How did you implement tenants? What do you think about Capsule?
github.com/clastix/capsule-proxy Should address the list namespace issue. Although I am just now digging into all of this. Thanks for all the great content!
$ kubectl --context alice-oidc@mycluster get namespaces
NAME              STATUS   AGE
gas-marketing     Active   2m
oil-development   Active   2m
oil-production    Active   2m
@@MrTmorton77 I think I mentioned it in the video. I don't think the proxy is the solution but, rather, a workaround. That would need to be changed in Kubernetes itself to make it transparent for the users.
@@DevOpsToolkit you did, I just commented before I heard it. :) Looking forward to your video on HNS.
Can we use the multi-tenant concept to maintain different envs (dev, stage, prod)?
Your description of tenant and multi-tenant with apartments example is just awesome ♥️
Hey Viktor, would love to hear more about your thoughts on hierarchical-namespaces.
Adding it to my TODO list... :)
I like this type of content!!! I like innovative Cloud Native Solutions! Keep it up bro
Thanks. This tool seems very promising. As you said, sometimes Kubernetes clusters can be used for prototyping, educational, testing, etc. and using Capsule can provide this level of isolation to share the same infra resources at the same time
Capsule is indeed awesome. Nevertheless, I think I have an even better option. If everything goes as planned, it should be published next Monday.
Multitenancy is a very hard problem to crack, capsule looks promising. I would also like to see a deep dive on hierarchical namespaces please.
HNS is coming... :)
I wonder if Capsule could be paired with some WebUI/GUI for limited scope of actions but full UI for tenants...
I'll have a video about that in about 3 weeks :)
This video came out at the right time, thank you!
Hey Viktor, thanks for the video
Can you do a video on multi-cluster/tenancy monitoring using prometheus-stack and thanos/cortex with HA
That's a good one. Adding it to my TODO list... :)
At least one provider delivers managed k3s, thus having a lot less overhead for the control plane and still having per customer/tenant clusters
Oh yeah. When using k3s and with something as fast and cheap as, let's say Civo, it does not make sense to create virtual clusters. However, most of k8s usage is in AWS, GCP, and Azure and they are slow and cost a lot for such usage.
@@DevOpsToolkit yes, you (unintentionally?) guessed right, it was Civo which I had in mind. It really makes you think: do we really need k8s for new clusters? How much am I missing with going with k3s?
@@autohmae Let's put it this way... For larger clusters, the difference in the time to create a cluster or the resource overhead is not big (relatively speaking). So, I would not go with k3s for an HA cluster with many nodes. It's not worth it. I still prefer GKE, EKS, AKS, etc. But, if you have smaller clusters and, especially if you create/destroy them often, those differences are relevant and using k3s makes a lot of sense. I might, for example, use GKE as the production cluster, but Civo for development or preview clusters that are created/destroyed on-demand and relatively frequently.
@@DevOpsToolkit my thinking is where I want to move to is gitops+Cluster-API. So yeah.
nice 1.
or should I say, "nyice vun".
elite videos!
Thanks Victor for the wonderful explanation around multi-tenant clusters. How do you compare Capsule with other CNCF certified projects such as SAP Gardener or even Kubernetes Kubermatic Platform? These are really cool solutions to manage multitenancy across multi-geo locations.
Capsule is mostly focused on solving multi-tenancy problems within a cluster while those you mentioned are more focused on how to manage multiple clusters. I'm planning to do a video about both.
In the meantime, a new video about a potentially better solution for multi-tenancy will be published in a few hours :)
Hi Viktor, Thank you for this video. Did you have any chance to check/use kiosk from loft for multi-tenancy in k8s?
Not yet! Adding it to my TODO list... :)
Hi Viktor, thanks for the video, capsule looks interesting.
Would you mind to make a video about automating cluster bootstrapping? Let's say, we provisioned our k8s cluster with a tool like terraform... Then comes all the other components which are required for real world production multi-tenant clusters like: argocd, sealed secrets, gatekeeper, istio, trident, prometheus, fluentbit, RBAC policies, namespaces for projects etc... How would you automate this?
What we started to build up is that when we create the cluster the last step in the provisioning with terraform is to setup argocd and use app-to-app pattern to bring up all these components (starting with sealed secrets and a key restore). This seems to be working (we are at very early stage) but we would be interested in your thoughts :)
I do something similar. I would create a cluster with Terraform and do the initial installation of Argo CD and the root app which, initially, would have only Sealed Secrets and Argo CD (so that it manages itself). From there on, it's all about adding the rest of the resources to Git repos and letting Argo CD do the "magic".
That being said, I'm moving towards a different model in which Crossplane would replace both Terraform and the initial k8s resources like, for example, Argo CD. On top of that, I'm using Crossplane Composites to simplify the process in a way that anyone can define anything in a very simple way. I'll be making a video (or a video videos) on that subject soon.
@@DevOpsToolkit are you saying that Crossplane can replace Argo CD all together or are you just talking about for bootstrapping a cluster? I would love to hear more about the solution you are working on. I love your videos!
I'm saying that Crossplane can replace Terraform as well as do the initial installation of Argo CD (even though that part is not important). Since Crossplane is based on k8s resources, it is a great combination with Argo CD (not a replacement). With Crossplane managing your infra, you can have everything synced with Argo CD (not only your apps).
Nice informative video. Do Capsule and Open Policy Agent both have the same work?
Conceptually, there is overlap. Part of Capsule is about ensuring that tenants "behave". However, that's only conceptually. In practice, it would be very hard (not to say impossible) to do the same through OPA simply because Kubernetes itself does not have multi-tenancy baked in. If you would use OPA for validating tenants' operations, you'd still need a solution for creating tenants.
Hi Victor! Thank you for review. Is it better than Loft?
It's different. Capsule makes multi-tenancy "invisible" for users, but its scope is smaller than Loft.
I'll do my best to create a comparison video.
Just published a review of Loft vcluster :)
th-cam.com/video/JqBjpvp268Y/w-d-xo.html
@@DevOpsToolkit Good job, thank you Victor!
Nice 👍