Last active
November 23, 2020 11:57
Multi-tenant Kubernetes Clusters with the HAProxy Kubernetes Ingress Controller
```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: dev
```
```sh
$ kubectl apply -f dev-namespace.yaml
```
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: my-configmap
  namespace: dev
data:
  foo: 'bar'
```
```sh
$ kubectl get configmaps --namespace=dev
```
```console
$ kubectl get namespaces
NAME      STATUS   AGE
default   Active   4m33s
dev       Active   2m38s
```
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-edit
  namespace: dev   # grants permissions within the "dev" namespace
subjects:
- kind: User
  name: bob        # permissions for a user named bob
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit       # read/write access
  apiGroup: rbac.authorization.k8s.io
```
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-edit
  namespace: dev   # grants permissions within the "dev" namespace
subjects:
- kind: Group
  name: dev-group  # permissions for the group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit       # read/write access
  apiGroup: rbac.authorization.k8s.io
```
```sh
$ kubectl apply -f dev-rolebinding.yaml
```
```sh
# Sign it with the cluster's CA certificate
# This creates bob.crt
$ openssl x509 -req -in bob.csr -CA ~/.minikube/ca.crt -CAkey ~/.minikube/ca.key -CAcreateserial -out bob.crt -days 1000
```
```sh
$ kubectl config set-credentials bob --client-certificate=bob.crt --client-key=bob.key
$ kubectl config set-context minikube-bob --cluster=minikube --user=bob
$ kubectl config use-context minikube-bob
```
```console
$ kubectl get pods --namespace=dev
NAME                   READY   STATUS    RESTARTS   AGE
app-66d9457bf5-vpbnw   1/1     Running   1          22h
$ kubectl get pods --namespace=default
Error from server (Forbidden): pods is forbidden: User "bob" cannot list resource "pods" in API group "" in the namespace "default"
```
```sh
$ kubectl config use-context minikube
```
```sh
$ helm install onlydev haproxytech/kubernetes-ingress \
    --set-string "controller.extraArgs={--namespace-whitelist=dev}"
```
```sh
$ helm install onlydev haproxytech/kubernetes-ingress \
    --set-string "controller.extraArgs={--namespace-whitelist=dev-team-a,--namespace-whitelist=dev-team-b}"
```
```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: app-ingress
  namespace: dev
spec:
  rules:
  - http:
      paths:
      - path: /app-service
        backend:
          serviceName: app-service
          servicePort: 80
```
```sh
$ helm install intranet haproxytech/kubernetes-ingress \
    --set controller.ingressClass=intranet
```
```yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: app-ingress-internal
  namespace: default
  annotations:
    haproxy.org/ingress.class: "intranet"
spec:
  rules:
  - http:
      paths:
      - path: /app-service
        backend:
          serviceName: app-service-internal
          servicePort: 80
```
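The helm installs and Ingress manifests above set up two controller instances that must not serve each other's tenants: `onlydev` watches only the `dev` namespace (via `--namespace-whitelist`), and `intranet` serves only Ingresses annotated with `haproxy.org/ingress.class: "intranet"`. The following Python example is an added illustration, not code from the gist or from the HAProxy project. It models that scoping so a cluster operator can check, for a list of Ingress objects, which controller would pick each one up and whether any Ingress is left unserved or served by two controllers at once. The matching rule it implements is an assumption stated in the code: an Ingress's class annotation (treated as the empty string when missing) must equal the controller's configured class (empty when none is set); the helm list syntax `controller.extraArgs={...}` is parsed for the repeatable `--namespace-whitelist` flag shown above, and no other controller flag is modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Annotation the HAProxy Kubernetes Ingress Controller reads for the ingress class
CLASS_ANNOTATION = "haproxy.org/ingress.class"


@dataclass
class Ingress:
    name: str
    namespace: str
    annotations: Dict[str, str] = field(default_factory=dict)

    @property
    def ingress_class(self) -> str:
        # Assumption of this model: a missing annotation counts as the empty class.
        return self.annotations.get(CLASS_ANNOTATION, "")


@dataclass
class Controller:
    """Scope of one controller instance as configured through helm."""
    name: str
    namespaces: List[str] = field(default_factory=list)  # empty = every namespace
    ingress_class: str = ""                               # "" = no class configured

    @classmethod
    def from_helm(cls, name: str, extra_args: str = "", ingress_class: str = "") -> "Controller":
        """extra_args is the value given to --set-string controller.extraArgs,
        e.g. '{--namespace-whitelist=dev-team-a,--namespace-whitelist=dev-team-b}';
        ingress_class is the value given to --set controller.ingressClass."""
        namespaces: List[str] = []
        for arg in extra_args.strip().strip("{}").split(","):
            arg = arg.strip()
            if not arg:
                continue
            flag, _, value = arg.partition("=")
            if flag != "--namespace-whitelist":
                raise ValueError(f"flag not covered by this model: {flag}")
            namespaces.append(value)
        return cls(name, namespaces, ingress_class)

    def handles(self, ing: Ingress) -> bool:
        # Namespace whitelist: anything outside it is never watched at all.
        if self.namespaces and ing.namespace not in self.namespaces:
            return False
        # Assumed class rule: annotation (missing -> "") must equal the
        # controller's class ("" when none was configured).
        return ing.ingress_class == self.ingress_class


def serving_map(controllers: List[Controller], ingresses: List[Ingress]) -> Dict[str, List[str]]:
    """For each Ingress ('namespace/name'), the names of the controllers that would serve it."""
    return {f"{i.namespace}/{i.name}": [c.name for c in controllers if c.handles(i)]
            for i in ingresses}


def isolation_problems(controllers: List[Controller], ingresses: List[Ingress]) -> List[str]:
    """Flag Ingresses served by no controller (dead route) or by more than one
    (two tenants' controllers would both publish it)."""
    problems = []
    for key, owners in serving_map(controllers, ingresses).items():
        if not owners:
            problems.append(f"{key}: served by no controller")
        elif len(owners) > 1:
            problems.append(f"{key}: served by several controllers {owners}")
    return problems


# Constructed sample mirroring the helm commands and manifests above
CONTROLLERS = [
    Controller.from_helm("onlydev", "{--namespace-whitelist=dev}"),
    Controller.from_helm("intranet", ingress_class="intranet"),
]
INGRESSES = [
    Ingress("app-ingress", "dev"),
    Ingress("app-ingress-internal", "default", {CLASS_ANNOTATION: "intranet"}),
    Ingress("other-app", "default"),  # constructed: unclassed Ingress outside dev
]

if __name__ == "__main__":
    for key, owners in serving_map(CONTROLLERS, INGRESSES).items():
        print(f"{key:32} -> {owners}")
    for problem in isolation_problems(CONTROLLERS, INGRESSES):
        print("WARN", problem)
```

Run as-is, the sample reports `dev/app-ingress` served by `onlydev`, `default/app-ingress-internal` served by `intranet`, and a warning for the constructed `default/other-app`, which neither controller picks up: it is outside the `onlydev` whitelist and carries no `intranet` class. That unserved case is the one to watch when adding a tenant namespace without adding it to a controller's whitelist.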
```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: dev-resources
  namespace: dev
spec:
  hard:
    requests.cpu: "1"
    requests.memory: 1Gi
    limits.cpu: "2"
    limits.memory: 2Gi
```
```sh
$ kubectl apply -f dev-quota.yaml
```
```console
$ kubectl describe resourcequota dev-resources -n dev
Name:            dev-resources
Namespace:       dev
Resource         Used  Hard
--------         ----  ----
limits.cpu       0     2
limits.memory    0     2Gi
requests.cpu     500m  1
requests.memory  50Mi  1Gi
```
```sh
# Create a certificate signing request with CN=bob and O=dev-group
# This creates bob.csr and bob.key
$ openssl req -newkey rsa:2048 -nodes -keyout bob.key -out bob.csr -subj "/CN=bob/O=dev-group"
```
```sh
$ cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: bob
spec:
  request: $(cat bob.csr | base64 | tr -d '\n')
  usages:
  - digital signature
EOF
```
```sh
$ kubectl certificate approve bob
```
```sh
$ kubectl get csr bob -o jsonpath='{.status.certificate}' | base64 --decode > bob.crt
```
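The certificate flow above (CSR with `CN=bob` and `O=dev-group`, submitted as a `CertificateSigningRequest`, then `kubectl certificate approve bob`) is what ties the client certificate to the RoleBinding subjects: Kubernetes takes the user name from CN and every `O=` value as a group. Whoever approves the CSR should therefore confirm the subject really is the one the RoleBinding was written for before approving. The following Python example is an added illustration, not code from the gist. It reads a CSR's subject by shelling out to the `openssl` CLI (assumed to be on PATH, with its `-nameopt sep_multiline` output format), and reports anything that should block approval: a CN other than the expected user, an `O=` list that is not exactly the expected group, or the built-in `system:masters` group, which is bound to `cluster-admin` by default. The `make_csr` helper and the two CSRs generated in the demo are constructed for the example.

```python
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List

# Group that Kubernetes binds to cluster-admin out of the box; a tenant CSR
# must never carry it in O=
CLUSTER_ADMIN_GROUP = "system:masters"


def parse_subject(text: str) -> Dict[str, List[str]]:
    """Parse the output of 'openssl req -noout -subject -nameopt sep_multiline'
    (a 'subject=' header, then one 'ATTR=value' per indented line) into
    attr -> list of values. Lists are kept because O= may repeat."""
    attrs: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("subject="):
            continue
        key, _, value = line.partition("=")
        attrs.setdefault(key, []).append(value)
    return attrs


def csr_subject(csr_path: str) -> Dict[str, List[str]]:
    """Read the subject of a PEM CSR on disk via the openssl CLI (assumed installed)."""
    result = subprocess.run(
        ["openssl", "req", "-in", csr_path, "-noout", "-subject", "-nameopt", "sep_multiline"],
        check=True, capture_output=True, text=True)
    return parse_subject(result.stdout)


def tenant_problems(attrs: Dict[str, List[str]], user: str, group: str) -> List[str]:
    """Reasons a CSR subject should not be approved for this tenant: CN must be
    exactly the User the RoleBinding names, O must be exactly the Group it
    names, and the cluster-admin group must not appear anywhere in O."""
    problems = []
    if attrs.get("CN", []) != [user]:
        problems.append(f"CN is {attrs.get('CN', [])}, expected [{user!r}]")
    orgs = attrs.get("O", [])
    if orgs != [group]:
        problems.append(f"O is {orgs}, expected [{group!r}]")
    if CLUSTER_ADMIN_GROUP in orgs:
        problems.append(f"O contains {CLUSTER_ADMIN_GROUP}, which grants cluster-admin")
    return problems


def make_csr(directory: Path, name: str, subj: str) -> str:
    """Generate a throwaway key and CSR with openssl (constructed input for the demo)."""
    csr = directory / f"{name}.csr"
    subprocess.run(["openssl", "req", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", str(directory / f"{name}.key"), "-out", str(csr),
                    "-subj", subj], check=True, capture_output=True)
    return str(csr)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        # Constructed CSRs: the subject from the gist, and one whose O= also
        # lists the cluster-admin group, which the check must reject.
        for path in (make_csr(workdir, "bob", "/CN=bob/O=dev-group"),
                     make_csr(workdir, "bob-bad", "/CN=bob/O=dev-group/O=system:masters")):
            problems = tenant_problems(csr_subject(path), "bob", "dev-group")
            print(path, "OK" if not problems else problems)
```

To check the request exactly as it was submitted to the API server rather than a local file, decode the `spec.request` field of the CSR object first (`kubectl get csr bob -o jsonpath='{.spec.request}' | base64 --decode > submitted.csr`) and pass that file to `csr_subject`; approving only after the subject matches the RoleBinding keeps the RBAC grant in `dev` from drifting to a different identity than the one it was written for.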