Managing Namespaces on a Supervisor
Supervisor
You can use the
vSphere
Automation
APIs to
create namespaces on a Supervisor
and
configure them with resource limits and permissions for the DevOps users. To create and configure a namespace, use the
Instances
service from
the namespaces
package. You can configure the access control to the
objects in a namespace by using the Access
service.Create a vSphere Namespace
vSphere Namespace
You can use the
vSphere Supervisor
automation APIs to create namespaces on a
Supervisor
. You can set resource quotas,
storage, as well as permissions for the DevOps users.- EnablevSphere Supervisoron a vSphere cluster.
- Create users and groups for the DevOps engineers who will use the namespace. For more information about how to create users and groups through the Web Services APIs, see thevSphere Web Services SDK Programming Guide.
- Create storage policies for persistent storage used by thevSphere Pods and the pods inside aTKGcluster.
- Create VM Classes and content libraries for DevOps provisioned VMs. See Create a VM Class in vSphere Supervisor and Creating and Managing Content Libraries for VM Provisioning in vSphere Supervisor.
- Required privileges on theSupervisor:
- Retrieve theSupervisorID by filtering the clusters available in thevCenter Serversystem.Call the list method of theClustersservice from thecom.vmware.vcenter.namespace_managementpackage and retrieve the ID of the cluster on which you want to create a namespace from the returned cluster summary objects.
- Retrieve the ID of the storage policy that you configured for placement of the persistent volumes fromvSphere Pods andTKGclusters.
- Configure the access control to the objects in the namespace.Create an instance of thecom.vmware.vcenter.namespaces.InstancesTypes.Accessclass and specify the following access information:ParameterDescriptionsetDomain(domain)Set the domain name of thevCenter Serversystem on which the namespace is created.setSubjectType(subjectType)Set the type of the user accounts that are associated with the specific role for the namespace. You must select between theUSERandGROUPoptions.setSubject(subject)Set the name of the user or group that have permissions to access the namespace objects.setRole(role)Set the role that is associated with the predefined set of privileges that you want to grant the specific user or group. You can select between theEDIT,VIEWandOWNERroles.The owner role is introduced in vSphere 7.0 Update 2a. When a DevOps engineer creates a namespace in a self-service manner, the Namespace Self-Service grants the owner role to the namespace creator. See Self-Service Namespace Management.
- Create aCreateSpecinstance that holds the namespaces specification.The namespace specification can contain the following information:ParameterDescriptionsetCluster(cluster)Set the ID of theSupervisoron which the namespace is created.setNamespace(namespace)Set a name of the namespace following the DNS label standard defined in RFC 1123. The name must be unique across all namespaces in the currentvCenter Serversystem.setNetworks(java.util.List<java.lang.String> networks)Optional. You can set the workload networks used by thevSphere Namespace. Passnullas a value of this parameter, if theSupervisoris configured to useNSXas networking solution. The workload networking support for such namespaces is provisioned byNSX.If theSupervisoruses the vSphere networking stack, pass the workload network to be associated with the namespace. If you passnullas a value of this parameter, thevSphere Namespaces on the cluster are automatically associated with the cluster primary workload network. See Configuring the vSphere Networking Stack for vSphere Supervisor.setDescription(description)Optional. You can set a description of the namespace.setAccessList(accessList)Optional. You can set the access control that is associated with the namespace in Step 3.setStorageSpecs(storageSpecs)Optional. You can set the amount of storage dedicated to each storage policy associated with the namespace and the maximum amount of storage that is used by the namespace. Use theStorageSpecspecification to configure the storage quotas on the namespace.setResourceSpec(resourceSpec)Optional. You can set resource limitations to the namespace. You can limit the CPU, memory, the maximum number of pods that can exist on the namespace, and so on.setCreator(InstancesTypes.Principal creator)Optional. The Namespace Self-Service populates this parameter with information about the DevOps user who created the namespace withcubectl. The user name and domain of the namespace creator are stored with this parameter.setVmServiceSpec(InstancesTypes.VMServiceSpec vmServiceSpec)Optional. The VM Service specification for the Dev-Ops provisioned virtual machines.
- Create a namespace object on theSupervisorby using the namespace create specification.
Share the namespace with DevOps engineers and provide them with the user or group configured for accessing the namespace.
- Java
- This example creates avSphere Namespaceon aSupervisor.The following code snippet is part of theCreateNameSpace.javasample. Some parts of the original code sample are omitted to save space. You can view the complete and up-to-date version of this sample in thevsphere-automation-sdk-javaVMware repository at GitHub.(...) @Override protected void run() throws Exception { InstancesTypes.CreateSpec spec =new InstancesTypes.CreateSpec(); spec.setCluster(this.clusterId); spec.setDescription("My first namespace, WOW"); spec.setNamespace(this.namespaceName); InstancesTypes.StorageSpec storageSpec=new InstancesTypes.StorageSpec(); storageSpec.setLimit(Long.valueOf(this.storageLimit).longValue()); storageSpec.setPolicy(this.storagePolicyId); List<InstancesTypes.StorageSpec> storageSpecs = new ArrayList<InstancesTypes.StorageSpec>(); storageSpecs.add(storageSpec); spec.setStorageSpecs(storageSpecs); InstancesTypes.Access accessList= new InstancesTypes.Access(); accessList.setDomain(this.domainName); if(this.roleName.equalsIgnoreCase("EDIT")) { accessList.setRole(AccessTypes.Role.EDIT); } else{ accessList.setRole(AccessTypes.Role.VIEW); } accessList.setSubject( this.subjectName); //Default is Administrator if(this.subjectType.equalsIgnoreCase("USER")) { accessList.setSubjectType( AccessTypes.SubjectType.USER); } else{ accessList.setSubjectType( AccessTypes.SubjectType.GROUP); } List<InstancesTypes.Access> accessLists = new ArrayList<InstancesTypes.Access>(); accessLists.add(accessList); spec.setAccessList(accessLists); this.namespaceService.create(spec); System.out.println("Invocation is successful for creating supervisor namespace, check H5C or call GET API to get status"); } (...)
Updating the Namespace Configuration
You can change the whole namespace configuration or only some of the namespace settings.
To change the configuration of an existing namespace, you must have the
Namespaces.Configure
privilege on the Supervisor
.Before deleting a storage policy from
vCenter Server
or a vSphere Namespace
, or changing the storage policy assignment, make sure that no persistent volume claim with the corresponding storage class runs in the namespace. Also, ensure that no TKG
cluster is using the storage class.To patch a
namespace configuration, create an
UpdateSpec
specification and set new
values only to the configuration settings that you want to change. The parameters of the
update specification are the same as the ones you configured during the namespace creation.
When you call the update operation, only the settings that you configured in the update
specification are applied, the other settings are left as they are.To reconfigure a
namespace entirely, you must create an instance of the
SetSpec
class. You
can change the description, access controls, storage settings, and resource limitations of the
specific namespace.Configuring the Access to a Namespace
You can use the
vSphere Supervisor
APIs to
grant access permissions to DevOps engineers on the vSphere Namespace
s.Use the
Access
service to
retrieve information about the access control of the DevOps engineers on a specific namespace.
You can also set up or remove an access control for a specific user or group on a specific
namespace, and add another access control on the namespace. You set up each access control to
allow a user or group to access a namespace in a specific vCenter Server
system. You can grant access to a DevOps engineer to more than
one namespace. You must have the
privilege to grant permissions to a user. You assign the view and edit access
role on the namespace for the user or group. Starting with vSphere 7.0 Update 2а, you can also assign the owner role to a DevOps engineer.
These roles allow the user to deploy workloads, share the namespace with other DevOps
engineers, and delete it when it is no longer needed.
Self-Service Namespace Management
You can use the
vSphere Supervisor
automation
APIs to create a vSphere Namespace
with specific resource quotas,
set permissions, and assign storage policies. DevOps engineers can then use the namespace as
a template for self-provisioning namespaces on the cluster. Starting with vSphere 7.0 Update 2a, the Namespace Self-Service feature is available in
vSphere Supervisor
. The service enables
Kubernetes users to create vSphere Namespaces
from templates configured through the automation APIs or vSphere Client
. To activate the Namespace Self-Service on a cluster,
use one of the following options: - Create a self-service namespace template and then activate the Namespace Self-Service on the cluster.
- Create or update a self-service namespace template simultaneously with activating the Namespace Self-Service on the cluster.
Currently, only one namespace self-service template is allowed per
vSphere Namespace
. After a DevOps engineer
creates a namespace from the template, the namespace can also be deleted through
kubectl
. You can verify whether a namespace is created from a
template by retrieving the value of thegetSelfServiceNamespace()
flag of the
com.vmware.vcenter.namespaces.InstancesTypes.Info
object that
you receive when you call the get(String namespace)
method of
the Instances
interface.To create a template for a self-service namespace,
call the
You use as create(String cluster, NamespaceTemplatesTypes.CreateSpec
spec)
method of the NamespaceTemplates
interface.
parameters
the cluster ID and
the namespace
template create specification. You define the following configuration settings and resource limitations of the template:
Parameter | Description |
---|---|
setTemplate(String
template) | The identifier of the namespace template must be a unique name across
all clusters on the vCenter Server instance. The name must be compliant with DNS.
|
setResourceSpec(Structure
resourceSpec) | The resource quotas, such as CPU and memory, that are reserved for the
namespace on the vCenter Server instance. The CPU limit is set in MHz and the minimum
value is 10 MHz. The memory and the storage limits are set in MiB. For more
options to configure resource limits for the namespace, see the
ResourceQuotaOptionsV1 class in the API Reference
documentation. |
setStorageSpecs(List<InstancesTypes.StorageSpec>
storageSpecs) | The amount of storage in MiB utilized for each storage policy that you
associate with the namespace. You must specify at least one policy.
|
setNetworks(List<java.lang.String> networks) | Optional. The networks associated with the namespace. Currently, you
can set only one network for the namespace. Pass null as
argument if the Supervisor is configured with NSX-T Data Center support. If
you pass null for a namespace template on a cluster
configured with a vSphere networking stack, the namespace is automatically
associated with the Supervisor management workload network. |
setPermissions(List<NamespaceTemplatesTypes.Subject>
permissions) | Optional. The permissions that allow DevOps engineers to use the
template to self-provision namespaces through kubectl .
If set to , only users with the
Administrator role can use the template. null |
Once you have the template created, you can activate the Namespace Self-Service on the
cluster
by calling the
If you want to restrict DevOps users to use the namespace
template on a cluster, you can deactivate the Namespace Self-Service feature. Then users
are able to delete only the namespaces already created from the template. activate(java.lang.String cluster)
method of the
NamespaceSelfService
interface.You can activate the Namespace Self-Service on the cluster after configuring the
namespace template by using the
NamespaceSelfService
service. You call the
Depending on the availability of a template on the cluster, this
method either creates a namespace template or activates the deactivated service and at
the same time updates the existing template.activateWithTemplate(java.lang.String cluster,
NamespaceSelfServiceTypes.ActivateTemplateSpec spec)
method of the
NamespaceSelfService
interface.