Managing Namespaces on a
Supervisor

You can use the
vSphere Automation
APIs to create namespaces on a
Supervisor
and configure them with resource limits and permissions for the DevOps users.
To create and configure a namespace, use the
Instances
service from the
namespaces
package. You can configure the access control to the objects in a namespace by using the
Access
service.

Create a
vSphere Namespace

You can use the
vSphere Supervisor
automation APIs to create namespaces on a
Supervisor
. You can set resource quotas, storage, as well as permissions for the DevOps users.
  • Enable
    vSphere Supervisor
    on a vSphere cluster.
  • Create users and groups for the DevOps engineers who will use the namespace. For more information about how to create users and groups through the Web Services APIs, see the
    vSphere Web Services SDK Programming Guide
    .
  • Create storage policies for persistent storage used by the
    vSphere Pod
    s and the pods inside a
    TKG
    cluster.
  • Required privileges on the
    Supervisor
    :
    • Namespaces
      Modify cluster-wide configuration
    • Namespaces
      Modify namespace configuration
    • Virtual Machine Classes
      Manage Virtual Machine Classes
  1. Retrieve the
    Supervisor
    ID by filtering the clusters available in the
    vCenter Server
    system.
    Call the list method of the
    Clusters
    service from the
    com.vmware.vcenter.namespace_management
    package and retrieve the ID of the cluster on which you want to create a namespace from the returned cluster summary objects.
  2. Retrieve the ID of the storage policy that you configured for placement of the persistent volumes from
    vSphere Pod
    s and
    TKG
    clusters.
  3. Configure the access control to the objects in the namespace.
    Create an instance of the
    com.vmware.vcenter.namespaces.InstancesTypes.Access
    class and specify the following access information:
    Parameter
    Description
    setDomain(domain)
    Set the domain name of the
    vCenter Server
    system on which the namespace is created.
    setSubjectType(subjectType)
    Set the type of the user accounts that are associated with the specific role for the namespace. You must select between the
    USER
    and
    GROUP
    options.
    setSubject(subject)
    Set the name of the user or group that have permissions to access the namespace objects.
    setRole(role)
    Set the role that is associated with the predefined set of privileges that you want to grant the specific user or group. You can select between the
    EDIT
    ,
    VIEW
    and
    OWNER
    roles.
    The owner role is introduced in vSphere 7.0 Update 2a. When a DevOps engineer creates a namespace in a self-service manner, the Namespace Self-Service grants the owner role to the namespace creator. See Self-Service Namespace Management.
  4. Create a
    CreateSpec
    instance that holds the namespaces specification.
    The namespace specification can contain the following information:
    Parameter
    Description
    setCluster(cluster)
    Set the ID of the
    Supervisor
    on which the namespace is created.
    setNamespace(namespace)
    Set a name of the namespace following the DNS label standard defined in RFC 1123. The name must be unique across all namespaces in the current
    vCenter Server
    system.
    setNetworks(java.util.List<java.lang.String> networks)
    Optional. You can set the workload networks used by the
    vSphere Namespace
    . Pass
    null
    as a value of this parameter, if the
    Supervisor
    is configured to use
    NSX
    as networking solution. The workload networking support for such namespaces is provisioned by
    NSX
    .
    If the
    Supervisor
    uses the vSphere networking stack, pass the workload network to be associated with the namespace. If you pass
    null
    as a value of this parameter, the
    vSphere Namespace
    s on the cluster are automatically associated with the cluster primary workload network. See Configuring the vSphere Networking Stack for vSphere Supervisor.
    setDescription(description)
    Optional. You can set a description of the namespace.
    setAccessList(accessList)
    Optional. You can set the access control that is associated with the namespace in Step 3.
    setStorageSpecs(storageSpecs)
    Optional. You can set the amount of storage dedicated to each storage policy associated with the namespace and the maximum amount of storage that is used by the namespace. Use the
    StorageSpec
    specification to configure the storage quotas on the namespace.
    setResourceSpec(resourceSpec)
    Optional. You can set resource limitations to the namespace. You can limit the CPU, memory, the maximum number of pods that can exist on the namespace, and so on.
    setCreator(InstancesTypes.Principal creator)
    Optional. The Namespace Self-Service populates this parameter with information about the DevOps user who created the namespace with
    cubectl
    . The user name and domain of the namespace creator are stored with this parameter.
    setVmServiceSpec(InstancesTypes.VMServiceSpec vmServiceSpec)
    Optional. The VM Service specification for the Dev-Ops provisioned virtual machines.
  5. Create a namespace object on the
    Supervisor
    by using the namespace create specification.
Share the namespace with DevOps engineers and provide them with the user or group configured for accessing the namespace.
Java
This example creates a
vSphere Namespace
on a
Supervisor
.
The following code snippet is part of the
CreateNameSpace.java
sample. Some parts of the original code sample are omitted to save space. You can view the complete and up-to-date version of this sample in the
vsphere-automation-sdk-java
VMware repository at GitHub.
(...) @Override protected void run() throws Exception { InstancesTypes.CreateSpec spec =new InstancesTypes.CreateSpec(); spec.setCluster(this.clusterId); spec.setDescription("My first namespace, WOW"); spec.setNamespace(this.namespaceName); InstancesTypes.StorageSpec storageSpec=new InstancesTypes.StorageSpec(); storageSpec.setLimit(Long.valueOf(this.storageLimit).longValue()); storageSpec.setPolicy(this.storagePolicyId); List<InstancesTypes.StorageSpec> storageSpecs = new ArrayList<InstancesTypes.StorageSpec>(); storageSpecs.add(storageSpec); spec.setStorageSpecs(storageSpecs); InstancesTypes.Access accessList= new InstancesTypes.Access(); accessList.setDomain(this.domainName); if(this.roleName.equalsIgnoreCase("EDIT")) { accessList.setRole(AccessTypes.Role.EDIT); } else{ accessList.setRole(AccessTypes.Role.VIEW); } accessList.setSubject( this.subjectName); //Default is Administrator if(this.subjectType.equalsIgnoreCase("USER")) { accessList.setSubjectType( AccessTypes.SubjectType.USER); } else{ accessList.setSubjectType( AccessTypes.SubjectType.GROUP); } List<InstancesTypes.Access> accessLists = new ArrayList<InstancesTypes.Access>(); accessLists.add(accessList); spec.setAccessList(accessLists); this.namespaceService.create(spec); System.out.println("Invocation is successful for creating supervisor namespace, check H5C or call GET API to get status"); } (...)

Updating the Namespace Configuration

You can change the whole namespace configuration or only some of the namespace settings.
To change the configuration of an existing namespace, you must have the
Namespaces.Configure
privilege on the
Supervisor
.
Before deleting a storage policy from
vCenter Server
or a
vSphere Namespace
, or changing the storage policy assignment, make sure that no persistent volume claim with the corresponding storage class runs in the namespace. Also, ensure that no
TKG
cluster is using the storage class.
To patch a namespace configuration, create an
UpdateSpec
specification and set new values only to the configuration settings that you want to change. The parameters of the update specification are the same as the ones you configured during the namespace creation. When you call the update operation, only the settings that you configured in the update specification are applied, the other settings are left as they are.
To reconfigure a namespace entirely, you must create an instance of the
SetSpec
class. You can change the description, access controls, storage settings, and resource limitations of the specific namespace.

Configuring the Access to a Namespace

You can use the
vSphere Supervisor
APIs to grant access permissions to DevOps engineers on the
vSphere Namespace
s.
Use the
Access
service to retrieve information about the access control of the DevOps engineers on a specific namespace. You can also set up or remove an access control for a specific user or group on a specific namespace, and add another access control on the namespace. You set up each access control to allow a user or group to access a namespace in a specific
vCenter Server
system. You can grant access to a DevOps engineer to more than one namespace.
You must have the
Namespaces
Configure
privilege to grant permissions to a user. You assign the view and edit access role on the namespace for the user or group.
Starting with vSphere 7.0 Update 2а, you can also assign the owner role to a DevOps engineer. These roles allow the user to deploy workloads, share the namespace with other DevOps engineers, and delete it when it is no longer needed.

Self-Service Namespace Management

You can use the
vSphere Supervisor
automation APIs to create a
vSphere Namespace
with specific resource quotas, set permissions, and assign storage policies. DevOps engineers can then use the namespace as a template for self-provisioning namespaces on the cluster.
Starting with vSphere 7.0 Update 2a, the Namespace Self-Service feature is available in
vSphere Supervisor
. The service enables Kubernetes users to create
vSphere Namespaces
from templates configured through the automation APIs or
vSphere Client
. To activate the Namespace Self-Service on a cluster, use one of the following options:
  • Create a self-service namespace template and then activate the Namespace Self-Service on the cluster.
  • Create or update a self-service namespace template simultaneously with activating the Namespace Self-Service on the cluster.
Currently, only one namespace self-service template is allowed per
vSphere Namespace
. After a DevOps engineer creates a namespace from the template, the namespace can also be deleted through
kubectl
. You can verify whether a namespace is created from a template by retrieving the value of the
getSelfServiceNamespace()
flag of the
com.vmware.vcenter.namespaces.InstancesTypes.Info
object that you receive when you call the
get(String namespace)
method of the
Instances
interface.
To create a template for a self-service namespace,
call the
create(String cluster, NamespaceTemplatesTypes.CreateSpec spec)
method of the
NamespaceTemplates
interface.
You use as
parameters
the cluster ID and the namespace template create specification.
You define the following configuration settings and resource limitations of the template:
Parameter
Description
setTemplate(String template)
The identifier of the namespace template must be a unique name across all clusters on the
vCenter Server
instance. The name must be compliant with DNS.
setResourceSpec(Structure resourceSpec)
The resource quotas, such as CPU and memory, that are reserved for the namespace on the
vCenter Server
instance. The CPU limit is set in MHz and the minimum value is 10 MHz. The memory and the storage limits are set in MiB. For more options to configure resource limits for the namespace, see the
ResourceQuotaOptionsV1
class in the API Reference documentation.
setStorageSpecs(List<InstancesTypes.StorageSpec> storageSpecs)
The amount of storage in MiB utilized for each storage policy that you associate with the namespace. You must specify at least one policy.
setNetworks(List<java.lang.String> networks)
Optional. The networks associated with the namespace. Currently, you can set only one network for the namespace. Pass
null
as argument if the
Supervisor
is configured with NSX-T Data Center support. If you pass
null
for a namespace template on a cluster configured with a vSphere networking stack, the namespace is automatically associated with the Supervisor management workload network.
setPermissions(List<NamespaceTemplatesTypes.Subject> permissions)
Optional. The permissions that allow DevOps engineers to use the template to self-provision namespaces through
kubectl
. If
set to
null
, only users with the Administrator role can use the template.
Once you have the template created, you can activate the Namespace Self-Service on the cluster
by calling the
activate(java.lang.String cluster)
method of the
NamespaceSelfService
interface.
If you want to restrict DevOps users to use the namespace template on a cluster, you can deactivate the Namespace Self-Service feature. Then users are able to delete only the namespaces already created from the template.
You can activate the Namespace Self-Service on the cluster after configuring the namespace template by using the
NamespaceSelfService
service.
You call the
activateWithTemplate(java.lang.String cluster, NamespaceSelfServiceTypes.ActivateTemplateSpec spec)
method of the
NamespaceSelfService
interface.
Depending on the availability of a template on the cluster, this method either creates a namespace template or activates the deactivated service and at the same time updates the existing template.