Creating Supervisor NamespacesAugust 17, 2020
Congratulations, you’ve deployed the Workload Management components for your vSphere 7 cluster. If you’ve been following along with the series so far, you’ll have left off with a workload management cluster created and ready to being configuring your cluster for use with Kubernetes.
The next step in the process is to create a namespace. Before we do that, it’s probably useful to recap what a namespace is used for.
Namespaces the Theory
Depending on your past experiences, a namespace will likely seem familiar to you in some fashion. If you have a kubernetes background, you’ll be familiar with namespaces as a way to set permissions for a group of users (or a project, etc) and for assigning resources. Alternatively, if you have a vSphere background, you’re used to using things like Resource Pools to set resource allocation.
A Supervisor Cluster namespace is a combination of resource allocations and permissions set within the Supervisor Cluster. When you create a Supervisor Namespace, you’ll assign who has access to use it, and how many of the ESXi cluster’s resources you can use (much like a resource pool).
When you enabled the Workload Management components, you created a special Kubernetes cluster called the “Supervisor Cluster”. You can continue to deploy virtual machines in this cluster, and you can also deploy kubernetes pods as a “pod vm” which is basically a container with some special wrapping so they are better isolated, like a virtual machine is.
To better illustrate things, the diagram below demonstrates that you can carve up the Supervisor Cluster to suit your needs. The diagram below has two namespaces for two different Development teams (you could carve these up by project, app, or whatever you’d like, dev teams is just an example). Those two namespaces would have different permissions so one development team couldn’t see the pods/resources in the other namespaces. They are also sized differently.
The third namespace on the far right side, is a namespace similar to the first two, but instead of it running PodVMs (think of them as containers for now) it’s running … another Kubernetes cluster within that namespace called a Tanzu Kubernetes Grid (TKG) cluster. That cluster will have resources allocated by the Supervisor Namespace, but then pods can run on those VMs. NOTE: I can almost hear you asking why I’d build another cluster within a cluster, but that will need to wait for another post for now.
Hopefully you’ve gotten the purpose behind Supervisor Namespaces now, and are ready to configure your cluster.
Create a Namespace
Within the Workload Management menu, select the Namespaces tab. If this is your first namespace, you’ll be greeted with a fancy splash page with the robot thingy on the right side. Sorry, I don’t know it’s name, but it really should have one..)
On the first screen select which Supervisor Cluster to create the namespace, then give it a name and a description. Then click
Your Namespace is now created. You should probably do some additional configurations though now. Your screen should look something like this now.
You can see a couple of buttons on that overview screen. Let’s set some permissions so that some of our users can use this namespace soon. Click the
App Permissions button within the “Permissions” tab. Select your identity source, a user or a group from that source, and either view or edit permissions. I’ve used edit permissions so we can use this user in later posts. Click OK.
NOTE: View permissions =
watch permissions while Edit permissions also include
Next, in the Capacity and Usage tab, click the
Edit Limits link to set some resource limits on the namespace. Enter limits for CPU, Memory and Storage for this namespace and then click OK.
The last setting we’ll do in this post is the
Add Storage button in the Storage tab. Here you’ll select a storage policy that can be used with this namespace. These are standard storage policies that can be used on vsphere datastores to select the correct ones.
In the end, your dashboard will look something like the one below.
And you’ll notice the namespaces are also listed under the “Hosts and Clusters” view if you’re logged in as [email protected], very similar to a resource pool would look.
Supervisor Namespaces are a way to isolate resources, assign role based access controls, and allocate physical resources for your users. Stay tuned for the next post when we login to the Supervisor Cluster within this namespace.