to create the role binding. Each regex needs to @@ -64,8 +68,9 @@ cluster role `podReader` to the service account `podReaderAccount` in that clust :::info - Using regex will _not_ include all the namespaces that match the regex in the workspace. It will still allow you to - create the role bindings, but the workloads in those namespaces will not be visible. + Using regex will _not_ include the namespaces that match the regex in the workspace. It will still allow you to + create the role bindings, but the workloads in those namespaces will not be visible, and you cannot backup those + namespaces. ::: 
@@ -108,7 +113,7 @@ By creating a workspace-level cluster role binding, you create the same cluster workspace. For example, if you create a cluster role binding that binds the cluster role `podReader` to the service account -`podReaderAccount`, every cluster will get the role binding that binds the the cluster role `podReader` to the service +`podReaderAccount`, every cluster will get the role binding that binds the cluster role `podReader` to the service account `podReaderAccount`. ### Prerequisites diff --git a/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md b/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md index 1a7cffbd30..729f866844 100644 --- a/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md +++ b/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md @@ -11,6 +11,8 @@ This page teaches you how to delete a workspace. Deleting a workspace removes re using the workspace, such as role bindings, cluster role bindings, and resource quotas. Deleting a workspace does not delete any of the clusters inside the workspace. +Deleting the workspace will not automatically delete any backup files you created for the workspace. + ## Prerequisites - An existing workspace. Refer to [Create a Workspace](../adding-a-new-workspace.md) to learn how to create a workspace. diff --git a/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md b/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md index 21014490dc..46e0a8b7e3 100644 --- a/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md +++ b/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md 
@@ -26,21 +26,23 @@ You can view more workloads by selecting the corresponding tab. For example, sel monitor pod workloads. Each tab will show you the CPU and memory consumption of the corresponding workload in the entire workspace. -| **Resource** | **Description availed from Workspace** | -| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| **Namespaces** | Cluster Specific namespaces with CPU and Memory utilization. | -| **Pods** | Lists all the pods running on a particular namespace with cluster names with the detailed health status, age, and resource utilization of each of them. | -| **Deployments** | All the running deployments specific to clusters belonging to the Workspace with namespace to which these deployments belong, pods details, replicas, and age are enumerated | -| **DaemonSets** | DaemonSet resource utilization is described, with details on namespaces, pods, and age of individual Daemon sets | -| **StatefulSets** | All the active StatefulSets specific to clusters belonging to the Workspace with corresponding namespace, pods details, replicas, and age are enumerated | -| **Jobs** | A Job creates one or more Pods and will continue to retry execution of the Pods until a specified number of them successfully terminate. | -| **CronJobs** | Cron Jobs are regularly scheduled actions or jobs such as backups, report generation, etc. Each of these jobs will recur as scheduled. | -| **RoleBinding** | A role binding grants the permissions defined in a role to a user or set of users. | -| **ClusterRoleBinding** | A Cluster Role binding defines the permissions defined across a cluster. 
| +| **Resource** | **Available information** | +| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | +| **Namespaces** | CPU and memory utilization of the namespace s in each cluster. | +| **Pods** | Lists all the pods running on a particular namespace with cluster names with the detailed health status, age, and resource utilization.. | +| **Deployments** | All deployments in the namespaces included in the workspace and their age, pods, and resource utilization. | +| **DaemonSets** | All daemon set in the namespaces included in the workspace and their age, pods, and resource utilization. | +| **StatefulSets** | All the active StatefulSets in the namespaces included in the workspace and their age, pods, replicas, and resource utilization. | +| **Jobs** | All jobs in the namespaces included in the workspace and their status. | +| **CronJobs** | All cron jobs in the namespaces included in the workspace and their status. | +| **RoleBinding** | All role bindings in the namespaces included in the workspace, including the role name and the subject name. | +| **ClusterRoleBinding** | All cluster role bindings in the clusters included in the workspace. | ## Implement Resource Quotas -You can implement resource quotas on an entire workspace, as well as implement them on individual namespaces. +You can implement resource quotas on an entire workspace or implement them on individual namespaces. Resource quotas are +implemented through Kubernetes' native ResourceQuota object. For more information about resource quotas in Kubernetes, +refer to [Kubernetes documentation](https://kubernetes.io/docs/concepts/policy/resource-quotas/). ### Prerequisites 
@@ -70,9 +72,28 @@ You can implement resource quotas on an entire workspace, as well as implement t and **Allocate memory** columns next to the namespace entry. By default, the namespace in each cluster has the same resource limit. You can change this and enter the limit on the - namespace in one particular cluster. You must ensure that resources alloted to individual namespaces do not exceed + namespace in one particular cluster. You must ensure that resources configured to individual namespaces do not exceed the workspace quota when added together. + For example, if you have three clusters in the workspace and impose a workspace-level quota of 8 Gi of memory and 8 + CPUs. When each instance of the namespace in each cluster are added together, the total memory and CPU quota cannot + exceed 8 Gi of memory and 8 CPUs. + + The following resource quota configuration is not allowed for a workspace with 8 Gi of memory and 8 CPUs because the + resource quotas add up to 11 Gi and 11 CPUs. + + | | Cluster 1 | Cluster 2 | + | ----------- | ------------ | ------------ | + | Namespace 1 | 4 Gi, 4 CPUs | 4 Gi, 4 CPUs | + | Namespace 2 | 2 Gi, 2 CPU | 1 Gi, 1 CPU | + + The following resource quota configuration is allowed because the total quota is 8 Gi and 8 CPUs. + + | | Cluster 1 | Cluster 2 | + | ----------- | ------------ | ------------ | + | Namespace 1 | 2 Gi, 2 CPUs | 2 Gi, 2 CPUs | + | Namespace 2 | 3 Gi, 3 CPU | 1 Gi, 1 CPU | + ### Validate 1. Connect to a cluster in your workspace using kubectl. For more information, refer to diff --git a/docs/docs-content/workspace/workspace-mgmt/restrict-images.md b/docs/docs-content/workspace/workspace-mgmt/restrict-images.md index ab271b9d32..5df9b171cb 100644 --- a/docs/docs-content/workspace/workspace-mgmt/restrict-images.md +++ b/docs/docs-content/workspace/workspace-mgmt/restrict-images.md 
@@ -7,8 +7,8 @@ sidebar_position: 60 tags: ["workspace"] --- -You can specify image URLs in a workspace to restrict access to images in your workspace for specific namespaces. -Restricted images cannot be loaded into any cluster in the namespaces you specify. +You can specify image URLs in a workspace to restrict access to those images for specific namespaces. Restricted images +cannot be loaded into any cluster in the namespaces you specify. Access control to images is achieved using Kyverno policies. For more information about Kyverno, refer to [Kyverno documentation](https://kyverno.io/). From 89f186fc4f248372875e258602ffd85baae912a7 Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Thu, 19 Dec 2024 17:53:53 -0800 Subject: [PATCH 14/21] docs: modify example --- docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md b/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md index 46e0a8b7e3..c0581f0f26 100644 --- a/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md +++ b/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md @@ -75,7 +75,7 @@ refer to [Kubernetes documentation](https://kubernetes.io/docs/concepts/policy/r namespace in one particular cluster. You must ensure that resources configured to individual namespaces do not exceed the workspace quota when added together. - For example, if you have three clusters in the workspace and impose a workspace-level quota of 8 Gi of memory and 8 + For example, if you have two clusters in the workspace and impose a workspace-level quota of 8 Gi of memory and 8 CPUs. When each instance of the namespace in each cluster are added together, the total memory and CPU quota cannot exceed 8 Gi of memory and 8 CPUs. From 64b258929729d96fac6ddbdf520774124e1e5c02 Mon Sep 17 00:00:00 2001 
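Review bot: in the configure-rbac.md hunk at @@ -22,6 +22,10 @@, `we recommend you becoming familiar` should be `we recommend you become familiar`, and the sentence ending with the Kubernetes link is missing its full stop. In the `:::info` hunk at @@ -64,8 +68,9 @@, `you cannot backup those namespaces` should read `back up`; more importantly, because a regex creates the role binding in every matching namespace without making those namespaces visible in the workspace, a broad pattern such as `.*` also binds the role in system namespaces like `kube-system` with no workspace-level visibility afterwards. A short warning to scope the regex tightly and to confirm the result with `kubectl get rolebindings --all-namespaces` would make that trade-off explicit.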
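Review bot: the new table in the resource-mgmt.md hunk at @@ -26,21 +26,23 @@ still has `namespace s` (stray space) in the **Namespaces** row, a double full stop in the **Pods** row, and `All daemon set` should be `All daemon sets`; these rows survive unchanged through the vale patch later in the series. In the quota hunk at @@ -70,9 +72,28 @@, `For example, if you have three clusters in the workspace and impose a workspace-level quota of 8 Gi of memory and 8 CPUs.` is a fragment (the count is corrected to two in the following patch, but the sentence still lacks a main clause), `resources configured to individual namespaces` reads better as `resources configured for individual namespaces`, and the example tables alternate between `2 Gi, 2 CPUs` and `3 Gi, 3 CPU`; pick one unit form.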
From: Lenny Chen Date: Fri, 20 Dec 2024 10:27:47 -0800 Subject: [PATCH 15/21] docs: add restore options --- .../workspace/workspace-mgmt/backup-restore.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/docs-content/workspace/workspace-mgmt/backup-restore.md b/docs/docs-content/workspace/workspace-mgmt/backup-restore.md index 553298179f..8e3b7143b0 100644 --- a/docs/docs-content/workspace/workspace-mgmt/backup-restore.md +++ b/docs/docs-content/workspace/workspace-mgmt/backup-restore.md @@ -134,7 +134,15 @@ be restored. 6. Click on a backup file you want to restore from. -7, Click **Restore**. +7. You have the following options for restoring the backup. + + | Option | Description | + | ------------------------- | ----------------------------------------------------------------------------- | + | Include Cluster Resources | Check the box to restore all the cluster scoped resources. | + | Preserve Node Ports | Check the box to preserve ports for node port service running in the cluster. | + | Restore PVs | Check the box to restore the persistent volumes. | + +7, Click **Restore Backup**. ### Validate From dc8b2fe80ca82ef64d7e2692b1a9720fff5d75b3 Mon Sep 17 00:00:00 2001 From: Lenny Chen Date: Fri, 20 Dec 2024 10:40:01 -0800 Subject: [PATCH 16/21] docs: vale --- .../workspace-mgmt/backup-restore.md | 10 ++++----- .../workspace/workspace-mgmt/resource-mgmt.md | 22 +++++++++---------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/docs/docs-content/workspace/workspace-mgmt/backup-restore.md b/docs/docs-content/workspace/workspace-mgmt/backup-restore.md index 8e3b7143b0..acd8f28d3b 100644 --- a/docs/docs-content/workspace/workspace-mgmt/backup-restore.md +++ b/docs/docs-content/workspace/workspace-mgmt/backup-restore.md 
@@ -136,11 +136,11 @@ be restored. 7. You have the following options for restoring the backup. - | Option | Description | - | ------------------------- | ----------------------------------------------------------------------------- | - | Include Cluster Resources | Check the box to restore all the cluster scoped resources. | - | Preserve Node Ports | Check the box to preserve ports for node port service running in the cluster. | - | Restore PVs | Check the box to restore the persistent volumes. | + | Option | Description | + | ------------------------- | --------------------------------------------------------------------- | + | Include Cluster Resources | Check the box to restore all the cluster scoped resources. | + | Preserve Node Ports | Check the box to preserve ports for node port service in the cluster. | + | Restore PVs | Check the box to restore the persistent volumes. | 7, Click **Restore Backup**. diff --git a/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md b/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md index c0581f0f26..98c982284e 100644 --- a/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md +++ b/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md 
@@ -26,17 +26,17 @@ You can view more workloads by selecting the corresponding tab. For example, sel monitor pod workloads. Each tab will show you the CPU and memory consumption of the corresponding workload in the entire workspace. -| **Resource** | **Available information** | -| ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | -| **Namespaces** | CPU and memory utilization of the namespace s in each cluster. | -| **Pods** | Lists all the pods running on a particular namespace with cluster names with the detailed health status, age, and resource utilization.. | -| **Deployments** | All deployments in the namespaces included in the workspace and their age, pods, and resource utilization. | -| **DaemonSets** | All daemon set in the namespaces included in the workspace and their age, pods, and resource utilization. | -| **StatefulSets** | All the active StatefulSets in the namespaces included in the workspace and their age, pods, replicas, and resource utilization. | -| **Jobs** | All jobs in the namespaces included in the workspace and their status. | -| **CronJobs** | All cron jobs in the namespaces included in the workspace and their status. | -| **RoleBinding** | All role bindings in the namespaces included in the workspace, including the role name and the subject name. | -| **ClusterRoleBinding** | All cluster role bindings in the clusters included in the workspace. | +| **Resource** | **Available information** | +| ---------------------- | -------------------------------------------------------------------------------------------------------------------------------- | +| **Namespaces** | CPU and memory utilization of the namespace s in each cluster. | +| **Pods** | Lists all the pods in a particular namespace with cluster names with the detailed health status, age, and resource utilization.. 
| +| **Deployments** | All deployments in the namespaces included in the workspace and their age, pods, and resource utilization. | +| **DaemonSets** | All daemon set in the namespaces included in the workspace and their age, pods, and resource utilization. | +| **StatefulSets** | All the active StatefulSets in the namespaces included in the workspace and their age, pods, replicas, and resource utilization. | +| **Jobs** | All jobs in the namespaces included in the workspace and their status. | +| **CronJobs** | All cron jobs in the namespaces included in the workspace and their status. | +| **RoleBinding** | All role bindings in the namespaces included in the workspace, including the role name and the subject name. | +| **ClusterRoleBinding** | All cluster role bindings in the clusters included in the workspace. | ## Implement Resource Quotas From 0b9727efbaf71b4a0cd66bdab86dce382308f00a Mon Sep 17 00:00:00 2001 From: Lenny Chen <55669665+lennessyy@users.noreply.github.com> Date: Fri, 20 Dec 2024 13:39:43 -0800 Subject: [PATCH 17/21] Apply suggestions from code review Co-authored-by: caroldelwing --- .../backup-restore/backup-restore.md | 4 +- .../workspace/adding-a-new-workspace.md | 26 ++++++------- .../workspace-mgmt/backup-restore.md | 20 +++++----- .../workspace-mgmt/configure-rbac.md | 38 +++++++++---------- 4 files changed, 44 insertions(+), 44 deletions(-) diff --git a/docs/docs-content/clusters/cluster-management/backup-restore/backup-restore.md b/docs/docs-content/clusters/cluster-management/backup-restore/backup-restore.md index 394a03ce67..da585acb50 100644 --- a/docs/docs-content/clusters/cluster-management/backup-restore/backup-restore.md +++ b/docs/docs-content/clusters/cluster-management/backup-restore/backup-restore.md 
@@ -43,8 +43,8 @@ To get started with creating a backup, check out the :::info If you are using a workspace, refer to the -[Manage Palette Workspace](../../../workspace/workspace-mgmt/workspace-mgmt.md) guide to learn more about backup and -restore actions for a workspace. +[Manage Palette Workspace](../../../workspace/workspace-mgmt/workspace-mgmt.md) guide to learn more about workspace backup and +restore actions. ::: diff --git a/docs/docs-content/workspace/adding-a-new-workspace.md b/docs/docs-content/workspace/adding-a-new-workspace.md index 246555f82a..1a9cb0fbe5 100644 --- a/docs/docs-content/workspace/adding-a-new-workspace.md +++ b/docs/docs-content/workspace/adding-a-new-workspace.md @@ -1,14 +1,14 @@ --- sidebar_label: "Create a Workspace" -title: "Create a workspace" -description: "How to create multi-cluster workspace in Palette." +title: "Create a Workspace" +description: "How to create a multi-cluster workspace in Palette." icon: "" hide_table_of_contents: false sidebar_position: 0 tags: ["workspace"] --- -Palette enables multi-cluster management and governance capabilities by introducing Workspaces. This page teaches you +Palette enables multi-cluster management and governance capabilities by introducing workspaces. This page teaches you how to create a workspace in Palette. All workspace settings can be updated after creation. ## Prerequisites 
@@ -27,11 +27,11 @@ how to create a workspace in Palette. All workspace settings can be updated afte 3. On the left **Main Menu**, click **Workspaces**. Then click **New Workspace**. -4. Add the Basic Information Provide the basic information for the workspace such as。 +4. Provide the basic information for the workspace. - - **Name**. The workspace name must be unique in the project. - - **Description**. An optional description for the workspace. - - **Tag**. Optional tags for the workspace. + - **Name**: The workspace name must be unique in the project. + - **Description**: An optional description for the workspace. + - **Tag**: Optional tags for the workspace. When you are finished, click **Next**. @@ -65,7 +65,7 @@ how to create a workspace in Palette. All workspace settings can be updated afte ::: -7. Enter the namespaces you want to include in the workspace. If the a cluster that is part of your workspace has that +7. Enter the namespaces you want to include in the workspace. If a cluster that is part of your workspace has that namespace, the namespace and all resources that are scoped within it will be included in the workspace. If any cluster in the workspace is missing the namespace you entered, the namespace will be created on that cluster. 
@@ -78,8 +78,8 @@ how to create a workspace in Palette. All workspace settings can be updated afte 9. You may also specify resource limits on specific namespaces. - For example, if you have two clusters `cluster1` and `cluster2`, and they each have a namespace called `default`. If - you impose a 2Gi memory limit on the namespace default, then the `default` namespace in both clusters will be able to + For example, if you have two clusters, `cluster1` and `cluster2`, and they each have a namespace called `default`. If + you impose a 2 Gi memory limit on the namespace default, then the `default` namespace in both clusters will be able to consume 2 Gi memory each. For more information about resource quotas, refer to [Resource Management](./workspace-mgmt/resource-mgmt.md). @@ -112,11 +112,11 @@ how to create a workspace in Palette. All workspace settings can be updated afte in the workspace. Like cluster backups in Palette, restoring a backup requires the source cluster to be available. When you restore a - back up, the namespaces that are backed up are restored to each cluster in the workspace. If you delete a cluster + backup, the namespaces that are backed up are restored to each cluster in the workspace. If you delete a cluster from the workspace, that cluster's backup will not be restored. For more information about backups, refer to - [Backup and Restore](../clusters/cluster-management/backup-restore/backup-restore.md) + [Backup and Restore](../clusters/cluster-management/backup-restore/backup-restore.md). 12. Lastly, you can restrict certain container images from being loaded in the namespaces that are managed by the workspace. To restrict images from being loaded by resources in a namespace, click **Add New Container Image**. 
@@ -129,7 +129,7 @@ how to create a workspace in Palette. All workspace settings can be updated afte 1. Log in to [Palette](https://console.spectrocloud.com). -2. In the **Drop-Down Menu** at the top of the page, choose the project you created the workspace in. +2. In the **drop-down Menu** at the top of the page, choose the project you created the workspace in. 3. On the left **Main Menu**, click **Workspaces**. diff --git a/docs/docs-content/workspace/workspace-mgmt/backup-restore.md b/docs/docs-content/workspace/workspace-mgmt/backup-restore.md index acd8f28d3b..283dbc6bc1 100644 --- a/docs/docs-content/workspace/workspace-mgmt/backup-restore.md +++ b/docs/docs-content/workspace/workspace-mgmt/backup-restore.md @@ -15,7 +15,7 @@ Velero-based approach as regular cluster backups and are subject to the same lim The backup files will be stored in a backup location you configure. Each cluster will have its own backup files. When you delete a workspace, the backup files will not be deleted. -## Create a workspace backup +## Create a Workspace Backup Backing up a workspace creates a backup file for every cluster in your workspace. Each cluster backup file will contain all Kubernetes objects as well as volumes in the namespaces selected. @@ -61,7 +61,7 @@ all Kubernetes objects as well as volumes in the namespaces selected. 1. Log in to [Palette](https://console.spectrocloud.com). -2. In the **Drop-Down Menu** at the top of the page, choose the project that has your workspace. +2. In the **drop-down Menu** at the top of the page, choose the project that has your workspace. 3. On the left **Main Menu**, click **Workspaces**. 
@@ -94,7 +94,7 @@ The backup process will take some time ranging from 15 minutes to hours dependin 1. Log in to [Palette](https://console.spectrocloud.com). -2. In the **Drop-Down Menu** at the top of the page, choose the project that has your workspace. +2. In the **drop-down Menu** at the top of the page, choose the project that has your workspace. 3. On the left **Main Menu**, click **Workspaces**. @@ -104,10 +104,10 @@ The backup process will take some time ranging from 15 minutes to hours dependin 6. Confirm that your backup is in progress or completed. -## Restore a workspace backup +## Restore a Workspace Backup -Restoring a workspace will restore the selected namespaces every cluster that is currently in the workspace to the same -state from which the backup was created. The clusters being restored must be healthy and reachable, because the restore +Restoring a workspace will restore the selected namespaces in every cluster that is currently in the workspace to the same +state from which the backup was created. The clusters being restored must be healthy and reachable, because the restore process relies on access to the Kubernetes API. If you have deleted a cluster from the workspace, the deleted cluster will not be restored. @@ -124,7 +124,7 @@ be restored. 1. Log in to [Palette](https://console.spectrocloud.com). -2. In the **Drop-Down Menu** at the top of the page, choose the project that has your workspace. +2. In the **drop-down Menu** at the top of the page, choose the project that has your workspace. 3. On the left **Main Menu**, click **Workspaces**. 
@@ -139,16 +139,16 @@ be restored. | Option | Description | | ------------------------- | --------------------------------------------------------------------- | | Include Cluster Resources | Check the box to restore all the cluster scoped resources. | - | Preserve Node Ports | Check the box to preserve ports for node port service in the cluster. | + | Preserve Node Ports | Check the box to preserve ports for the node port service in the cluster. | | Restore PVs | Check the box to restore the persistent volumes. | -7, Click **Restore Backup**. +8. Click **Restore Backup**. ### Validate 1. Log in to [Palette](https://console.spectrocloud.com). -2. In the **Drop-Down Menu** at the top of the page, choose the project that has your workspace. +2. In the **drop-down Menu** at the top of the page, choose the project that has your workspace. 3. On the left **Main Menu**, click **Workspaces**. diff --git a/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md b/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md index 05f5c98a4a..deb553d02e 100644 --- a/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md +++ b/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md 
@@ -14,26 +14,26 @@ how to create workspace-level role bindings and cluster role bindings. RBAC in workspaces is distinct from Palette RBAC. Palette RBAC regulates access to Palette resources such as clusters, workspaces, and Edge hosts and its subjects are Palette users. Workspace RBAC is an extension of Kubernetes' native RBAC model. It regulates access to Kubernetes objects in the clusters encompassed by the workspace, and its subjects are -Kubernetes users, groups and service accounts. +Kubernetes users, groups, and service accounts. | | Workspace RBAC | Palette RBAC | | --------------------- | -------------------------------------------------------- | -------------------------------------------------------- | | Access control domain | Kubernetes API objects in the clusters in the workspace. | Palette resources. | -| Subjects | Kubernetes users, groups, and service accounts. | Palette users and teams | +| Subjects | Kubernetes users, groups, and service accounts. | Palette users and teams. | | Example resources | ConfigMaps, Secrets, Pods, StatefulSets, etc. | Cluster profiles, clusters, workspaces, Edge hosts, etc. | Because workspace RBAC is built on top of Kubernetes RBAC, we recommend you becoming familiar with Kubernetes' RBAC -model before using workspace RBAC. For more information about RBAC in Kubernetes, refer to -[Kubernetes Documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) +model before using workspace RBAC. For more information about RBAC in Kubernetes, refer to the +[Kubernetes Documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/). ## Create Workspace-Level Role Bindings -By creating a workspace-level role binding, you create role bindings in the all clusters in the workspace in the +By creating a workspace-level role binding, you create role bindings in all clusters in the workspace in the namespaces you choose. 
You can also use Regular Expressions (regex) to create role bindings in all namespaces that match the regex. For example, if you create a role binding that binds the cluster role `podReader` to the service account -`podReaderAccount` in the `default` namespace. Every cluster in your workspace will get a role binding that binds the +`podReaderAccount` in the `default` namespace, every cluster in your workspace will get a role binding that binds the cluster role `podReader` to the service account `podReaderAccount` in that cluster's `default` namespace. ### Prerequisites @@ -47,7 +47,7 @@ cluster role `podReader` to the service account `podReaderAccount` in that clust 1. Log in to [Palette](https://console.spectrocloud.com). -2. In the **Drop-Down Menu** at the top of the page, choose the project that has your workspace. +2. In the **drop-down Menu** at the top of the page, choose the project that has your workspace. 3. On the left **Main Menu**, click **Workspaces**. 
@@ -55,14 +55,14 @@ cluster role `podReader` to the service account `podReaderAccount` in that clust 5. In the upper-right corner, click **Settings**. Then click **Namespaces**. -6. If the namespace where you want to include are already in the workspace, skip this step. +6. If the namespace where you want to include is already in the workspace, skip this step. At the top of the page, enter the namespace you want to create the role bindings in. Note that doing so will include the namespace in the workspace and Palette users who have access to this workspace will be able to view its workloads and resource consumption. - Alternatively, enter a regex that match the namespaces where you want to create the role binding. Each regex needs to - start and end with a forward slash`/`. For example `/palette-.*/` will match any namespace that starts with + Alternatively, enter a regex that matches the namespaces where you want to create the role binding. Each regex needs to + start and end with a forward slash `/`. For example `/palette-.*/` will match any namespace that starts with `palette-`. You may also use the negation symbol `~` to select all namespaces that do not match the regex. For example, `~/palette-.*/` matches everything that does not start with `palette-`. @@ -78,7 +78,7 @@ cluster role `podReader` to the service account `podReaderAccount` in that clust 8. In the **Namespace** field, select a namespace or the regex. Then enter the **Role type** and **Role name**. As is in Kubernetes, you can use either a role or a cluster role to create a role binding. If you use a cluster role, the - privilege of the cluster role will still be limited to the namespace where the role binding exists only. + privilege of the cluster role will still be limited to the namespace where the role binding exists. :::info 
@@ -89,22 +89,22 @@ cluster role `podReader` to the service account `podReaderAccount` in that clust ::: -9. Then in the **Subject** fields, choose the type of the subject and enter the subject name. You can enter as many +9. In the **Subject** fields, choose the type of the subject and enter the subject name. You can enter as many subjects as you need. -10: Click **Confirm**. +10. Click **Confirm**. ### Validate 1. Log in to [Palette](https://console.spectrocloud.com). -2. In the **Drop-Down Menu** at the top of the page, choose the project that has your workspace. +2. In the **drop-down Menu** at the top of the page, choose the project that has your workspace. 3. On the left **Main Menu**, click **Workspaces**. Select your workspace. 4. Switch to the **Role Bindings** tab. -5. Search for entries that starts with **spectro-on-demand-**. Open the these entries to confirm that the role bindings +5. Search for entries that starts with **spectro-on-demand-**. Open these entries to confirm that the role bindings bind the expected role to the expected subject. ## Configure Cluster Role Binding in All Clusters @@ -127,7 +127,7 @@ account `podReaderAccount`. 1. Log in to [Palette](https://console.spectrocloud.com). -2. In the **Drop-Down Menu** at the top of the page, choose the project that has your workspace. +2. In the **drop-down Menu** at the top of the page, choose the project that has your workspace. 3. On the left **Main Menu**, click **Workspaces**. @@ -141,7 +141,7 @@ account `podReaderAccount`. name of the subject. You can enter as many subjects as you need. As is with role bindings, neither the cluster role nor the subjects referenced need to exist when you create the - cluster role binding. However, you must make create them in each cluster. Otherwise, the cluster role binding will + cluster role binding. However, you must create them in each cluster. Otherwise, the cluster role binding will have no effect. 8. Click **Confirm**. 
@@ -150,11 +150,11 @@ account `podReaderAccount`. 1. Log in to [Palette](https://console.spectrocloud.com). -2. In the **Drop-Down Menu** at the top of the page, choose the project that has your workspace. +2. In the **drop-down Menu** at the top of the page, choose the project that has your workspace. 3. On the left **Main Menu**, click **Workspaces**. Select your workspace. 4. Switch to the **Cluster Role Bindings** tab. -5. Search for entries that starts with **spectro-on-demand-**. Open the these entries to confirm that the role bindings +5. Search for entries that start with **spectro-on-demand-**. Open these entries to confirm that the role bindings bind the expected role to the expected subject. From 2acecc3edafc363ddfccf80d93d1b60789f51447 Mon Sep 17 00:00:00 2001 From: Lenny Chen <55669665+lennessyy@users.noreply.github.com> Date: Fri, 20 Dec 2024 13:40:11 -0800 Subject: [PATCH 18/21] Update docs/docs-content/workspace/workspace-mgmt/delete-workspace.md --- docs/docs-content/workspace/workspace-mgmt/delete-workspace.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md b/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md index 729f866844..45915ff8ef 100644 --- a/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md +++ b/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md @@ -1,7 +1,7 @@ --- sidebar_label: Delete Workspace title: Delete Workspace -description: "Learn how to restrict certain images from being used by your workspace" +description: "Learn how to delete a workspace. " hide_table_of_contents: false sidebar_position: 40 tags: ["workspace"] From d37095f1b7bf83c2a05ebfd0a9aa501e72639dcd Mon Sep 17 00:00:00 2001 
From: Lenny Chen <55669665+lennessyy@users.noreply.github.com> Date: Fri, 20 Dec 2024 13:40:34 -0800 Subject: [PATCH 19/21] Apply suggestions from code review Co-authored-by: caroldelwing --- docs/docs-content/workspace/workspace.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/docs-content/workspace/workspace.md b/docs/docs-content/workspace/workspace.md index 46ce9f170a..19ca5edee8 100644 --- a/docs/docs-content/workspace/workspace.md +++ b/docs/docs-content/workspace/workspace.md @@ -8,7 +8,7 @@ sidebar_custom_props: tags: ["workspace"] --- -A workspaces in Palette consists of a group of clusters and namespaces and the resources scoped in those clusters and +A workspace in Palette consists of a group of clusters and namespaces and the resources scoped in those clusters and namespaces. Using workspaces enables you to provide application or team-specific governance and visibility into workloads, cost, and usage metrics. @@ -31,7 +31,7 @@ includes: ## Centralized Access Control Workspaces simplify Role-Based Access Control (RBAC) by centralizing management of role bindings and cluster role -bindings. You can specifying role bindings and cluster role bindings within the workspace to automatically apply them to +bindings. You can specify role bindings and cluster role bindings within the workspace to automatically apply them to all clusters, ensuring consistent and secure access policies across all clusters in a workspace. ## Visibility and Insights 
@@ -47,7 +47,7 @@ Workspaces enhance operational visibility and provide actionable insights ## Backup and Disaster Recovery -**Workspace-Based Backup**: extends cluster-level backups to include namespaces in all clusters within a workspace. For +**Workspace-Based Backup**: Extends cluster-level backups to include namespaces in all clusters within a workspace. For detailed prerequisites and instructions, refer to the [Backup and Restore](../clusters/cluster-management/backup-restore/backup-restore.md) page. From 0e60110f9bcaf579bf825531a59c5bc3c83067c3 Mon Sep 17 00:00:00 2001 From: Lenny Chen <55669665+lennessyy@users.noreply.github.com> Date: Fri, 20 Dec 2024 13:41:34 -0800 Subject: [PATCH 20/21] Apply suggestions from code review Co-authored-by: caroldelwing --- .../workspace/workspace-mgmt/delete-workspace.md | 6 +++--- .../workspace/workspace-mgmt/resource-mgmt.md | 12 ++++++------ .../workspace/workspace-mgmt/restrict-images.md | 2 +- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md b/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md index 45915ff8ef..0c54bb959c 100644 --- a/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md +++ b/docs/docs-content/workspace/workspace-mgmt/delete-workspace.md @@ -24,7 +24,7 @@ Deleting the workspace will not automatically delete any backup files you create 1. Log in to [Palette](https://console.spectrocloud.com). -2. In the **Drop-Down Menu** at the top of the page, choose the project that has your workspace. +2. In the **drop-down Menu** at the top of the page, choose the project that has your workspace. 3. On the left **Main Menu**, click **Workspaces**. 
@@ -34,13 +34,13 @@ Deleting the workspace will not automatically delete any backup files you create 6. Click **Delete Workspace**. -7. Enter the workspace name to confirm deletion. +7. Enter the workspace name to confirm the deletion. ## Validate 1. Log in to [Palette](https://console.spectrocloud.com). -2. In the **Drop-Down Menu** at the top of the page, choose the project that has your workspace. +2. In the **drop-down Menu** at the top of the page, choose the project that has your workspace. 3. On the left **Main Menu**, click **Workspaces**. diff --git a/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md b/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md index 98c982284e..b8545e1a0d 100644 --- a/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md +++ b/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md @@ -9,7 +9,7 @@ tags: ["workspace", "resource-management"] Workspaces give you a unified view of resource consumption in specified namespaces across all clusters in the workspace. Additionally, you can implement resource quotas for the workspace as a whole, or for individual namespaces. The resource -quotas are implemented using the native Kubernetes ResourceQuota object. Refer to +quotas are implemented using the native Kubernetes ResourceQuota object. Refer to the [Kubernetes documentation](https://kubernetes.io/docs/concepts/policy/resource-quotas) to learn more about resource quotas. 
@@ -26,10 +26,10 @@ You can view more workloads by selecting the corresponding tab. For example, sel monitor pod workloads. Each tab will show you the CPU and memory consumption of the corresponding workload in the entire workspace. -| **Resource** | **Available information** | +| **Resource** | **Available Information** | | ---------------------- | -------------------------------------------------------------------------------------------------------------------------------- | -| **Namespaces** | CPU and memory utilization of the namespace s in each cluster. | -| **Pods** | Lists all the pods in a particular namespace with cluster names with the detailed health status, age, and resource utilization.. | +| **Namespaces** | CPU and memory utilization of the namespace in each cluster. | +| **Pods** | Lists all the pods in a particular namespace with cluster names with detailed health status, age, and resource utilization. | | **Deployments** | All deployments in the namespaces included in the workspace and their age, pods, and resource utilization. | | **DaemonSets** | All daemon set in the namespaces included in the workspace and their age, pods, and resource utilization. | | **StatefulSets** | All the active StatefulSets in the namespaces included in the workspace and their age, pods, replicas, and resource utilization. | @@ -55,7 +55,7 @@ refer to [Kubernetes documentation](https://kubernetes.io/docs/concepts/policy/r 1. Log in to [Palette](https://console.spectrocloud.com). -2. In the **Drop-Down Menu** at the top of the page, choose the project that has your workspace. +2. In the **drop-down Menu** at the top of the page, choose the project that has your workspace. 3. On the left **Main Menu**, click **Workspaces**. 
@@ -76,7 +76,7 @@ refer to [Kubernetes documentation](https://kubernetes.io/docs/concepts/policy/r the workspace quota when added together. For example, if you have two clusters in the workspace and impose a workspace-level quota of 8 Gi of memory and 8 - CPUs. When each instance of the namespace in each cluster are added together, the total memory and CPU quota cannot + CPUs, when each instance of the namespace in each cluster is added together, the total memory and CPU quota cannot exceed 8 Gi of memory and 8 CPUs. The following resource quota configuration is not allowed for a workspace with 8 Gi of memory and 8 CPUs because the diff --git a/docs/docs-content/workspace/workspace-mgmt/restrict-images.md b/docs/docs-content/workspace/workspace-mgmt/restrict-images.md index 5df9b171cb..e41a4c0726 100644 --- a/docs/docs-content/workspace/workspace-mgmt/restrict-images.md +++ b/docs/docs-content/workspace/workspace-mgmt/restrict-images.md @@ -24,7 +24,7 @@ Access control to images is achieved using Kyverno policies. For more informatio 1. Log in to [Palette](https://console.spectrocloud.com). -2. In the **Drop-Down Menu** at the top of the page, choose the project that has your workspace. +2. In the **drop-down Menu** at the top of the page, choose the project that has your workspace. 3. On the left **Main Menu**, click **Workspaces**. From 8274d02f5696119f886bd86c38143cb2391f2efe Mon Sep 17 00:00:00 2001 From: lennessyy Date: Fri, 20 Dec 2024 21:45:00 +0000 Subject: [PATCH 21/21] ci: auto-formatting prettier issues --- .../backup-restore/backup-restore.md | 4 +-- .../workspace/adding-a-new-workspace.md | 4 +-- .../workspace-mgmt/backup-restore.md | 16 +++++------ .../workspace-mgmt/configure-rbac.md | 27 +++++++++---------- .../workspace/workspace-mgmt/resource-mgmt.md | 4 +-- 5 files changed, 27 insertions(+), 28 deletions(-) 
diff --git a/docs/docs-content/clusters/cluster-management/backup-restore/backup-restore.md b/docs/docs-content/clusters/cluster-management/backup-restore/backup-restore.md index da585acb50..9e18bd28e6 100644 --- a/docs/docs-content/clusters/cluster-management/backup-restore/backup-restore.md +++ b/docs/docs-content/clusters/cluster-management/backup-restore/backup-restore.md @@ -43,8 +43,8 @@ To get started with creating a backup, check out the :::info If you are using a workspace, refer to the -[Manage Palette Workspace](../../../workspace/workspace-mgmt/workspace-mgmt.md) guide to learn more about workspace backup and -restore actions. +[Manage Palette Workspace](../../../workspace/workspace-mgmt/workspace-mgmt.md) guide to learn more about workspace +backup and restore actions. ::: diff --git a/docs/docs-content/workspace/adding-a-new-workspace.md b/docs/docs-content/workspace/adding-a-new-workspace.md index 1a9cb0fbe5..2beec35090 100644 --- a/docs/docs-content/workspace/adding-a-new-workspace.md +++ b/docs/docs-content/workspace/adding-a-new-workspace.md @@ -79,8 +79,8 @@ how to create a workspace in Palette. All workspace settings can be updated afte 9. You may also specify resource limits on specific namespaces. For example, if you have two clusters, `cluster1` and `cluster2`, and they each have a namespace called `default`. If - you impose a 2 Gi memory limit on the namespace default, then the `default` namespace in both clusters will be able to - consume 2 Gi memory each. For more information about resource quotas, refer to + you impose a 2 Gi memory limit on the namespace default, then the `default` namespace in both clusters will be able + to consume 2 Gi memory each. For more information about resource quotas, refer to [Resource Management](./workspace-mgmt/resource-mgmt.md). You must ensure that the namespaced limits, when added together, do not exceed the total workspace limit you 
diff --git a/docs/docs-content/workspace/workspace-mgmt/backup-restore.md b/docs/docs-content/workspace/workspace-mgmt/backup-restore.md index 283dbc6bc1..831b70a61b 100644 --- a/docs/docs-content/workspace/workspace-mgmt/backup-restore.md +++ b/docs/docs-content/workspace/workspace-mgmt/backup-restore.md @@ -106,10 +106,10 @@ The backup process will take some time ranging from 15 minutes to hours dependin ## Restore a Workspace Backup -Restoring a workspace will restore the selected namespaces in every cluster that is currently in the workspace to the same -state from which the backup was created. The clusters being restored must be healthy and reachable, because the restore process -relies on access to the Kubernetes API. If you have deleted a cluster from the workspace, the deleted cluster will not -be restored. +Restoring a workspace will restore the selected namespaces in every cluster that is currently in the workspace to the +same state from which the backup was created. The clusters being restored must be healthy and reachable, because the +restore process relies on access to the Kubernetes API. If you have deleted a cluster from the workspace, the deleted +cluster will not be restored. ### Prerequisites 
@@ -136,11 +136,11 @@ be restored. 7. You have the following options for restoring the backup. - | Option | Description | - | ------------------------- | --------------------------------------------------------------------- | - | Include Cluster Resources | Check the box to restore all the cluster scoped resources. | + | Option | Description | + | ------------------------- | ------------------------------------------------------------------------- | + | Include Cluster Resources | Check the box to restore all the cluster scoped resources. | | Preserve Node Ports | Check the box to preserve ports for the node port service in the cluster. | - | Restore PVs | Check the box to restore the persistent volumes. | + | Restore PVs | Check the box to restore the persistent volumes. | 8. Click **Restore Backup**. diff --git a/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md b/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md index deb553d02e..46bea51dd4 100644 --- a/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md +++ b/docs/docs-content/workspace/workspace-mgmt/configure-rbac.md @@ -19,7 +19,7 @@ Kubernetes users, groups, and service accounts. | | Workspace RBAC | Palette RBAC | | --------------------- | -------------------------------------------------------- | -------------------------------------------------------- | | Access control domain | Kubernetes API objects in the clusters in the workspace. | Palette resources. | -| Subjects | Kubernetes users, groups, and service accounts. | Palette users and teams. | +| Subjects | Kubernetes users, groups, and service accounts. | Palette users and teams. | | Example resources | ConfigMaps, Secrets, Pods, StatefulSets, etc. | Cluster profiles, clusters, workspaces, Edge hosts, etc. | Because workspace RBAC is built on top of Kubernetes RBAC, we recommend you becoming familiar with Kubernetes' RBAC 
@@ -28,9 +28,8 @@ model before using workspace RBAC. For more information about RBAC in Kubernetes ## Create Workspace-Level Role Bindings -By creating a workspace-level role binding, you create role bindings in all clusters in the workspace in the -namespaces you choose. You can also use Regular Expressions (regex) to create role bindings in all namespaces that match -the regex. +By creating a workspace-level role binding, you create role bindings in all clusters in the workspace in the namespaces +you choose. You can also use Regular Expressions (regex) to create role bindings in all namespaces that match the regex. For example, if you create a role binding that binds the cluster role `podReader` to the service account `podReaderAccount` in the `default` namespace, every cluster in your workspace will get a role binding that binds the @@ -61,8 +60,8 @@ cluster role `podReader` to the service account `podReaderAccount` in that clust the namespace in the workspace and Palette users who have access to this workspace will be able to view its workloads and resource consumption. - Alternatively, enter a regex that matches the namespaces where you want to create the role binding. Each regex needs to - start and end with a forward slash `/`. For example `/palette-.*/` will match any namespace that starts with + Alternatively, enter a regex that matches the namespaces where you want to create the role binding. Each regex needs + to start and end with a forward slash `/`. For example `/palette-.*/` will match any namespace that starts with `palette-`. You may also use the negation symbol `~` to select all namespaces that do not match the regex. For example, `~/palette-.*/` matches everything that does not start with `palette-`. 
@@ -89,8 +88,8 @@ cluster role `podReader` to the service account `podReaderAccount` in that clust ::: -9. In the **Subject** fields, choose the type of the subject and enter the subject name. You can enter as many - subjects as you need. +9. In the **Subject** fields, choose the type of the subject and enter the subject name. You can enter as many subjects + as you need. 10. Click **Confirm**. @@ -104,8 +103,8 @@ cluster role `podReader` to the service account `podReaderAccount` in that clust 4. Switch to the **Role Bindings** tab. -5. Search for entries that starts with **spectro-on-demand-**. Open these entries to confirm that the role bindings - bind the expected role to the expected subject. +5. Search for entries that starts with **spectro-on-demand-**. Open these entries to confirm that the role bindings bind + the expected role to the expected subject. ## Configure Cluster Role Binding in All Clusters @@ -141,8 +140,8 @@ account `podReaderAccount`. name of the subject. You can enter as many subjects as you need. As is with role bindings, neither the cluster role nor the subjects referenced need to exist when you create the - cluster role binding. However, you must create them in each cluster. Otherwise, the cluster role binding will - have no effect. + cluster role binding. However, you must create them in each cluster. Otherwise, the cluster role binding will have no + effect. 8. Click **Confirm**. @@ -156,5 +155,5 @@ account `podReaderAccount`. 4. Switch to the **Cluster Role Bindings** tab. -5. Search for entries that start with **spectro-on-demand-**. Open these entries to confirm that the role bindings - bind the expected role to the expected subject. +5. Search for entries that start with **spectro-on-demand-**. Open these entries to confirm that the role bindings bind + the expected role to the expected subject. 
diff --git a/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md b/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md index b8545e1a0d..a74247e7b6 100644 --- a/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md +++ b/docs/docs-content/workspace/workspace-mgmt/resource-mgmt.md @@ -28,8 +28,8 @@ workspace. | **Resource** | **Available Information** | | ---------------------- | -------------------------------------------------------------------------------------------------------------------------------- | -| **Namespaces** | CPU and memory utilization of the namespace in each cluster. | -| **Pods** | Lists all the pods in a particular namespace with cluster names with detailed health status, age, and resource utilization. | +| **Namespaces** | CPU and memory utilization of the namespace in each cluster. | +| **Pods** | Lists all the pods in a particular namespace with cluster names with detailed health status, age, and resource utilization. | | **Deployments** | All deployments in the namespaces included in the workspace and their age, pods, and resource utilization. | | **DaemonSets** | All daemon set in the namespaces included in the workspace and their age, pods, and resource utilization. | | **StatefulSets** | All the active StatefulSets in the namespaces included in the workspace and their age, pods, replicas, and resource utilization. |
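Review bot: The rewritten example in adding-a-new-workspace.md hunk `@@ -78,8 +78,8 @@` is still a sentence fragment: "For example, if you have two clusters, `cluster1` and `cluster2`, and they each have a namespace called `default`." has no main clause, and the prettier rewrap in patch 21 (`@@ -79,8 +79,8 @@`) keeps it. Suggest "For example, suppose you have two clusters, `cluster1` and `cluster2`, and each has a namespace called `default`. If you impose a 2 Gi memory limit on the `default` namespace, the `default` namespace in both clusters will be able to consume 2 Gi of memory each." (also code-format the second `default`, which the hunk leaves as plain "default").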
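Review bot: The substitution of "**Drop-Down Menu**" with "**drop-down Menu**" (first in adding-a-new-workspace.md `@@ -129,7 +129,7 @@`, then repeated in every backup-restore.md, configure-rbac.md, delete-workspace.md, resource-mgmt.md and restrict-images.md hunk) mixes a lower-case "drop-down" with a capitalised "Menu". Pick one casing for the UI label: either keep "**Drop-Down Menu**", which matches the "**Main Menu**" label on the very next line of each hunk, or use "**drop-down menu**" throughout.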
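Review bot: In configure-rbac.md hunk `@@ -14,26 +14,26 @@` the unchanged context line "we recommend you becoming familiar with Kubernetes' RBAC model" is ungrammatical and survives into patch 21 (`@@ -19,7 +19,7 @@`). Suggest "we recommend that you become familiar with the Kubernetes RBAC model", since this hunk is already touching the neighbouring sentence.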
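Review bot: Step 6 in configure-rbac.md hunk `@@ -55,14 +55,14 @@` still reads oddly after the fix: "If the namespace where you want to include is already in the workspace" should be "If the namespace you want to include is already in the workspace". The same hunk's regex paragraph should also state whether matching is anchored, because "`/palette-.*/` will match any namespace that starts with `palette-`" is only true if it is; and since "`~/palette-.*/` matches everything that does not start with `palette-`", a negated regex also selects the cluster's system namespaces, so the role binding lands there too. Given that the step already warns that an included namespace becomes visible to every Palette user with workspace access, one sentence telling readers to verify the matched namespace list before confirming would fit here.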
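Review bot: The Validate step 5 in configure-rbac.md hunk `@@ -89,22 +89,22 @@` keeps "Search for entries that starts with **spectro-on-demand-**" while the parallel hunk `@@ -150,11 +150,11 @@` corrects the same sentence to "entries that start with"; the prettier rewrap in patch 21 (`@@ -104,8 +103,8 @@`) carries the uncorrected "starts" forward. Change it to "start" here so both Validate sections read the same.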
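Review bot: In configure-rbac.md hunk `@@ -141,7 +141,7 @@`, after "neither the cluster role nor the subjects referenced need to exist when you create the cluster role binding. However, you must create them in each cluster. Otherwise, the cluster role binding will have no effect." it is worth adding that the binding takes effect as soon as a cluster role and subject with those names are created in a cluster, because Kubernetes resolves the references by name at authorization time. Readers should therefore treat a pre-created binding as a standing grant to whatever those names later denote, and check the names carefully before confirming.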
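Review bot: The new front matter value in delete-workspace.md hunk `@@ -1,7 +1,7 @@`, `description: "Learn how to delete a workspace. "`, has a trailing space inside the quotes; drop it so the rendered meta description does not carry stray whitespace.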
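Review bot: The **Pods** row in resource-mgmt.md hunk `@@ -26,10 +26,10 @@` still has a doubled preposition, "in a particular namespace with cluster names with detailed health status"; suggest "in a particular namespace, along with the cluster name, detailed health status, age, and resource utilization." In the same table the unchanged **DaemonSets** context line reads "All daemon set in the namespaces", which should be "All DaemonSets in the namespaces" to match the **StatefulSets** row directly below it.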
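Review bot: The rewritten sentence in resource-mgmt.md hunk `@@ -76,7 +76,7 @@` is now a run-on: "if you have two clusters ... and 8 CPUs, when each instance of the namespace in each cluster is added together, the total memory and CPU quota cannot exceed 8 Gi of memory and 8 CPUs." Split it into two sentences, for example "For example, suppose you have two clusters in the workspace and impose a workspace-level quota of 8 Gi of memory and 8 CPUs. When the quotas for the namespace in each cluster are added together, the total cannot exceed 8 Gi of memory and 8 CPUs."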