
How to Install Capsule on KIND

In this post, we will show you step by step how to install Capsule on KIND to bring multitenancy to your local cluster.

Friday, August 5, 2022 Dario Tranchitella

What is Capsule? 

Capsule implements a multi-tenant and policy-based environment in your Kubernetes cluster. It is designed as a micro-services-based ecosystem with a minimalist approach, relying only on upstream Kubernetes.

What's the problem with the current status?

Kubernetes introduces the Namespace object type to create logical partitions of the cluster as isolated slices. However, implementing advanced multi-tenancy scenarios soon becomes complicated because of the flat structure of Kubernetes namespaces and the impossibility of sharing resources among namespaces belonging to the same tenant. To overcome this, cluster admins tend to provision a dedicated cluster for each group of users, teams, or departments. As an organization grows, the number of clusters to manage and keep aligned becomes an operational nightmare, the well-known phenomenon of cluster sprawl.

What is KIND? 

KIND is a tool for running local Kubernetes clusters using Docker container “nodes”.

kind was primarily designed for testing Kubernetes itself, but it has since come to be used as a local development environment as well.

Why KIND? 

  • kind supports multi-node (including HA) clusters

  • kind supports building Kubernetes release builds from source

    • support for make/bash or docker, in addition to pre-published builds

  • kind supports Linux, macOS and Windows

  • kind is a CNCF certified conformant Kubernetes installer

How to Install Capsule on KIND? 

Now that we have explained all the tools we are going to use, it is time to introduce them to each other! A short guided video of the same procedure is also available.

Installing Docker

Since KIND expects the Docker Engine to be installed (although it can also work with Podman), you have to follow the installation instructions provided by Docker itself.

Installing KIND

KIND can be installed in several ways, from source, using a package manager, or from GitHub release binaries.

For further information, refer to the related documentation available here.

Ensure that KIND is working as expected by issuing the following command (YMMV):

$: kind version
kind v0.14.0 go1.18.2 linux/amd64

Creating the cluster

Once we have Docker and KIND, we can finally create the cluster that will be supercharged with Capsule multi-tenancy; just issue the following command.

$: kind create cluster --name capsule
kind v0.14.0 go1.18.2 linux/amd64

Creating cluster "capsule" ...
✓ Ensuring node image (kindest/node:v1.24.0) 🖼
✓ Preparing nodes 📦
✓ Writing configuration 📜
✓ Starting control-plane 🕹️
✓ Installing CNI 🔌
✓ Installing StorageClass 💾
Set kubectl context to "kind-capsule"
You can now use your cluster with:
kubectl cluster-info --context kind-capsule
Have a question, bug, or feature request? Let us know! https://kind.sigs.k8s.io/#community 🙂

Once finished, listing the running containers with docker ps shows a local container named capsule-control-plane: that is our Kubernetes cluster, named capsule.

0ca1590b2978 kindest/node:v1.24.0 "/usr/local/bin/entr…" 2 minutes ago Up 2 minutes>6443/tcp capsule-control-plane

KIND has also written the connection details into our local kubeconfig file; we can verify them by listing the available nodes with kubectl get nodes -o wide.

capsule-control-plane Ready control-plane 3m1s v1.24.0 <none> Ubuntu 21.10 5.18.10-76051810-generic containerd://1.6.4

Installing Capsule

The preferred way to install Capsule is using the available Helm Chart, which requires Helm, a popular Kubernetes package manager.

You can follow the official documentation to install it on your local machine.

Once Helm is installed, it’s time to add the Clastix repository, which hosts the Capsule chart.

$: helm repo add clastix https://clastix.github.io/charts
"clastix" has been added to your repositories

Now it’s time to refresh our local repositories; the output will vary according to the repositories you have added on your own.

$: helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "clastix" chart repository
Update Complete. ⎈Happy Helming!⎈

Finally, let’s launch the installation of the Capsule chart: this step takes some time, since the chart sets up everything Capsule requires in an automated fashion, so just sit back and relax.

$: helm upgrade --install capsule clastix/capsule -n capsule-system --create-namespace
Release "capsule" does not exist. Installing it now.
NAME: capsule
LAST DEPLOYED: Fri Aug 5 12:08:12 2022
NAMESPACE: capsule-system
STATUS: deployed
- Capsule Operator Helm Chart deployed:
# Check the capsule logs
$ kubectl logs -f deployment/capsule-controller-manager -c manager -n capsule-system
- Manage this chart:
# Upgrade Capsule
$ helm upgrade capsule -f <values.yaml> capsule -n capsule-system
# Show this status again
$ helm status capsule -n capsule-system
# Uninstall Capsule
$ helm uninstall capsule -n capsule-system

That’s awesome: Capsule has been installed and you can start interacting with it, either as a cluster administrator or as a tenant owner.

Simulate a Tenant owner

Kubernetes allows user impersonation from the CLI through the --as and --as-group flags, without any need to hack or mangle your kubeconfig.

For most of the Capsule tutorials, we’re interacting as alice: you can achieve that by issuing your commands with these flags.

$: kubectl --as=alice --as-group=capsule.clastix.io auth can-i create namespace
Warning: resource 'namespaces' is not namespace scoped

Using a real kubeconfig is possible thanks to the create-user.sh script: download it to your favourite location and issue the following command.

$: ./create-user.sh alice solar
creating certs in TMPDIR /tmp/tmp.Y3HNMjIR9G
merging groups /O=capsule.clastix.io
Generating RSA private key, 2048 bit long modulus (2 primes)
e is 65537 (0x010001)
WARNING: version difference between client (1.22) and server (1.24) exceeds the supported minor version skew of +/-1
certificatesigningrequest.certificates.k8s.io/alice-solar created
certificatesigningrequest.certificates.k8s.io/alice-solar approved
kubeconfig file is: alice-solar.kubeconfig
to use it as alice export KUBECONFIG=alice-solar.kubeconfig

The use of the utility create-user.sh requires openssl, jq, and kubectl in your path.

You’ll find a file named alice-solar.kubeconfig containing the CA and the client certificate that the Kubernetes API Server will recognize as the user alice, a member of the group capsule.clastix.io, which is bound to the multi-tenancy user group. Export its path in your shell as the KUBECONFIG environment variable, or pass it with the --kubeconfig flag of the kubectl binary, to interact with the cluster as one of the tenant owners.
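The steps that create-user.sh performs, written out as an added example for this post (it is not the Capsule project's own script): generate an RSA key, build a CSR whose CN is the user and whose O is the group, submit and approve a CertificateSigningRequest through the API, then embed the issued certificate in a kubeconfig. It assumes kubectl, openssl and base64 on PATH, that the current context is the kind-capsule cluster with cluster-admin rights (approving CSRs, like impersonating users with --as, is itself an RBAC-governed privilege), and that the cluster is named kind-capsule in the kubeconfig; the 24-hour expirationSeconds default is a choice made here, not something the original script sets.

```shell
#!/bin/sh
# Added example: the create-user.sh flow spelled out step by step.
# Assumptions: kubectl, openssl and base64 on PATH; current context is the
# kind "capsule" cluster with cluster-admin rights; cluster name kind-capsule.
set -eu

# Render the CertificateSigningRequest manifest for a base64-encoded PEM CSR.
# signerName kube-apiserver-client makes kube-controller-manager issue a client
# certificate; the API server then maps CN -> username and O -> groups.
# expirationSeconds (default 24h here) bounds how long the credential lives.
csr_manifest() {
  name="$1"; request_b64="$2"; ttl="${3:-86400}"
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${name}
spec:
  request: ${request_b64}
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: ${ttl}
  usages:
  - client auth
EOF
}

# Render a self-contained kubeconfig with embedded CA, client cert and key.
kubeconfig_manifest() {
  user="$1"; cluster="$2"; server="$3"; ca_b64="$4"; cert_b64="$5"; key_b64="$6"
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${cluster}
  cluster:
    server: ${server}
    certificate-authority-data: ${ca_b64}
users:
- name: ${user}
  user:
    client-certificate-data: ${cert_b64}
    client-key-data: ${key_b64}
contexts:
- name: ${user}@${cluster}
  context:
    cluster: ${cluster}
    user: ${user}
current-context: ${user}@${cluster}
EOF
}

# Full flow: create_user <username> <tenant> [group]; group defaults to the
# Capsule tenant-owner group used throughout the post.
create_user() {
  user="$1"; tenant="$2"; group="${3:-capsule.clastix.io}"
  csr_name="${user}-${tenant}"
  workdir="$(mktemp -d)"

  # Private key stays local; only the CSR (public key + subject) is sent.
  openssl genrsa -out "${workdir}/${user}.key" 2048 2>/dev/null
  openssl req -new -key "${workdir}/${user}.key" \
    -subj "/CN=${user}/O=${group}" -out "${workdir}/${user}.csr"

  csr_manifest "${csr_name}" "$(base64 < "${workdir}/${user}.csr" | tr -d '\n')" \
    | kubectl apply -f -
  kubectl certificate approve "${csr_name}"

  # The signer fills status.certificate asynchronously; poll briefly for it.
  cert_b64=""
  for _ in 1 2 3 4 5 6 7 8 9 10; do
    cert_b64="$(kubectl get csr "${csr_name}" -o jsonpath='{.status.certificate}')"
    [ -n "${cert_b64}" ] && break
    sleep 1
  done
  [ -n "${cert_b64}" ] || { echo "certificate not issued for ${csr_name}" >&2; exit 1; }

  server="$(kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.server}')"
  ca_b64="$(kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}')"
  key_b64="$(base64 < "${workdir}/${user}.key" | tr -d '\n')"

  kubeconfig_manifest "${user}" "kind-capsule" "${server}" "${ca_b64}" "${cert_b64}" "${key_b64}" \
    > "${csr_name}.kubeconfig"
  rm -rf "${workdir}"
  echo "kubeconfig file is: ${csr_name}.kubeconfig"
}

# Only touch the cluster when invoked with arguments, e.g. ./create-user.sh alice solar;
# sourced or run with no arguments it merely defines the functions above.
if [ $# -ge 2 ]; then
  create_user "$@"
fi
```

Run it as ./create-user.sh alice solar to obtain alice-solar.kubeconfig. The two rendering functions produce plain text, so the CSR and the kubeconfig can be inspected before anything reaches the API server; the O= field of the CSR subject is what places alice in capsule.clastix.io, the group Capsule checks for tenant owners, so a mistyped group yields a perfectly valid certificate for a user that Capsule will not treat as an owner.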