Orka Cluster: Manage Access to Resources
(Admin-only) How to manage the access to your cluster resources with namespaces and role bindings.
Quick navigation
Jump to:
Orka 3.0 introduces the concept of namespaces - a way to isolate and dedicate resources to users and teams within the cluster. This concept replaces the earlier versions of node dedication (also known as "grouping").
Orka 3.0 relies on RBAC for user access management. Both roles and role bindings are created and maintained automatically by Orka. Cluster administrators can manually add subjects to the role binding for a namespace, which grants the respective users and service accounts access to the namespace. All cluster administrators have access to all namespaces.
The resources within a namespace are completely isolated from one another and cannot be shared between namespaces. By default, users and service accounts limited to a specific namespace cannot access the resources in other namespaces, unless added to the respective role bindings.
By managing namespaces and the subjects of role bindings, administrators can isolate and dedicate resources to specific users or emulate the concept of teams in the cluster. For example, an administrator might create a namespace dedicated to a team and then add the users belonging to this team to the namespace role binding. Or an administrator might create a namespace dedicated exclusively to CI/CD and limit its access only to service accounts.
Before you begin
Create a namespace
You can create regular namespaces where you can deploy and run Orka VMs, or you can create a sandboxed namespace where you can deploy and run only Kubernetes custom pods.
-
Connect to your cluster via VPN.
-
Log in as an administrator.
-
Run the following command:
orka3 namespace create <NAMESPACE_NAME> OR, if you want to create a sandboxed namespace, orka3 namespace create <NAMESPACE_NAME> --enable-custom-pods
curl -X 'POST' \ 'http://<ORKA_API_IP>/api/v1/namespaces' \ -H 'accept: application/json' \ -H 'Authorization: Bearer <TOKEN>' \ -H 'Content-Type: application/json' \ -d '{ "enableCustomPods": false, "name": "<NAMESPACE_NAME>" }' OR, if you want to create a sandboxed namespace, curl -X 'POST' \ 'http://<ORKA_API_IP>/api/v1/namespaces' \ -H 'accept: application/json' \ -H 'Authorization: Bearer <TOKEN>' \ -H 'Content-Type: application/json' \ -d '{ "enableCustomPods": true, "name": "<NAMESPACE_NAME>" }'
Your namespace name must meet the following requirements:
- Begins with the
orka-
prefix. - Does not exceed 63 characters (including the prefix).
- Consists of lowercase alphanumeric characters or dashes (-).
- The string ends with an alphanumeric character.
- The name is unique to the cluster.
Grant access to the namespace
You can dedicate a pool of resources to one or more users or service accounts by assigning them to a specific namespace.
-
To add one or more users, run the following command:
orka3 rb add-subject --user [email protected] [--namespace <TARGET_NAMESPACE>] OR orka3 rb add-subject --user [email protected],[email protected] [--namespace <TARGET_NAMESPACE>]
curl -X 'POST' \ 'http://<ORKA_API_IP>/api/v1/namespaces/<TARGET_NAMESPACE>/rolebindings/orka-dev/subjects/add' \ -H 'accept: application/json' \ -H 'Authorization: Bearer <TOKEN>' \ -H 'Content-Type: application/json' \ -d '{ "users": [ "[email protected]" ] }'
-
To add one or more service accounts, run the following command:
orka3 rb add-subject --serviceaccount <SA_NAMESPACE>:<SA_NAME> [--namespace <TARGET_NAMESPACE>] OR orka3 rb add-subject --serviceaccount <SA_NAMESPACE_2>:<SA_NAME_1>,<SA_NAMESPACE_2>:<SA_NAME_2> [--namespace <TARGET_NAMESPACE>]
curl -X 'POST' \ 'http://<ORKA_API_IP>/api/v1/namespaces/<TARGET_NAMESPACE>/rolebindings/orka-dev/subjects/add' \ -H 'accept: application/json' \ -H 'Authorization: Bearer <TOKEN>' \ -H 'Content-Type: application/json' \ -d '{ "serviceaccounts": [ { "name": "<SERVICE_ACCOUNT_NAME>", "namespace": "<SERVICE_ACCOUNT_NAMESPACE>" } ] }'
Dedicate resources to the namespace
The resources within a namespace are completely isolated and cannot be shared between namespaces. By default, users and service accounts limited to a specific namespace cannot access the resources in other namespaces, unless added to the respective role binding.
Formerly, this feature was known as node dedication and was achieved with node and user grouping.
Run the following command:
orka3 node namespace <NODE_NAME> [--namespace <CURRENT_NAMESPACE>] <TARGET_NAMESPACE>
curl -X 'POST' \
'http://<ORKA_API_IP>/api/v1/namespaces/<CURRENT_NAMESPACE>/nodes/<NODE_NAME>/namespace' \
-H 'accept: application/json' \
-H 'Authorization: <TOKEN>' \
-H 'Content-Type: application/json' \
-d '{
"namespace": "<TARGET_NAMESPACE>"
}'
There must be no running VMs on the node.
Revoke access to a specific namespace
If needed, you can revoke the access of a user or a service account to a namespace. You need to remove the respective subjects from the respective role binding.
-
To add one or more users, run the following command:
orka3 rb remove-subject --user [email protected] [--namespace <TARGET_NAMESPACE>] OR orka3 rb remove-subject --user [email protected],[email protected] [--namespace <TARGET_NAMESPACE>]
curl -X 'DELETE' \ 'http://<ORKA_API_IP>/api/v1/namespaces/<TARGET_NAMESPACE>/rolebindings/orka-dev/subjects/add' \ -H 'accept: application/json' \ -H 'Authorization: Bearer <TOKEN>' \ -H 'Content-Type: application/json' \ -d '{ "users": [ "[email protected]" ] }'
-
To add one or more service accounts, run the following command:
orka3 rb add-subject --serviceaccount <SA_NAMESPACE>:<SA_NAME> [--namespace <TARGET_NAMESPACE>] OR orka3 rb add-subject --serviceaccount <SA_NAMESPACE_2>:<SA_NAME_1>,<SA_NAMESPACE_2>:<SA_NAME_2> [--namespace <TARGET_NAMESPACE>]
curl -X 'DELETE' \ 'http://<ORKA_API_IP>/api/v1/namespaces/<TARGET_NAMESPACE>/rolebindings/orka-dev/subjects/add' \ -H 'accept: application/json' \ -H 'Authorization: Bearer <TOKEN>' \ -H 'Content-Type: application/json' \ -d '{ "serviceaccounts": [ { "name": "<SERVICE_ACCOUNT_NAME>", "namespace": "<SERVICE_ACCOUNT_NAMESPACE>" } ] }'
Remove resources from a namespace
If needed, you can move unused resources (nodes) across namespaces.
- Verify that there are no VMs deployed on the node.
- Run the following command:
orka3 node namespace <NODE_NAME> [--namespace <CURRENT_NAMESPACE>] <TARGET_NAMESPACE>
curl -X 'POST' \ 'http://<ORKA_API_IP>/api/v1/namespaces/<CURRENT_NAMESPACE>/nodes/<NODE_NAME>/namespace' \ -H 'accept: application/json' \ -H 'Authorization: <TOKEN>' \ -H 'Content-Type: application/json' \ -d '{ "namespace": "<TARGET_NAMESPACE>" }'
See also
Updated about 1 year ago