Mastering Kubernetes Spaces with Nauticus
Context
As we embrace the era of containerisation, Kubernetes has taken center stage, revolutionising how we orchestrate and manage containerised applications. Its widespread adoption is a testament to its power and flexibility. However, with this flexibility comes complexity. Managing Kubernetes namespaces, ensuring efficient resource allocation, and maintaining security policies can be a challenging task.
Enter Nauticus, a Kubernetes controller designed to simplify the management of Kubernetes spaces. This innovative tool is set to make Kubernetes management more accessible and efficient. Here’s a deep dive into how Nauticus is redefining Kubernetes management.
Introduction to Nauticus
Nauticus is an open-source Kubernetes controller that simplifies the management of spaces (namespaces with enhanced features) within your cluster. It introduces a new level of abstraction, making it easier for developers and administrators to manage resources and policies.
Nauticus offers several powerful features:
- Space Management: Easily create, update, and delete spaces, similar to managing Kubernetes namespaces but with more control.
- Resource Management: Assign resource quotas to ensure efficient resource utilization within a namespace and prevent resource overconsumption.
- Security Policy Management: Enable default strict mode for network policies, effectively isolating resources within a Kubernetes cluster.
- Additional Role Bindings: Assign specific roles and permissions to users or service accounts within the space, providing a more granular level of access control.
- Limit Ranges: Set constraints on the resources that can be requested and consumed by the containers in a namespace.
- Service Account Creation: Create a Kubernetes Service Account bound with the cloud-specific IAM, removing manual annotation hassle.
Why Nauticus ?
Managing Kubernetes resources, especially in multi-tenant environments, can be complex. Ensuring that each team has access to the resources it needs, while preventing unauthorized access and overconsumption, requires constant vigilance.
Nauticus simplifies this process by providing a centralized, easy-to-use tool that manages spaces and their associated resources. It provides administrators with the ability to assign roles and permissions, manage network policies, and allocate resources, all from a single place.
Moreover, with Nauticus, you can implement a ‘Namespace-as-a-Service’ approach, which allows developers to manage their namespaces, reducing the load on cluster admins. This approach improves the overall workflow, fosters faster development cycles, and reduces the chances of error.
What is not Nauticus !
In the landscape of Kubernetes tools, it’s important to understand that different solutions are designed with specific focus areas in mind, and that’s certainly true for Nauticus. Nauticus specializes in providing robust solutions for managing Spaces and streamlining Kubernetes resources, particularly focusing on easing the administration workload related to provisioning.
However, Nauticus does not focus on the self-service approach often adopted in Kubernetes environments. The term “self-service” in the Kubernetes context refers to a setup where individual teams or users can create and manage their own resources, without needing direct intervention from cluster administrators. The aim of this approach is to foster greater agility and faster deployments, as developers can autonomously control their environments without creating dependencies or bottlenecks.
Nauticus Spaces are Cluster Scoped resources, which means that they are not designed to fit a self-service approach. The decision to design Nauticus in this way is not a limitation, but rather a strategic choice focused on delivering a more effective solution for the challenges faced by Kubernetes administrators during the provisioning process.
That said, if your goal is to adopt a self-service approach within your Kubernetes environment, we recommend checking out Capsule. Capsule is another Kubernetes tool specifically designed to facilitate a self-service approach, providing features such as multitenancy, isolation, network policies, and more. You can learn more about Capsule from their official website: Capsule.
Installation and Configuration of Nauticus
Before you get started, there are a few prerequisites:
- A running Kubernetes cluster (version 1.17 or later) with the
kubectlcommand-line tool installed and configured on your machine. - Access to the cluster with cluster-admin permissions.
- Familiarity with Kubernetes concepts such as namespaces, RBAC, and resources.
The following step-by-step guide will help you install Nauticus locally and take you through its core features.
Step 1: Installing Nauticus
Nauticus can be installed using either Helm or kubectl. We will use Helm during this workshop.
Make sure you have Docker and Kind installed if you intend to create a Kubernetes cluster within Docker. You can create a new Kubernetes cluster with the kind command if you don't have one:
kind create cluster --image kindest/node:v1.27.2 --wait 5m --name nauticusEnsure that you have Helm and kubectl installed on your machine. If not, you can find instructions on how to install them here: helm and here kubectl.
Add the Nauticus Helm repository:
helm repo add edixos https://edixos.github.io/chartsNext, install Nauticus:
kubectl create namespace nauticus-system
helm install nauticus --namespace nauticus-system edixos/nauticusStep 2: Using Nauticus
With Nauticus installed, you can start creating and managing Spaces in your cluster.
To create a new space, you can use the following kubectl command:
cat << EOF | kubectl apply -f -
apiVersion: nauticus.io/v1alpha1
kind: Space
metadata:
name: my-space
EOFThe Space object will create a namespace and update the status of the Space by adding status.NamespaceName to it.
Now, suppose you want to set up a quota for your Space to ensure resource usage does not exceed the specified limits. Here’s how you can do it:
cat << EOF | kubectl apply -f -
apiVersion: nauticus.io/v1alpha1
kind: Space
metadata:
labels:
app.kubernetes.io/name: space
app.kubernetes.io/instance: space-sample
app.kubernetes.io/part-of: nauticus
app.kubernetes.io/managed-by: kustomize
app.kubernetes.io/created-by: nauticus
name: space-sample-rc
spec:
resourceQuota:
hard:
limits.cpu: "2"
limits.memory: 2Gi
EOFIn this case, a new Space my-space-with-quota is created with a resource quota . This quota limits CPU usage to 2 cores and memory usage to 2Gi within the Space.
Nauticus also enables you to manage network policies within a Space. You can define a network policy like this:
cat << EOF | kubectl apply -f -
apiVersion: nauticus.io/v1alpha1
kind: Space
metadata:
name: my-space-with-network-policy
spec:
networkPolicies:
enableDefaultStrictMode: true # false
items:
- policyTypes:
- Ingress
- Egress
egress:
- to:
- ipBlock:
cidr: 0.0.0.0/0
except:
- 192.168.0.0/16
ingress:
- from:
- namespaceSelector:
matchLabels:
app.kubernetes.io/instance: space-all-in-one
- podSelector: { }
- ipBlock:
cidr: 192.168.0.0/16
podSelector: { }
EOFThe Space my-space-with-network-policy is created with a default network policy that denies all ingress and egress traffic to the pods in the Space. In items fields you can specify any network policy you think useful for you Space.
Additionally, Nauticus integrates with Kubernetes RBAC, allowing you to specify role bindings within a Space:
cat << EOF | kubectl apply -f -
apiVersion: nauticus.io/v1alpha1
kind: Space
metadata:
name: my-space-with-rbac
spec:
additionalRoleBindings:
- subjects:
- kind: User
name: dev
roleRef:
kind: ClusterRole
name: view
EOFIn this example, a new Space my-space-with-rbac is created. Within this Space, an additional role binding dev-role-binding is created, which grants the view role to the user dev.
Conclusion
We have now taken an in-depth look at Nauticus, a Kubernetes controller that significantly simplifies the management of Spaces, fully-managed Kubernetes namespaces. We’ve learned how to install it, how to use it, and we’ve covered a range of practical use cases.
With its unique approach to encapsulating namespaces and their associated resources, Nauticus is a powerful tool for administrators who oversee multi-tenant Kubernetes clusters. It helps to streamline the provisioning process and manage resources efficiently, with a fine level of control.
Remember that, although Nauticus doesn’t lend itself to a self-service approach, its purpose is to empower Kubernetes administrators. For those looking to adopt a self-service approach, there are alternative tools like Capsule.
Next Steps
This is just the beginning of what you can achieve with Nauticus. As you continue to explore its features, we encourage you to leverage the full potential of this tool. Understanding and mastering Nauticus can be a game-changer in managing your Kubernetes environments, whether you’re dealing with small development clusters or large production landscapes.
In upcoming articles, we’ll also take a look at other tools in the Kubernetes ecosystem that can complement or enhance the functionality of Nauticus.
Finally, we encourage you to contribute to the Nauticus project. It’s an open-source project, meaning that contributions from the community are welcomed and appreciated. This could be a great opportunity to give back to the community, learn more, and potentially shape the future direction of the tool.
Thank you for reading, and stay tuned for more on Nauticus!
Useful Links
For more information and resources related to Nauticus, please refer to the following links:
- Nauticus GitHub Repository: https://github.com/edixos/nauticus Get the source code, contribute, or report issues directly on the Nauticus project page on GitHub.
- Nauticus Documentation: https://nauticus.edixos.com/ Comprehensive documentation on the installation, usage, and advanced features of Nauticus.
- Edixos Official Website: https://edixos.com Learn more about Edixos, the organization behind Nauticus, their philosophy, and other projects.
