Description
The module enables the creation of projects in a Kubernetes cluster. A project is an isolated environment where applications can be deployed.
Why is this needed?
The standard Namespace resource, used for logical resource separation in Kubernetes, does not provide the necessary functionality and is therefore not an isolated environment:
- Resource consumption by pods is not limited by default;
- Network communication with other pods works by default from any point in the cluster;
- Unrestricted access to node resources: address space, network space, mounted host directories.
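The three gaps listed above map onto standard Kubernetes objects that have to be added to a plain Namespace by hand. The manifests below are an added example, not taken from this module or its templates; the namespace name `demo-project`, the object names and all quota values are assumptions.

```yaml
# Constructed example: the namespace name, labels and quota values are assumptions.
apiVersion: v1
kind: Namespace
metadata:
  name: demo-project
  labels:
    # Pod Security Admission rejects pods that request host namespaces,
    # hostPath volumes or privileged containers.
    pod-security.kubernetes.io/enforce: restricted
---
# Caps the total CPU and memory of all pods in the namespace.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: project-quota
  namespace: demo-project
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
---
# Defaults for containers that declare no requests or limits; without them
# such pods would be rejected once the quota above is in place.
apiVersion: v1
kind: LimitRange
metadata:
  name: container-defaults
  namespace: demo-project
spec:
  limits:
    - type: Container
      defaultRequest: {cpu: 100m, memory: 128Mi}
      default: {cpu: 500m, memory: 512Mi}
---
# Ingress only from pods in the same namespace. Enforced only when the
# cluster's CNI plugin implements NetworkPolicy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: same-namespace-only
  namespace: demo-project
spec:
  podSelector: {}
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector: {}
```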
The configuration capabilities of Namespace do not fully meet modern development requirements. By default, the following features are not included for Namespace:
- Log collection;
- Audit;
- Vulnerability scanning.
The functionality of projects allows addressing these issues.
Advantages of the module
For platform administrators:
- Consistency: Administrators can create projects using the same template, ensuring consistency and simplifying management.
- Security: Projects provide isolation of resources and access policies between different projects, supporting a secure multitenant environment.
- Resource Consumption: Administrators can easily set quotas on resources and limitations for each project, preventing excessive resource usage.
For platform users:
- Isolation: Each project provides an isolated environment where developers can deploy and test their applications without impacting other projects.
- Quick Start: Developers can request projects created from ready-made templates from administrators, allowing for a quick start to developing a new application.
Internal Logic
To create projects, the following Custom Resources are used:
- ProjectTemplate — a resource that describes the project template. It defines a list of resources to be created in the project and a schema for parameters that can be passed when creating the project;
- Project — a resource that describes a specific project.
When creating a Project resource from a specific ProjectTemplate, the following happens:
- The parameters passed are validated against the OpenAPI specification (the openAPI field of ProjectTemplate);
- Rendering of the resources template is performed using Helm. Values for rendering are taken from the parameters field of the Project resource;
- A Namespace is created with a name matching the name of Project;
- All resources described in the template are created in sequence.
Attention! When changing the project template, all created projects will be updated according to the new template.